Detection rules

14,038 catalog-relevant detection rules from Sigma, Elastic, Splunk, and Kusto. Each page shows its parsed predicates, exclusions, and shared indicators.

MITRE ATT&CK

Other frameworks MITRE ATT&CK Mobile / ICS, MITRE ATLAS, Email threats, Other detection categories

MITRE ATT&CK Mobile

MITRE ATT&CK ICS

MITRE ATLAS

Email threats Sublime taxonomy

Detection categories beyond ATT&CK

Reconnaissance

Gather Victim Identity Information T1589 9 rules

Kusto API - Anomaly Detection available
Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Sigma Azure AD Account Credential Leaked test
Panther GSuite Government Backed Attack
Splunk Kerberos User Enumeration production
Splunk Linux Medusa Rootkit production
Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
Sigma SSHD Error Message CVE-2018-15473 test
Splunk Windows Gather Victim Identity SAM Info production

Gather Victim Identity Information: Credentials T1589.001 2 rules

Splunk Linux Medusa Rootkit production
Splunk Windows Gather Victim Identity SAM Info production

Gather Victim Identity Information: Email Addresses T1589.002 3 rules

Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Splunk Kerberos User Enumeration production
Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental

Gather Victim Identity Information: Employee Names T1589.003 1 rule

Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution

Gather Victim Network Information T1590 17 rules

Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Splunk Cisco ASA - Reconnaissance Command Activity production
Splunk Cisco IOS XE Reconnaissance Command Activity production
Splunk Cisco NVM - Suspicious Network Connection to IP Lookup Service API production
Sigma Failed DNS Zone Transfer test
Splunk Local LLM Framework DNS Query production
Kusto Network Port Sweep from External Network (ASIM Network Session schema) available
Sigma PUA - Advanced IP/Port Scanner Update Check test
Sigma PUA - Crassus Execution test
Kusto Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) available
Kusto Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) available
Elastic Spike in Firewall Denies production
Sigma Suspicious DNS Query for IP Lookup Service APIs test
Splunk Wermgr Process Connecting To IP Check Web Services production
Splunk Windows DNS Gather Network Info production
Splunk Windows Gather Victim Network Info Through Ip Check Web Services production
Splunk Windows WinPEAS PowerShell Script Execution production

Gather Victim Network Information: Domain Properties T1590.001 2 rules

Splunk Cisco ASA - Reconnaissance Command Activity production
Sigma PUA - Crassus Execution test

Gather Victim Network Information: DNS T1590.002 2 rules

Sigma Failed DNS Zone Transfer test
Splunk Windows DNS Gather Network Info production

Gather Victim Network Information: IP Addresses T1590.005 4 rules

Splunk Cisco ASA - Reconnaissance Command Activity production
Splunk Cisco NVM - Suspicious Network Connection to IP Lookup Service API production
Splunk Wermgr Process Connecting To IP Check Web Services production
Splunk Windows Gather Victim Network Info Through Ip Check Web Services production

Gather Victim Org Information T1591 5 rules

Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Sigma Bitbucket User Details Export Attempt Detected test
Sigma Bitbucket User Permissions Export Attempt test
Kusto BitSight - drop in company ratings available
Kusto BitSight - drop in the headline rating available

Gather Victim Org Information: Identify Roles T1591.004 2 rules

Sigma Bitbucket User Details Export Attempt Detected test
Sigma Bitbucket User Permissions Export Attempt test

Gather Victim Host Information T1592 13 rules

Sigma Access of Sudoers File Content test
Kusto API - Invalid host access available
Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Kusto CyberBlindSpot - Any Issue Detected available
Kusto HackerView - Any Issue Detected available
Sigma Linux Recon Indicators test
Sigma Print History File Contents test
Splunk Recon AVProduct Through Pwh or WMI production
Splunk Recon Using WMI Class production
Splunk System Info Gathering Using Dxdiag Application production
Splunk Windows Gather Victim Host Information Camera production
Splunk Windows WinPEAS PowerShell Script Execution production
Splunk WMI Recon Running Process Or Services production

Gather Victim Host Information: Hardware T1592.001 1 rule

Splunk Windows Gather Victim Host Information Camera production

Gather Victim Host Information: Software T1592.002 1 rule

Splunk Windows WinPEAS PowerShell Script Execution production

Gather Victim Host Information: Client Configurations T1592.004 5 rules

Sigma Access of Sudoers File Content test
Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Sigma Linux Recon Indicators test
Sigma Print History File Contents test
Splunk Windows WinPEAS PowerShell Script Execution production

Search Open Websites/Domains T1593 4 rules

Search Open Websites/Domains: Code Repositories T1593.003 2 rules

Sigma Suspicious Git Clone test
Sigma Suspicious Git Clone - Linux test

Active Scanning T1595 61 rules

Kusto API - Kiterunner detection available
Kusto App Gateway WAF - Scanner Detection available
Splunk Attacker Tools On Endpoint production
Panther AWS WAF Managed Bot Control Passthrough Rule
Panther AWS WAF Managed IP Reputation Passthrough Rule
Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution
Kusto BitSight - diligence risk category detected available
Kusto BTP - Failed access attempts across multiple BAS subaccounts available
Splunk Cisco SA - Automated Web Reconnaissance via HTTP Access Errors production
Splunk Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity production
Splunk Cisco Secure Firewall - Blocked Connection production
Splunk Cisco Secure Firewall - High Volume of Intrusion Events Per Host production
Splunk Cisco Secure Firewall - Repeated Blocked Connections production
Kusto Claroty - Threat detected available
Kusto Dataverse - Suspicious use of Web API available
Kusto Disks Alerts From Prancer available
Sigma DNS Query to External Service Interaction Domains test
Kusto Flow Logs Alerts for Prancer available
Sigma Grixba Malware Reconnaissance Activity experimental
Panther GSuite Government Backed Attack
Splunk HTTP Rapid POST with Mixed Status Codes production
Elastic Inbound Connection to an Unsecure Elasticsearch Node production
Splunk Internal Vulnerability Scan experimental
Elastic Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected production
Kusto NetworkSecurityGroups Alert From Prancer available
Kusto OCI - Multiple rejects on rare ports available
Kusto OCI - SSH scanner available
Splunk Ollama Possible API Endpoint Scan Reconnaissance experimental
Kusto PAC high severity available
Kusto Palo Alto - possible nmap scan on with top 100 option available
Kusto PaloAlto - Possible port scan available
Kusto Port Scan available
Kusto Port Sweep available
Sigma Potential Hello-World Scraper Botnet Activity experimental
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Network Scan Detected production
Elastic Potential Network Sweep Detected production
Elastic Potential Spike in Web Server Error Logs production
Elastic Potential SYN-Based Port Scan Detected production
Sigma PUA - PingCastle Execution test
Sigma PUA - PingCastle Execution From Potentially Suspicious Parent test
Kusto Registries Alerts for Prancer available
Kusto Sites Alerts for Prancer available
Elastic Spike in Firewall Denies production
Elastic Spike in Network Traffic production
Elastic Spike in Network Traffic To a Country production
Kusto Storage Accounts Alerts From Prancer available
Kusto Subnets Alerts for Prancer available
Elastic Suspicious Network Tool Launch Detected via Defend for Containers production
Elastic Suspicious Network Tool Launched Inside A Container production
Kusto Vaults Alerts for Prancer available
Kusto Virtual Machines Alerts for Prancer available
Kusto VirtualNetworkPeerings Alerts From Prancer available
Elastic Web Server Discovery or Fuzzing Activity production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential Spike in Error Response Codes production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Web Server Suspicious User Agent Requests production
Splunk Windows Detect Network Scanner Behavior production
Splunk Windows Netspy Network Scanner Execution production
Kusto XbowNewAssetDiscovered available

Active Scanning: Scanning IP Blocks T1595.001 11 rules

Panther GreyNoise V3 Malicious IP Activity
Sigma Grixba Malware Reconnaissance Activity experimental
Panther OTX Threat Intelligence Indicator Match
Kusto Port Scan available
Kusto Port Sweep available
Elastic Potential Network Scan Detected production
Elastic Potential Network Sweep Detected production
Elastic Potential SYN-Based Port Scan Detected production
Elastic Spike in Network Traffic To a Country production
Elastic Web Server Suspicious User Agent Requests production
Splunk Windows Detect Network Scanner Behavior production

Active Scanning: Vulnerability Scanning T1595.002 16 rules

Panther Azure Excessive IP and VM Discovery
Panther Azure Excessive Network Security Group Read
Kusto BitSight - diligence risk category detected available
Splunk Cisco Secure Firewall - Blocked Connection production
Splunk Cisco Secure Firewall - High Volume of Intrusion Events Per Host production
Splunk Cisco Secure Firewall - Repeated Blocked Connections production
Sigma DNS Query to External Service Interaction Domains test
Splunk Internal Vulnerability Scan experimental
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Spike in Web Server Error Logs production
Elastic Web Server Discovery or Fuzzing Activity production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential Spike in Error Response Codes production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Web Server Suspicious User Agent Requests production
Splunk Windows Detect Network Scanner Behavior production

Active Scanning: Wordlist Scanning T1595.003 8 rules

Elastic Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected production
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Spike in Web Server Error Logs production
Elastic Web Server Discovery or Fuzzing Activity production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential Spike in Error Response Codes production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Web Server Suspicious User Agent Requests production

Search Open Technical Databases T1596 1 rule

Kusto AWSCloudTrail - Suspicious AWS CLI Command Execution

Phishing for Information T1598 9 rules

Splunk Cisco Secure Firewall - Rare Snort Rule Triggered production
Kusto CyberBlindSpot - Any Issue Detected available
Kusto HackerView - Any Issue Detected available
Sigma HTML File Opened From Download Folder experimental
Panther Potential Compromised Okta Credentials
Panther Proofpoint Phishing Email Detected Experimental
Panther Spam Email Surge Experimental
Kusto Suspicious link sharing pattern
Splunk Windows RDP File Execution production

Phishing for Information: Spearphishing Attachment T1598.002 2 rules

Sigma HTML File Opened From Download Folder experimental
Splunk Windows RDP File Execution production

No specific technique 8 rules

Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation test
Sigma AADInternals PowerShell Cmdlets Execution - PsScript test
Sigma Creation of large amount of unverified accounts experimental
Sigma Many Recon Events test
Sigma Potential Active Directory Enumeration Using AD Module - ProcCreation test
Sigma Potential Active Directory Enumeration Using AD Module - PsModule test
Sigma Potential Active Directory Enumeration Using AD Module - PsScript test
Sigma Suspicious Use of /dev/tcp test

Resource Development

Acquire Infrastructure T1583 4 rules

Elastic AWS Route 53 Private Hosted Zone Associated With a VPC production
Kusto AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt available
Splunk Cisco Secure Firewall - Rare Snort Rule Triggered production
Elastic GitHub Repo Created production building block

Acquire Infrastructure: Domains T1583.001 1 rule

Elastic AWS Route 53 Private Hosted Zone Associated With a VPC production

Acquire Infrastructure: Web Services T1583.006 2 rules

Splunk Cisco Secure Firewall - Rare Snort Rule Triggered production
Elastic GitHub Repo Created production building block

Compromise Infrastructure T1584 10 rules

Elastic AWS Route 53 Domain Transfer Lock Disabled production
Elastic AWS Route 53 Domain Transferred to Another Account production
Kusto BTP - Malware detected in BAS dev space available
Elastic Entra ID Custom Domain Added or Verified production
Kusto GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available
Sigma Program Executions in Suspicious Folders test
Kusto Semperis DSP Operations Critical Notifications available
Sigma Suspicious External WebDAV Execution test
Sigma WebDAV Temporary Local File Creation test
Sigma Windows Update Error stable

Compromise Infrastructure: Domains T1584.001 3 rules

Elastic AWS Route 53 Domain Transfer Lock Disabled production
Elastic AWS Route 53 Domain Transferred to Another Account production
Elastic Entra ID Custom Domain Added or Verified production

Compromise Infrastructure: DNS Server T1584.002 1 rule

Kusto GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available

Establish Accounts T1585 2 rules

Panther A SAML Connector was created or modified
Kusto New onmicrosoft domain added to tenant available

Establish Accounts: Cloud Accounts T1585.003 1 rule

Kusto New onmicrosoft domain added to tenant available

Compromise Accounts T1586 41 rules

Splunk ASL AWS Credential Access GetPasswordData production
Splunk ASL AWS Credential Access RDS Password reset production
Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk AWS Console Login Failed During MFA Challenge production
Splunk AWS Credential Access Failed Login production
Splunk AWS Credential Access GetPasswordData production
Splunk AWS Credential Access RDS Password reset production
Splunk AWS Multi-Factor Authentication Disabled production
Splunk AWS Multiple Failed MFA Requests For User production
YARA-L AWS Successful Console Authentication From Multiple IPs
Splunk AWS Successful Console Authentication From Multiple IPs production
Splunk AWS Successful Single-Factor Authentication production
Splunk AWS Unusual Number of Failed Authentications From Ip production
Splunk Azure Active Directory High Risk Sign-in production
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD Multi-Source Failed Authentications Spike production
Splunk Azure AD Multiple Failed MFA Requests For User production
Splunk Azure AD Multiple Users Failing To Authenticate From Ip production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Splunk Azure AD Unusual Number of Failed Authentications From Ip production
Panther Azure Role Changed PIM
Sigma Bitbucket Unauthorized Access To A Resource test
Sigma Bitbucket Unauthorized Full Data Export Triggered test
Splunk Detect AWS Console Login by New User production
Splunk Detect AWS Console Login by User from New City production
Splunk Detect AWS Console Login by User from New Country production
Splunk Detect AWS Console Login by User from New Region production
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multi-Factor Authentication Disabled production
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Multiple Users Failing To Authenticate From Ip production
Splunk GCP Successful Single-Factor Authentication production
Splunk GCP Unusual Number of Failed Authentications From Ip production
Splunk O365 Multi-Source Failed Authentications Spike production
Splunk O365 Multiple Users Failing To Authenticate From Ip production
Splunk Okta Authentication Failed During MFA Challenge production
Splunk Okta Successful Single Factor Authentication production
Sigma Okta Suspicious Activity Reported by End-user test
Splunk Okta User Logins from Multiple Cities production

Compromise Accounts: Cloud Accounts T1586.003 36 rules

Splunk ASL AWS Credential Access GetPasswordData production
Splunk ASL AWS Credential Access RDS Password reset production
Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk AWS Console Login Failed During MFA Challenge production
Splunk AWS Credential Access Failed Login production
Splunk AWS Credential Access GetPasswordData production
Splunk AWS Credential Access RDS Password reset production
Splunk AWS Multi-Factor Authentication Disabled production
Splunk AWS Multiple Failed MFA Requests For User production
Splunk AWS Successful Single-Factor Authentication production
Splunk AWS Unusual Number of Failed Authentications From Ip production
Splunk Azure Active Directory High Risk Sign-in production
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD Multi-Source Failed Authentications Spike production
Splunk Azure AD Multiple Failed MFA Requests For User production
Splunk Azure AD Multiple Users Failing To Authenticate From Ip production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Splunk Azure AD Unusual Number of Failed Authentications From Ip production
Splunk Detect AWS Console Login by New User production
Splunk Detect AWS Console Login by User from New City production
Splunk Detect AWS Console Login by User from New Country production
Splunk Detect AWS Console Login by User from New Region production
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multi-Factor Authentication Disabled production
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Multiple Users Failing To Authenticate From Ip production
Splunk GCP Successful Single-Factor Authentication production
Splunk GCP Unusual Number of Failed Authentications From Ip production
Splunk O365 Multi-Source Failed Authentications Spike production
Splunk O365 Multiple Users Failing To Authenticate From Ip production
Splunk Okta Authentication Failed During MFA Challenge production
Splunk Okta Successful Single Factor Authentication production
Sigma Okta Suspicious Activity Reported by End-user test
Splunk Okta User Logins from Multiple Cities production

Develop Capabilities T1587 23 rules

Kusto Cisco SDWAN - Maleware Events available
Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
Splunk Cisco Secure Firewall - Possibly Compromised Host experimental
Sigma Conti Volume Shadow Listing test
Sigma Creation of an Executable by an Executable test
Sigma CVE-2021-1675 Print Spooler Exploitation Filename Pattern test
Sigma FoggyWeb Backdoor DLL Loading test
Sigma Formbook Process Creation test
Elastic GenAI Process Compiling or Generating Executables production
Sigma HackTool - PurpleSharp Execution test
Sigma Linux HackTool Execution test
Sigma Mustang Panda Dropper test
Sigma Potential Privilege Escalation To LOCAL SYSTEM test
Sigma Potential PsExec Remote Execution test
Kusto Power Apps - Bulk sharing of Power Apps to newly created guest users available
Sigma Program Executions in Suspicious Folders test
Panther Proofpoint Active Threat Campaign Detected Experimental
Sigma PsExec/PAExec Escalation to LOCAL SYSTEM test
Sigma PUA - CsExec Execution test
Sigma Suspicious Word Cab File Write CVE-2021-40444 test
Sigma Uncommon File Created In Office Startup Folder test
Sigma VHD Image Download Via Browser test
Splunk Windows Certutil Root Certificate Addition production

Develop Capabilities: Malware T1587.001 13 rules

Kusto Cisco SDWAN - Maleware Events available
Splunk Cisco Secure Firewall - Possibly Compromised Host experimental
Sigma Conti Volume Shadow Listing test
Sigma Creation of an Executable by an Executable test
Sigma Formbook Process Creation test
Elastic GenAI Process Compiling or Generating Executables production
Sigma Mustang Panda Dropper test
Sigma Potential Privilege Escalation To LOCAL SYSTEM test
Sigma Potential PsExec Remote Execution test
Sigma PsExec/PAExec Escalation to LOCAL SYSTEM test
Sigma PUA - CsExec Execution test
Sigma Uncommon File Created In Office Startup Folder test
Sigma VHD Image Download Via Browser test

Develop Capabilities: Code Signing Certificates T1587.002 1 rule

Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production

Develop Capabilities: Digital Certificates T1587.003 1 rule

Splunk Windows Certutil Root Certificate Addition production

Obtain Capabilities T1588 21 rules

Elastic Anomalous Linux Compiler Activity production
Sigma Antivirus Relevant File Paths Alerts test
Panther AWS ACM Certificate Expiration
Panther AWS ACM Certificate Status
YARA-L AWS GuardDuty Penetration Testing Activity Detected
Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Sigma Hacktool Execution - Imphash test
Sigma Hacktool Execution - PE Metadata test
Panther macOS Malware Detected with osquery
Sigma Potential Execution of Sysinternals Tools test
Sigma PUA - Sysinternal Tool Execution - Registry test
Sigma PUA - Sysinternals Tools Execution - Registry test
Sigma Relevant ClamAV Message stable
Sigma Renamed SysInternals DebugView Execution test
Sigma Suspicious Execution Of Renamed Sysinternals Tools - Registry test
Sigma Suspicious Keyboard Layout Load test
Sigma Usage of Renamed Sysinternals Tools - RegistrySet test
Splunk Windows NirSoft AdvancedRun production
Splunk Windows NirSoft Tool Bundle File Created production
Splunk Windows NirSoft Utilities production

Obtain Capabilities: Malware T1588.001 2 rules

Elastic Anomalous Linux Compiler Activity production
Sigma Relevant ClamAV Message stable

Obtain Capabilities: Tool T1588.002 13 rules

Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Sigma Hacktool Execution - Imphash test
Sigma Hacktool Execution - PE Metadata test
Sigma Potential Execution of Sysinternals Tools test
Sigma PUA - Sysinternal Tool Execution - Registry test
Sigma PUA - Sysinternals Tools Execution - Registry test
Sigma Renamed SysInternals DebugView Execution test
Sigma Suspicious Execution Of Renamed Sysinternals Tools - Registry test
Sigma Suspicious Keyboard Layout Load test
Sigma Usage of Renamed Sysinternals Tools - RegistrySet test
Splunk Windows NirSoft AdvancedRun production
Splunk Windows NirSoft Tool Bundle File Created production
Splunk Windows NirSoft Utilities production

Obtain Capabilities: Digital Certificates T1588.004 1 rule

Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production

Stage Capabilities T1608 13 rules

Panther AppOmni Alert Passthrough
Sigma AWS KMS Imported Key Material Usage experimental
Elastic AWS SNS Topic Created by Rare User production
Elastic Azure Automation Webhook Created production
Panther Azure Automation Webhook Created
Sigma HybridConnectionManager Service Installation - Registry test
Elastic M365 OneDrive Malware File Upload production
Elastic M365 SharePoint Malware File Detected production
Sigma Suspicious Download from Office Domain test
Splunk Windows Cobalt Strike PowerShell Loader production
Splunk Windows Metasploit Confluence Plugin Execution production
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows Unusual File Creation in Confluence Directory production

Stage Capabilities: Upload Malware T1608.001 3 rules

Elastic M365 OneDrive Malware File Upload production
Elastic M365 SharePoint Malware File Detected production
Splunk Windows Unusual File Creation in Confluence Directory production

Stage Capabilities: Upload Tool T1608.002 1 rule

Splunk Windows Unusual File Creation in Confluence Directory production

Stage Capabilities: Install Digital Certificate T1608.003 1 rule

Sigma AWS KMS Imported Key Material Usage experimental

No specific technique 1 rule

Sigma Creation of a Diagcab test

Initial Access

Valid Accounts T1078 728 rules

Panther A Login from Outside the Corporate Office
Elastic Access to a Sensitive LDAP Attribute production
Kusto Account added and removed from privileged groups
Kusto Account Created and Deleted in Short Timeframe available
Sigma Account Created And Deleted Within A Close Time Frame test
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Elastic Account Discovery Command via SYSTEM Account production
Kusto Account Elevated to New Role
Sigma Account renamed to admin (or likely) account to evade defense experimental
Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Account Tampering - Suspicious Failed Logon Reasons test
Kusto Acronis - Login from Abnormal IP - Low Occurrence
Sigma Activity From Anonymous IP Address test
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Panther Admin Role Assigned
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Kusto AdminSDHolder Modifications
Elastic AdminSDHolder SDProp Exclusion Added production
Kusto Anomalous login followed by Teams action
Kusto Anomalous sign-in location by user account and authenticating application available
Kusto Anomalous Single Factor Signin
Kusto Anomaly Sign In Event from an IP
Kusto ApexOne - Device access permissions was changed available
Elastic Apple Scripting Execution with Administrator Privileges production
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Sigma Application Using Device Code Authentication Flow test
Sigma Applications That Are Using ROPC Authentication Flow test
Panther AppOmni Alert Passthrough
Splunk ASL AWS Create Policy Version to allow all resources production
Splunk ASL AWS SAML Update identity provider production
Kusto Attempt to bypass conditional access rule in Microsoft Entra ID available
Elastic Attempt to Enable the Root Account production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Attempts to sign in to disabled accounts available
Sigma Atypical Travel test
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Sigma Authentications To Important Apps Using Single Factor Authentication test
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Panther AWS Backdoor Administrative IAM Role Created
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Splunk AWS Bedrock Invoke Model Access Denied production
Elastic AWS CloudShell Environment Created production
Panther AWS CloudTrail Password Spraying Experimental
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
Panther AWS GuardDuty Critical Severity Finding
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Panther AWS IAM Group Users
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Panther AWS IAM Policy Administrative Privileges
Panther AWS IAM Policy Assigned to User
Panther AWS IAM Policy Blocklist
Panther AWS IAM Policy Does Not Grant Any Administrative Access
Panther AWS IAM Policy Does Not Grant Network Admin Access
Panther AWS IAM Resource Does Not Have Inline Policy
Panther AWS IAM Role Restricts Usage
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Panther AWS IAM User Not In Conflicting Groups
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Key Pair Import Activity experimental
Elastic AWS Management Console Root Login production
Panther AWS Potential Backdoor Lambda Function Through Resource-Based Policy Experimental
Elastic AWS Rare Source AS Organization Activity production
Panther AWS Root Account Hardware MFA
Panther AWS Root Account MFA
Sigma AWS Root Credentials test
YARA-L AWS SAML Identity Provider Changes
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SAML Update identity provider production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
YARA-L AWS Successful Login After Multiple Failed Attempts
Splunk AWS Successful Single-Factor Authentication production
Sigma AWS Suspicious SAML Activity test
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Panther AWS.Administrative.IAM.User.Created
Kusto AWSCloudTrail - Changes to Amazon VPC settings available
Kusto AWSCloudTrail - Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - NRT Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - SAML update identity provider available
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple AppIDs and UserAgents Authentication Spike production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Sigma Azure AD Threat Intelligence test
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Elastic Azure Automation Account Created production
Panther Azure Automation Account Created
Panther Azure Device Code Authentication with Broker Client
Sigma Azure Domain Federation Settings Modified test
Panther Azure High-Risk Sign-In
Panther Azure Invite External Users
Sigma Azure Kubernetes Admission Controller test
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Sigma Azure Login Bypassing Conditional Access Policies experimental
Kusto Azure Machine Learning Write Operations available
Panther Azure Many Failed SignIns
Panther Azure MFA Disabled
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Protection Multiple Alerts for User
Kusto Azure RBAC (Elevate Access)
Panther Azure RiskLevel Passthrough
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Azure Subscription Permission Elevation Via AuditLogs test
Sigma Azure Unusual Authentication Interruption test
Sigma Azure Windows virtual machine login via serial console experimental
Sigma Bitbucket User Login Failure test
Kusto Bitglass - Impossible travel distance available
Kusto Bitglass - Login from new device available
Kusto Bitglass - New admin user available
Kusto Bitglass - New risky user available
Kusto Bitglass - User Agent string has changed for user available
Kusto Bitglass - User login from new geo location available
Sigma Bitlocker Key Retrieval test
Kusto Box - Inactive user login available
Kusto Box - New external user available
Kusto Box - User logged in as admin available
Kusto Box - User role changed to owner available
Panther Box New Login
Panther Box Shield Suspicious Alert Triggered
Panther Box Untrusted Device Login
Sigma Brutforce with denied access due to account restrictions policies experimental
Kusto BTP - Build Work Zone unauthorized access and role tampering available
Kusto BTP - User added to Cloud Identity Service privileged Administrators list available
Kusto BTP - User added to sensitive privileged role collection available
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Kusto Cisco - firewall block but success logon to Microsoft Entra ID
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Sigma Cisco BGP Authentication Failures test
Kusto Cisco Duo - Admin password reset available
Kusto Cisco Duo - Admin user created available
Kusto Cisco Duo - Authentication device new location available
Kusto Cisco Duo - Multiple admin 2FA failures available
Kusto Cisco Duo - Multiple user login failures available
Kusto Cisco Duo - New access device available
Kusto Cisco Duo - Unexpected authentication factor available
Splunk Cisco IOS Suspicious Privileged Account Creation production
Splunk Cisco IOS XE WebUI Login From IOSd Local Port production
Splunk Cisco IOS XE WebUI Programmatic Configuration production
Sigma Cisco LDP Authentication Failures test
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cloud API Calls From Previously Unseen User Roles production
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Splunk Cloud Provisioning Activity From Previously Unseen City production
Splunk Cloud Provisioning Activity From Previously Unseen Country production
Splunk Cloud Provisioning Activity From Previously Unseen IP Address production
Splunk Cloud Provisioning Activity From Previously Unseen Region production
Panther CloudTrail Password Spraying Deprecated
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Kusto Conditional Access - A Conditional Access user/group/role exclusion has changed
Kusto Conditional Access Policy Modified by New User
Sigma Console Login With MFA test
Sigma Console Login Without MFA test
Kusto Copilot - Jailbreak Attempt Detected available
Kusto Correlate Unfamiliar sign-in properties & atypical travel alerts available
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Elastic CyberArk Privileged Access Security Error production
Panther Databricks Attempted Logon From Denied IP Experimental
Panther Databricks Delta Sharing IP Access Failures Experimental
Panther Databricks Employee Logon Experimental
Panther Databricks Non-SSO Login Detected Experimental
Panther Databricks Potential Privilege Escalation Experimental
Panther Databricks Repeated Failed Login Attempts Experimental
Kusto Dataverse - Hierarchy security manipulation available
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New Dataverse application user activity type available
Kusto Dataverse - New non-interactive identity granted access available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used before available
Kusto Dataverse - Organization settings modified available
Kusto Dataverse - TI map IP to DataverseActivity available
Elastic Delegated Managed Service Account Modification by an Unusual User production
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Splunk Detect Excessive Account Lockouts From Endpoint production
Splunk Detect Excessive User Account Lockouts production
Kusto Detect PIM Alert Disabling activity
Kusto Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
Sigma Device Registration or Join Without MFA test
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Kusto EatonForeseer - Unauthorized Logins available
Kusto Elevation of Privilege attempt detected available
Kusto Email access via active sync
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID External Guest User Invited production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Splunk ESXi Account Modified production
Splunk ESXi External Root Login Activity production
Splunk ESXi Shared or Stolen Root Account production
Splunk ESXi User Granted Admin Role production
Elastic Execution with Explicit Credentials via Scripting production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Elastic External User Added to Google Workspace Group production
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Kusto F&O - Unusual sign-in activity using single factor authentication available
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Kusto Failed AWS Console logons but success logon to AzureAD
Kusto Failed AzureAD logons but success logon to AWS Console
Kusto Failed AzureAD logons but success logon to host
Kusto Failed host logons but success logon to AzureAD
Sigma Failed Logon From Public IP test
Kusto Failed sign-ins into LastPass due to MFA available
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Account Performing DCSync production
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic First-Time FortiGate Administrator Login production
Elastic FortiGate Administrator Login from Multiple IP Addresses production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Elastic FortiGate SSL VPN Login Followed by SIEM Alert by User production
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Detect gcploit framework experimental
Kusto GCP IAM - High privileged role added to service account available
Elastic GCP IAM Custom Role Creation production
Panther GCP IAM Role Has Changed
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Splunk Geographic Improbable Location experimental
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Kusto GitHub - A payment method was removed available
Kusto GitHub - Oauth application - a client secret was removed available
Kusto GitHub - pull request was created available
Kusto GitHub - pull request was merged available
Kusto GitHub - Repository was created available
Kusto GitHub - Repository was destroyed available
Kusto GitHub - User visibility Was changed available
Kusto GitHub - User was added to the organization available
Kusto GitHub - User was blocked available
Kusto GitHub - User was invited to the repository available
Kusto GitHub Activites from a New Country available
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Panther GitHub User Access Key Created
Kusto GitLab - TI - Connection from Malicious IP available
Kusto GitLab - User Impersonation available
Sigma Google Cloud Kubernetes Admission Controller test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Sigma Google Workspace Government Attack Warning experimental
Elastic Google Workspace Login Flagged Suspicious production building block
YARA-L Google Workspace SAML IDP Configuration Change
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Group created then added to built in domain local or global group
Kusto GSA - Detect Connections Outside Operational Hours available
Panther GSuite Login Type
Sigma Guest Account Enabled Via Sysadminctl test
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Sigma Guest Users Invited To Tenant By Non Approved Inviters test
Elastic High Command Line Entropy Detected for Privileged Commands production
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Kusto High-Risk Cross-Cloud User Impersonation
Sigma Huawei BGP Authentication Failures test
Kusto Hunt for critical credentials on devices with non-critical accounts
Kusto Hunt for privilege escalation paths with high ACLs
Panther IAM Administrator Role Policy Attached
Panther IAM Inline Policy Network Admin
Panther IAM Role Created
Panther IAM Role Policy Updated to Allow Internet Access
Panther IAM User Created
Panther IAM User Policy Attached with Administrator Access
Kusto Illusive Incidents Analytic Rule available
Sigma Impossible Travel test
Panther Impossible Travel for Login Action
Sigma Increased Failed Authentications Of Any Type test
Sigma Invalid PIM License test
Kusto IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
Kusto Jira - Global permission added available
Kusto Jira - New site admin user available
Kusto Jira - New site admin user available
Kusto Jira - New user created available
Kusto Jira - User's password changed multiple times available
Sigma Juniper BGP Missing MD5 test
Elastic Kerberos Pre-authentication Disabled for User production
Elastic Kubeconfig File Creation or Modification production
Sigma Kubernetes Admission Controller Modification test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Elastic Kubernetes Unusual Decision by User Agent production
Panther Lambda Code Updated by User Experimental
Panther Lambda Configuration Updated with Layers by User
Sigma Lateral movement detection (based on "special groups" feature) experimental
Sigma Login to Disabled Account test
YARA-L Logins From Terminated Employees
Panther Logins Without MFA
Panther Logins Without SAML
Sigma Logon from a Risky IP Address test
Splunk M365 Copilot Application Usage Pattern Anomalies production
Splunk M365 Copilot Session Origin Anomalies production
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Elastic M365 or Entra ID Identity Sign-in from a Suspicious Source production
Kusto M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity
Sigma macOS Authentication Events experimental
Sigma macOS SSH Connection Detection experimental
Sigma macOS Sudo Privilege Escalation Attempts experimental
Kusto Malicious BEC Inbox Rule
Kusto Malicious Inbox Rule available
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma Measurable Increase Of Successful Authentications test
Kusto MFA Rejected by User available
Sigma Microsoft 365 - Impossible Travel Activity test
Kusto Microsoft Entra ID PowerShell accessing non-Entra ID resources available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Splunk Multiple Host logons (Windows Event Log)
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Kusto Multiple Password Reset by user
Kusto Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) available
Sigma Network login performed to multiple targets experimental
Sigma New Country test
Kusto New country signIn with correct password
Kusto New Device/Location sign-in along with critical operation available
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto New user created and added to the built-in administrators group
Kusto Non-admin guest available
Kusto NRT Malicious Inbox Rule
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
Kusto NRT User added to Microsoft Entra ID Privileged Groups available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Multiple AppIDs and UserAgents Authentication Spike production
Splunk O365 Security And Compliance Alert Triggered production
Panther Okta AD Agent Authentication Anomaly - Z-Score Detection Experimental
Elastic Okta Admin Console Login Failure production building block
Panther Okta Admin Role Assigned
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Panther Okta Login Without Push
YARA-L Okta Multiple User's Logins With Invalid Credentials From The Same IP
Sigma Okta New Admin Console Behaviours test
YARA-L Okta New API Token Created
Splunk Okta New API Token Created production
Splunk Okta Non-Standard VPN Usage experimental
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Risk Threshold Exceeded production
Elastic Okta Sign-In Events via Third-Party IdP production
YARA-L Okta Successful High Risk User Logins
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta Suspicious Activity Reported production
Panther Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral Experimental
Panther Okta SWA Off-Hours Credential Access - Behavioral Experimental
Splunk Okta ThreatInsight Threat Detected production
YARA-L Okta User Account Lockout
YARA-L Okta User Login Out Of Hours
YARA-L Okta User Logins From Multiple Cities
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L Okta User Suspicious Activity Reported
Panther OneLogin High Risk Failed Login FOLLOWED BY Successful Login
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Panther OpenAI Admin Role Assignment
Panther OpenAI Anomalous API Key Activity
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - Telnet Login Attempt test
Kusto OracleDBAudit - Connection to database from external IP available
Kusto OracleDBAudit - Connection to database from unknown IP available
Kusto OracleDBAudit - New user account available
Kusto OracleDBAudit - User activity after long inactivity time available
Kusto OracleDBAudit - User connected to database from new IP available
Kusto Palo Alto Prisma Cloud - Access keys are not rotated for 90 days available
Kusto Palo Alto Prisma Cloud - Anomalous access key usage available
Kusto Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions available
Kusto Palo Alto Prisma Cloud - Inactive user available
Sigma Password Provided In Command Line Of Net.EXE test
Sigma Password Reset By User Account test
Kusto Pathlock TDnR - Emergency User (AdminTrack) Activity available
Kusto Pathlock TDnR - Multiple Login Sessions Detected available
Kusto Pathlock TDnR - SAP Cloud Account Administration Events available
Kusto Pathlock TDnR - SAP HANA Database Audit Trail available
Kusto Pathlock TDnR - User Access Management Password Resets available
Sigma PIM Alert Setting Changes To Disabled test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Ping Federate - Abnormal password resets for user available
Kusto Ping Federate - Authentication from new IP. available
Kusto Ping Federate - Forbidden country available
Kusto Ping Federate - New user SSO success login available
Kusto Ping Federate - Password reset request from unexpected source IP address.. available
Kusto Ping Federate - Unexpected authentication URL. available
Kusto Ping Federate - Unexpected country for user available
Kusto Ping Federate - Unusual mail domain. available
Splunk PingID Multiple Failed MFA Requests For User production
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Elastic Potential Account Takeover - Logon from New Source IP production
Elastic Potential Account Takeover - Mixed Logon Types production
Elastic Potential Admin Group Account Addition production
Panther Potential Compromised Okta Credentials
Elastic Potential Credential Access via DCSync production
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Impersonation Attempt via Kubectl production
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Splunk Potential password in username production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Kusto Potential Ransomware activity related to Cobalt Strike available
Elastic Potential Successful SSH Brute Force Attack production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Kusto Power Apps - App activity from unauthorized geo available
Kusto Power Platform - Account added to privileged Microsoft Entra roles available
Kusto Power Platform - Possibly compromised user accesses Power Platform services available
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto ProofpointPOD - Binary file in attachment available
Kusto ProofpointPOD - Email sender in TI list
Kusto ProofpointPOD - Email sender IP in TI list
Kusto ProofpointPOD - Possible data exfiltration to private email available
Elastic Rare User Logon production
Sigma RDP reconnaissance with valid credentials performed on multiple hosts experimental
Kusto RecordedFuture Threat Hunting Url All Actors
Kusto Red Sift - Login from previously unseen IP address available
Sigma Refresh Token Exchange from Excessive Locations experimental
Sigma Refresh Token Exchange from Multiple User Agents experimental
Sigma Refresh Token Reuse Detection experimental
Elastic Remote Computer Account DnsHostName Update production
Sigma Roles Activated Too Frequently test
Sigma Roles Activation Doesn't Require MFA test
Sigma Roles Are Not Being Used test
Sigma Roles Assigned Outside PIM test
Panther Root Account Activity
Sigma Root Account Enable Via Dsenableroot test
Panther Root Console Login
Splunk Rubeus Password Change (Windows Event Log)
Panther Salesforce API Anomaly Detection (RET Passthrough)
YARA-L sap break glass account login
YARA-L sap impossible travel
YARA-L sap multi terminal logon
Kusto Semperis DSP Failed Logons available
Kusto Sentinel One - Admin login from new location available
Kusto Sentinel One - New admin created available
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Kusto Service principal not using client credentials available
Splunk Short Lived Windows Accounts production
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts available
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Sigma Sign-ins from Non-Compliant Devices test
Kusto SlackAudit - User email linked to account changed. available
Kusto SlackAudit - User login after deactivated. available
Kusto SlackAudit - User role changed to admin or owner available
Kusto Snowflake - Multiple login failures by user available
Kusto Snowflake - Multiple login failures from single IP available
Kusto Snowflake - User granted admin privileges available
Panther Snowflake Account Admin Granted
Panther Snowflake Account Admin Granted
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in Logon Events production
Elastic Spike in Privileged Command Execution by a User production
Elastic Spike in Special Logon Events production
Elastic Spike in Special Privilege Use Events production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Spike in User Account Management Events production
Elastic Spike in User Lifecycle Management Change Events production
Sigma SQL Server - Connection attempt using a disabled account experimental
Sigma Stale Accounts In A Privileged Role test
Kusto StealthTalk - After hours work available
Kusto StealthTalk - Login outside work zone available
Kusto StealthTalk - Multi new devices registration available
Sigma Success login attempt on a Windows OpenSSH server experimental
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Successful AWS Console Login from IP Address Observed Conducting Password Spray
Kusto Successful logins to SOC Prime platform from bad IP addresses available
Kusto Successful logon from IP and failure from a different IP available
Elastic Successful SSH Authentication from Unusual IP Address production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Elastic Suspicious Activity Reported by Okta User production
Kusto Suspicious AWS console logins by credential access alerts
Sigma Suspicious Browser Activity test
Splunk Suspicious Computer Account Name Change production
Sigma Suspicious Computer Machine Password by PowerShell test
Splunk Suspicious Kerberos Service Ticket Request production
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Sigma Suspicious Remote Logon with Explicit Credentials test
Kusto Suspicious Service Principal creation activity available
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Sigma Suspicious SignIns From A Non Registered Device test
Splunk Suspicious Ticket Granting Ticket Request production
Kusto Suspicious VM Instance Creation Activity Detected
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available
Kusto Threat Essentials - User Assigned Privileged Role available
Sigma Too Many Global Admins test
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Sigma Unfamiliar Sign-In Properties test
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Host Name for Windows Privileged Operations Detected production
Elastic Unusual Hour for a User to Logon production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Linux Username production
Elastic Unusual Login via System User production
Splunk Unusual Number of Computer Service Tickets Requested experimental
Splunk Unusual Number of Remote Endpoint Authentication Events experimental
Elastic Unusual Privilege Type assigned to a User production
Elastic Unusual Process Detected for Privileged Commands by a User production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Windows Privileged Operations Detected production
Elastic Unusual Source IP for a User to Logon from production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Windows Privileged Operations Detected production
Elastic Unusual Spike in Concurrent Active Sessions by a User production
Elastic Unusual Windows Remote User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User account added to built in domain local or global group
Kusto User account created and deleted within 10 mins
Kusto User account enabled and disabled within 10 mins
Kusto User Accounts - Sign in Failure due to CA Spikes available
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Kusto User Added to Admin Role
Sigma User Added to an Administrator's Azure AD Role test
Sigma User Added to Local Administrator Group stable
Kusto User added to Microsoft Entra ID Privileged Groups available
Sigma User Added To Privilege Role test
Elastic User Added to the Admin Group production
Kusto User Assigned New Privileged Role available
Kusto User joining Zoom meeting from suspicious timezone
Panther User Logged in wihout MFA
Kusto User Login from Different Countries within 3 hours available
Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
Kusto User Sign in from different countries available
Sigma User State Changed From Guest To Member test
Kusto UserAccountDisabled available
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Kusto Valimail Enforce - High-Value User Management Event available
Kusto Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available
Kusto vCenter - Root impersonation available
Kusto VMware ESXi - Multiple new VMs started available
Kusto VMware ESXi - New VM started available
Kusto VMware ESXi - Root impersonation available
Kusto VMware ESXi - Root login available
Kusto VMware ESXi - Root password changed available
Kusto VMware ESXi - Shared or stolen root account available
Kusto VMware vCenter - Root login available
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows Group Policy Object Created production
Splunk Windows Guest Account Enabled Via Net.EXE production
Splunk Windows Large Number of Computer Service Tickets Requested production
Splunk Windows Multiple Account Passwords Changed production
Splunk Windows Multiple Accounts Deleted production
Splunk Windows Multiple Accounts Disabled production
Splunk Windows PowerView AD Access Control List Enumeration production
Splunk WMIC Explicit Credentials (Sysmon)
Splunk WMIC Explicit Credentials (Windows Event Log)
Kusto Workspace deletion activity from an infected device
Panther Zendesk Account Owner Changed
Panther Zendesk Mobile App Access Modified
Splunk Zoom High Video Latency experimental
Kusto Zscaler - Connections by dormant user available
Kusto Zscaler - Shared ZPA session available
Kusto Zscaler - Unexpected event count of rejects by policy available
Kusto Zscaler - Unexpected ZPA session duration available
Kusto Zscaler - ZPA connections by new user available
Kusto Zscaler - ZPA connections from new IP available

Valid Accounts: Default Accounts T1078.001 15 rules

Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Admin User Remote Logon test
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Sigma Guest Account Enabled Via Sysadminctl test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Splunk Okta New API Token Created production
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Suspicious Activity Reported production
Sigma Root Account Enable Via Dsenableroot test
Panther Snowflake Grant to Public Role
Splunk Windows Guest Account Enabled Via Net.EXE production

Valid Accounts: Domain Accounts T1078.002 28 rules

Elastic Access to a Sensitive LDAP Attribute production
Sigma Account renamed to admin (or likely) account to evade defense experimental
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Elastic AdminSDHolder SDProp Exclusion Added production
Elastic Delegated Managed Service Account Modification by an Unusual User production
Splunk Detect Excessive Account Lockouts From Endpoint production
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Elastic First Time Seen Account Performing DCSync production
Kusto High-Risk Cross-Cloud User Impersonation
Elastic Kerberos Pre-authentication Disabled for User production
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic Potential Credential Access via DCSync production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Rare User Logon production
Elastic Remote Computer Account DnsHostName Update production
Elastic Spike in Special Logon Events production
Elastic Spike in Successful Logon Events from a Source IP production
Splunk Suspicious Computer Account Name Change production
Splunk Suspicious Kerberos Service Ticket Request production
Splunk Suspicious Ticket Granting Ticket Request production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Splunk Windows Group Policy Object Created production
Splunk Windows PowerView AD Access Control List Enumeration production

Valid Accounts: Local Accounts T1078.003 23 rules

Elastic Account Discovery Command via SYSTEM Account production
Sigma Admin User Remote Logon test
Elastic Attempt to Enable the Root Account production
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Splunk Detect Excessive User Account Lockouts production
Elastic Mounting Hidden or WebDav Remote Shares production
Elastic Potential Admin Group Account Addition production
Elastic Potential Hidden Local User Account Creation production
Splunk Potential password in username production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Rare User Logon production
Sigma Root Account Enable Via Dsenableroot test
Splunk Short Lived Windows Accounts production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Login via System User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Elastic User Added to the Admin Group production

Valid Accounts: Cloud Accounts T1078.004 290 rules

Kusto Account Created and Deleted in Short Timeframe available
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Kusto Account Elevated to New Role
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Kusto Anomalous Single Factor Signin
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Splunk ASL AWS Create Policy Version to allow all resources production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Elastic AWS CloudShell Environment Created production
Panther AWS Compromised IAM Key Quarantine
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Panther AWS IMDS Credential Usage Outside Expected Services Experimental
Elastic AWS Management Console Root Login production
Elastic AWS Rare Source AS Organization Activity production
Sigma AWS Root Credentials test
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
Splunk AWS Successful Single-Factor Authentication production
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Panther Azure Automation Runbook Created or Modified
Panther Azure Device Code Authentication with Broker Client
Panther Azure Kubernetes RoleBinding or ClusterRoleBinding Created
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Policy DeployIfNotExists Action Triggered
Panther Azure Privileged or Elevated Role Assignment
Panther Azure Protection Multiple Alerts for User
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Bitbucket User Login Failure test
Sigma Bitlocker Key Retrieval test
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Kusto Conditional Access Policy Modified by New User
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Sigma Device Registration or Join Without MFA test
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Elastic External User Added to Google Workspace Group production
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Panther GAIA GCPW Credential Theft Attack Chain
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
Panther GCP User Added to Privileged Group
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Elastic Google Workspace Login Flagged Suspicious production building block
Panther Google Workspace Login Type Anomaly
Panther Google Workspace OAuth Application Authorized with Privileged Scopes Experimental
Panther Google Workspace OAuth Token Requests from New IP
Panther Google Workspace Rapid Multi-IP Authentication
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High-Risk Cross-Cloud User Impersonation
Panther IAM Role Added to RDS Instance or Cluster
Panther Kubernetes ClusterRoleBinding to Privileged Role
Panther Kubernetes Role With Node Proxy Permissions Created
Panther Kubernetes Role With Pod Exec Permissions Created
Panther Kubernetes Role With Wildcard Permissions Created Experimental
Panther Kubernetes Service Account Token Theft from Pod
Panther Kubernetes System Role Modified or Deleted Experimental
Sigma Login to Disabled Account test
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Sigma macOS SSH Connection Detection experimental
Kusto MFA Rejected by User available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Security And Compliance Alert Triggered production
Elastic Okta Admin Console Login Failure production building block
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Sigma Okta New Admin Console Behaviours test
Panther Okta New Behaviors Acessing Admin Console
Panther Okta Org2Org application created of modified
Elastic Okta Sign-In Events via Third-Party IdP production
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta ThreatInsight Threat Detected production
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Sigma Password Reset By User Account test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Panther Sign In from Rogue State
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Sigma Sign-ins from Non-Compliant Devices test
Panther Slack Primary Owner Transferred
Kusto SlackAudit - User login after deactivated. available
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Panther Suspicious Snowflake Sessions - Unusual Application
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - User Assigned Privileged Role available
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User Accounts - Sign in Failure due to CA Spikes available
Kusto User Added to Admin Role
Sigma User Added To Privilege Role test
Kusto User Assigned New Privileged Role available
Kusto User Login from Different Countries within 3 hours available
Sigma User State Changed From Guest To Member test
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Splunk Windows Entra User Management Via Azure CLI production
Panther Wiz Rotate Service Account Secret
Panther Wiz Service Account Change

Replication Through Removable Media T1091 9 rules

Elastic Execution from a Removable Media with Network Connection production
Sigma External Disk Drive Or USB Storage Device Was Recognized By The System test
Elastic First Time Seen Removable Device production
Elastic New USB Storage Device Mounted production
Splunk Removable Media Detected (Windows Event Log)
Splunk Windows Process Executed From Removable Media production
Splunk Windows Replication Through Removable Media production
Splunk Windows USBSTOR Registry Key Modification production
Splunk Windows WPDBusEnum Registry Key Modification production

External Remote Services T1133 216 rules

Elastic Accepted Default Telnet Port Connection production
Kusto Apache - Apache 2.4.49 flaw CVE-2021-41773 available
Kusto Apache - Command in URI available
Kusto Apache - Known malicious user agent available
Kusto Apache - Multiple client errors from single IP available
Kusto Apache - Multiple server errors from single IP available
Kusto Apache - Private IP in URL available
Kusto Apache - Put suspicious file available
Kusto Apache - Request from private IP available
Kusto Apache - Requests to rare files available
Kusto ApexOne - Commands in Url available
Elastic AWS EC2 Network Access Control List Creation production
Elastic AWS EC2 Security Group Configuration Change production
Elastic AWS RDS DB Instance Made Public production
Panther AWS RDS Instance Modified to be Publicly Accessible
Kusto AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available
Panther AWS VPC Default Network ACL Restricts All Traffic
Panther AWS VPC Default Security Group Restrictions
Splunk Cisco Network Interface Modifications production
Kusto Cisco SE - Malware outbreak available
Kusto Cisco SE - Multiple malware on host available
Kusto Cisco SE - Unexpected binary file available
Kusto CiscoISE - Command executed with the highest privileges from new IP available
Kusto CiscoISE - Command executed with the highest privileges by new user available
Kusto Claroty - Login to uncommon location available
Kusto Claroty - Multiple failed logins by user available
Kusto Claroty - Multiple failed logins to same destinations available
Kusto Claroty - New Asset available
Kusto Cloudflare - Bad client IP available
Kusto Cloudflare - Bad client IP available
Kusto Cloudflare - Client request from country in blocklist available
Kusto Cloudflare - Client request from country in blocklist available
Kusto Cloudflare - Empty user agent available
Kusto Cloudflare - Empty user agent available
Kusto Cloudflare - Multiple error requests from single source available
Kusto Cloudflare - Multiple error requests from single source available
Kusto Cloudflare - Multiple user agents for single source available
Kusto Cloudflare - Multiple user agents for single source available
Kusto Cloudflare - Unexpected client request available
Kusto Cloudflare - Unexpected client request available
Kusto Cloudflare - Unexpected URI available
Kusto Cloudflare - Unexpected URI available
Kusto Cloudflare - WAF Allowed threat available
Kusto Cloudflare - WAF Allowed threat available
Kusto Cloudflare - XSS probing pattern in request available
Kusto Cloudflare - XSS probing pattern in request available
Splunk Confluence Unauthenticated Remote Code Execution CVE-2022-26134 production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used with Office 365 available
Kusto Dataverse - TI map IP to DataverseActivity available
Splunk Detect attackers scanning for vulnerable JBoss servers experimental
Splunk Detect Exchange Web Shell production
Kusto Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect known risky user agents (ASIM Web Session) available
Kusto Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available
Kusto Detect presence of uncommon user agents in web requests (ASIM Web Session) available
Kusto Detect threat information in web requests (ASIM Web Session) available
Kusto Detect URLs containing known malicious keywords or commands (ASIM Web Session) available
Kusto Detect web requests to potentially harmful files (ASIM Web Session) available
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
Splunk Exchange PowerShell Abuse via SSRF experimental
Splunk Exploit Public Facing Application via Apache Commons Text production
Splunk Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 production
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Splunk F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 production
Sigma Failed Logon From Public IP test
Elastic First Occurrence of Okta User Session Started via Proxy production
Sigma FortiGate - New VPN SSL Web Portal Added experimental
Sigma FortiGate - VPN SSL Settings Modified experimental
Splunk Fortinet Appliance Auth bypass production
Kusto Fortiweb - WAF Allowed threat available
Kusto GCP Audit Logs - Open Firewall Rule Created or Modified available
Kusto GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available
Kusto GSA - Detect Connections Outside Operational Hours available
Kusto GWorkspace - Alert events available
Splunk Hunting for Log4Shell production
Kusto Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available
Kusto Imperva - Abnormal protocol usage available
Kusto Imperva - Critical severity event not blocked available
Kusto Imperva - Forbidden HTTP request method in request available
Kusto Imperva - Malicious Client available
Kusto Imperva - Malicious user agent available
Kusto Imperva - Multiple user agents from same source available
Kusto Imperva - Possible command injection available
Kusto Imperva - Request from unexpected countries available
Kusto Imperva - Request from unexpected IP address to admin panel available
Kusto Imperva - Request to unexpected destination port available
Elastic Insecure AWS EC2 VPC Security Group Ingress Rule Added production
Splunk Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 production
Splunk Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 production
Kusto Jamf Protect - Network Threats available
Splunk Java Writing JSP File production
Elastic Kubernetes Exposed Service Created With Type NodePort production
Splunk Living Off The Land Detection production
Splunk Log4Shell CVE-2021-44228 Exploitation production
Splunk Log4Shell JNDI Payload Injection Attempt production
Splunk Log4Shell JNDI Payload Injection with Outbound Connection production
Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
Kusto NGINX - Command in URI available
Kusto NGINX - Known malicious user agent available
Kusto NGINX - Multiple client errors from single IP address available
Kusto NGINX - Multiple server errors from single IP address available
Kusto NGINX - Multiple user agents for single source available
Kusto NGINX - Private IP address in URL available
Kusto NGINX - Put file and get file from same IP address available
Elastic Ollama API Accessed from External Network production
Sigma OpenCanary - RDP New Connection Attempt experimental
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - Telnet Login Attempt test
Kusto Oracle - Command in URI available
Kusto Oracle - Malicious user agent available
Kusto Oracle - Multiple client errors from single IP available
Kusto Oracle - Multiple server errors from single IP available
Kusto Oracle - Multiple user agents for single source available
Kusto Oracle - Private IP in URL available
Kusto Oracle - Put file and get file from same IP address available
Kusto Oracle - Put suspicious file available
Kusto OracleDBAudit - Connection to database from external IP available
Splunk Outbound Network Connection from Java Using Default Ports production
Kusto Palo Alto Prisma Cloud - High risk score alert available
Kusto Palo Alto Prisma Cloud - High severity alert opened for several days available
Kusto Palo Alto Prisma Cloud - Maximum risk score alert available
Kusto Palo Alto Prisma Cloud - Network ACL allow all outbound traffic available
Kusto Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports available
Kusto Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic available
Kusto PaloAlto - Dropping or denying session with traffic available
Kusto PaloAlto - File type changed available
Kusto PaloAlto - Forbidden countries available
Kusto PaloAlto - Inbound connection to high risk ports available
Kusto PaloAlto - MAC address conflict available
Kusto PaloAlto - Possible attack without response available
Kusto PaloAlto - Possible flooding available
Kusto PaloAlto - Put and post method request in high risk file type available
Kusto PaloAlto - User privileges was changed available
Splunk PaperCut NG Remote Web Access Attempt production
Splunk PaperCut NG Suspicious Behavior Debug Log production
Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
Elastic Potential macOS SSH Brute Force Detected production
Splunk ProxyShell ProxyNotShell Behavior Detected production
Kusto Radiflow - New Activity Detected available
Elastic RDP (Remote Desktop Protocol) from the Internet production
Splunk RDP Brute-force Detection (Windows Event Log)
Splunk RDP Connection (Sysmon)
Splunk RDP Connection (Windows Event Log)
Splunk RDP Hijacking (Windows Event Log)
Splunk RDP Logon_Logoff Event (Windows Event Log)
Sigma Remote Access Tool - ScreenConnect Installation Execution test
Sigma Remote Access Tool - Team Viewer Session Started On Linux Host test
Sigma Remote Access Tool - Team Viewer Session Started On MacOS Host test
Sigma Remote Access Tool - Team Viewer Session Started On Windows Host test
Elastic Remote SSH Login Enabled via systemsetup Command production
Elastic RPC (Remote Procedure Call) from the Internet production
Sigma Running Chrome VPN Extensions via the Registry 2 VPN Extension test
Kusto SailPointIdentityNowAlertForTriggers available
Kusto SailPointIdentityNowEventType available
Kusto SailPointIdentityNowEventTypeTechnicalName available
Kusto SailPointIdentityNowFailedEvents available
Kusto SailPointIdentityNowFailedEventsBasedOnTime available
Kusto SailPointIdentityNowUserWithFailedEvent available
Kusto Semperis DSP Operations Critical Notifications available
Kusto SlackAudit - Empty User Agent available
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Splunk Spring4Shell Payload URL Request production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Splunk Supernova Webshell experimental
Sigma Suspicious File Created by ArcSOC.exe experimental
Splunk Temporary ConnectWise xml File Activity (Windows Event Log)
Kusto Tomcat - Commands in URI available
Kusto Tomcat - Known malicious user agent available
Kusto Tomcat - Multiple client errors from single IP address available
Kusto Tomcat - Multiple empty requests from same IP available
Kusto Tomcat - Multiple server errors from single IP address available
Kusto Tomcat - Put file and get file from same IP address available
Kusto Tomcat - Request from localhost IP address available
Kusto Tomcat - Server errors after multiple requests from same IP available
Kusto Ubiquiti - RDP from external source available
Kusto Ubiquiti - SSH from external source available
Kusto Ubiquiti - Unknown MAC Joined AP available
Sigma Unusual Child Process of dns.exe test
Sigma Unusual File Deletion by Dns.exe test
Sigma Unusual File Modification by dns.exe test
Elastic Unusual SSHD Child Process production
Sigma User Added to Remote Desktop Users Group test
Elastic Virtual Private Network Connection Attempt production
Splunk VMWare Aria Operations Exploit Attempt production
Splunk VMware Server Side Template Injection Hunt production
Splunk VMware Workspace ONE Freemarker Server-side Template Injection production
Elastic VNC (Virtual Network Computing) from the Internet production
Splunk Web JSP Request via URL production
Splunk Web or Application Server Spawning a Shell production
Splunk Web Spring Cloud Function FunctionRouter production
Splunk Web Spring4Shell HTTP Request Class Module production
Splunk Windows Exchange Autodiscover SSRF Abuse production
Splunk Windows MOVEit Transfer Writing ASPX production
Splunk Windows PaperCut NG Spawn Shell production
Splunk Windows RDPClient Connection Sequence Events production
Panther Wiz Issue Followed By SSH to EC2 Instance
Elastic Zoom Meeting with no Passcode production
Kusto Zscaler - Forbidden countries available
Kusto Zscaler - Shared ZPA session available
Kusto Zscaler - Unexpected event count of rejects by policy available
Kusto Zscaler - Unexpected update operation available
Kusto Zscaler - Unexpected ZPA session duration available
Kusto Zscaler - ZPA connections from new country available
Kusto Zscaler - ZPA connections from new IP available
Kusto Zscaler - ZPA connections outside operational hours available

Drive-by Compromise T1189 39 rules

Kusto A client made a web request to a potentially harmful file (ASIM Web Session schema)
Kusto Apache - Request to sensitive files available
Kusto App Gateway WAF - XSS Detection available
Kusto Application Gateway WAF - XSS Detection
Kusto Box - Executable file in folder available
Kusto Box - Forbidden file type downloaded available
Kusto Cisco Cloud Security - Request to blocklisted file type available
Kusto Cisco SDWAN - Intrusion Events available
Kusto Cisco SDWAN - IPS Event Threshold available
Kusto Cisco WSA - Internet access from public IP available
Kusto Cisco WSA - Multiple attempts to download unwanted file available
Kusto Cisco WSA - Multiple errors to resource from risky category available
Kusto Cisco WSA - Multiple infected files available
Kusto Cisco WSA - Unexpected file type available
Kusto Cisco WSA - Unscannable file or scan error available
Kusto Critical Risks available
Sigma Cross Site Scripting Strings test
Splunk Detect hosts connecting to dynamic domain providers production
Sigma Flash Player Update from Suspicious Location test
Kusto Front Door Premium WAF - XSS Detection available
Kusto Malformed user agent
Kusto McAfee ePO - Multiple threats on same host available
Kusto McAfee ePO - Threat was not blocked available
Kusto New UserAgent observed in last 24 hours available
Kusto NGINX - Request to sensitive files available
Kusto Oracle - Request to sensitive files available
Elastic Potential Fake CAPTCHA Phishing Attack production
Elastic Potential Masquerading as Business App Installer production
Kusto Power Apps - Multiple users access a malicious link after launching new app available
Kusto RecordedFuture Threat Hunting Hash All Actors
Kusto SlackAudit - Suspicious file downloaded. available
Elastic Suspicious Browser Child Process production
Sigma Suspicious Browser Child Process - MacOS test
Kusto Tomcat - Request to sensitive files available
Elastic Unusual Web Request production
Kusto Vulerabilities available
Kusto Web sites blocked by Eset available
Kusto Website blocked by ESET
Elastic WPS Office Exploitation via DLL Hijack production

Exploit Public-Facing Application T1190 516 rules

Kusto A potentially malicious web request was executed against a web server available
Kusto Abnormal Deny Rate for Source IP available
Elastic Accepted Default Telnet Port Connection production
Splunk Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint production
Splunk Adobe ColdFusion Access Control Bypass production
Splunk Adobe ColdFusion Unauthenticated Arbitrary File Read production
Sigma ADSelfService Exploitation test
Kusto AFD WAF - Code Injection available
Kusto AFD WAF - Path Traversal Attack available
Elastic Anomalous React Server Components Flight Data Patterns production building block
Kusto Anomalous User Agent connection attempt
Kusto Apache - Apache 2.4.49 flaw CVE-2021-41773 available
Kusto Apache - Command in URI available
Kusto Apache - Known malicious user agent available
Kusto Apache - Multiple client errors from single IP available
Kusto Apache - Multiple server errors from single IP available
Kusto Apache - Private IP in URL available
Kusto Apache - Put suspicious file available
Kusto Apache - Request from private IP available
Kusto Apache - Requests to rare files available
Sigma Apache Spark Shell Command Injection - ProcessCreation test
Sigma Apache Spark Shell Command Injection - Weblogs test
Sigma Apache Threading Error test
Kusto ApexOne - Attack Discovery Detection available
Kusto ApexOne - Commands in Url available
Kusto ApexOne - Multiple deny or terminate actions on single IP available
Kusto ApexOne - Spyware with failed response available
Kusto API - JWT validation available
Kusto API - Rate limiting available
Kusto API - Suspicious Login available
Kusto App Gateway WAF - Scanner Detection available
Kusto App Gateway WAF - SQLi Detection available
Kusto App GW WAF - Code Injection available
Kusto App GW WAF - Path Traversal Attack available
Kusto Application Gateway WAF - SQLi Detection
Panther AppOmni Alert Passthrough
Sigma Arcadyan Router Exploitations test
Sigma Atlassian Bitbucket Command Injection Via Archive API test
Sigma Atlassian Confluence CVE-2022-26134 test
Kusto AV detections related to SpringShell Vulnerability available
Panther AWS Application Load Balancer Web ACL
Panther AWS ELB SSL Policies
Panther AWS Enforces SSL Policies
Panther AWS Lambda Public Access
Panther AWS Network ACL Restricts Inbound Traffic
Panther AWS Security Group - Only DMZ Publicly Accessible
Panther AWS Security Group Administrative Ingress
Panther AWS Security Group Restricts Access To CDE
Panther AWS Security Group Restricts Inbound Traffic
Panther AWS Security Group Tightly Restricts Inbound Traffic
Panther AWS WAF Has XSS Predicate
Panther AWS WAF Managed Admin Protection Passthrough Rule
Panther AWS WAF Managed Core Rule Set Passthrough Rule
Panther AWS WAF Managed IP Reputation Passthrough Rule
Panther AWS WAF Managed Known Bad Inputs Passthrough Rule
Panther AWS WAF Managed SQL Database Passthrough Rule
Panther AWS WAF ReactJS RCE Attempt via Body
Kusto Azure WAF matching for Log4j vuln(CVE-2021-44228) available
Kusto BitSight - new alert found available
Kusto BitSight - new breach found available
Sigma Cisco ASA Exploitation Activity - Proxy experimental
Sigma Cisco ASA FTD Exploit CVE-2020-3452 test
Splunk Cisco IOS XE Implant Access production
Splunk Cisco IOS XE Request Platform Package Describe Shell Pattern production
Splunk Cisco IOS XE WebUI Login From IOSd Local Port production
Splunk Cisco IOS XE WebUI Programmatic Configuration production
Splunk Cisco NVM - Webserver Download From File Sharing Website production
Splunk Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity production
Splunk Cisco SD-WAN - Low Frequency Rogue Peer production
Splunk Cisco SD-WAN - Peering Activity production
Kusto Cisco SDWAN - Intrusion Events available
Kusto Cisco SDWAN - IPS Event Threshold available
Kusto Cisco SE - Malware outbreak available
Kusto Cisco SE - Multiple malware on host available
Kusto Cisco SE - Unexpected binary file available
Kusto Cisco SE High Events Last Hour available
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cisco Secure Firewall - Lumma Stealer Activity production
Splunk Cisco Secure Firewall - Oracle E-Business Suite Correlation production
Splunk Cisco Secure Firewall - Oracle E-Business Suite Exploitation production
Splunk Cisco Secure Firewall - React Server Components RCE Attempt production
Splunk Cisco Secure Firewall - Static Tundra Smart Install Abuse production
Splunk Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
Splunk Cisco Smart Install Oversized Packet Detection production
Splunk Cisco Smart Install Port Discovery and Status production
Splunk Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure production
Splunk Citrix ADC and Gateway Unauthorized Data Disclosure production
Splunk Citrix ADC Exploitation CVE-2023-3519 production
Sigma Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 test
Sigma Citrix Netscaler Attack CVE-2019-19781 test
Splunk Citrix ShareFile Exploitation CVE-2023-24489 production
Kusto Claroty - Login to uncommon location available
Kusto Claroty - Multiple failed logins by user available
Kusto Claroty - Multiple failed logins to same destinations available
Kusto Claroty - New Asset available
Kusto Cloudflare - Bad client IP available
Kusto Cloudflare - Bad client IP available
Kusto Cloudflare - Client request from country in blocklist available
Kusto Cloudflare - Client request from country in blocklist available
Kusto Cloudflare - Empty user agent available
Kusto Cloudflare - Empty user agent available
Kusto Cloudflare - Multiple error requests from single source available
Kusto Cloudflare - Multiple error requests from single source available
Kusto Cloudflare - Multiple user agents for single source available
Kusto Cloudflare - Multiple user agents for single source available
Kusto Cloudflare - Unexpected client request available
Kusto Cloudflare - Unexpected client request available
Kusto Cloudflare - Unexpected URI available
Kusto Cloudflare - Unexpected URI available
Kusto Cloudflare - WAF Allowed threat available
Kusto Cloudflare - WAF Allowed threat available
Kusto Cloudflare - XSS probing pattern in request available
Kusto Cloudflare - XSS probing pattern in request available
Sigma Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) experimental
Splunk Confluence CVE-2023-22515 Trigger Vulnerability production
Splunk Confluence Data Center and Server Privilege Escalation production
Sigma Confluence Exploitation CVE-2019-3398 test
Splunk Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 production
Splunk Confluence Unauthenticated Remote Code Execution CVE-2022-26134 production
Splunk ConnectWise ScreenConnect Authentication Bypass production
Splunk ConnectWise ScreenConnect Path Traversal production
Splunk ConnectWise ScreenConnect Path Traversal Windows SACL production
Kusto Credential errors stateful anomaly on database available
Splunk CrushFTP Authentication Bypass Exploitation production
Splunk CrushFTP Server Side Template Injection production
Sigma CVE-2010-5278 Exploitation Attempt test
Sigma CVE-2020-0688 Exchange Exploitation via Web Log test
Sigma CVE-2020-0688 Exploitation Attempt test
Sigma CVE-2020-0688 Exploitation via Eventlog test
Sigma CVE-2020-10148 SolarWinds Orion API Auth Bypass test
Sigma CVE-2020-5902 F5 BIG-IP Exploitation Attempt test
Sigma CVE-2021-21972 VSphere Exploitation test
Sigma CVE-2021-21978 Exploitation Attempt test
Sigma CVE-2021-33766 Exchange ProxyToken Exploitation test
Sigma CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit test
Sigma CVE-2021-41773 Exploitation Attempt test
Sigma CVE-2022-31656 VMware Workspace ONE Access Auth Bypass test
Sigma CVE-2022-31659 VMware Workspace ONE Access RCE test
Sigma CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 test
Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) test
Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) test
Sigma CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) test
Sigma CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) test
Sigma CVE-2023-46747 Exploitation Activity - Proxy test
Sigma CVE-2023-46747 Exploitation Activity - Webserver test
Sigma CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy test
Sigma CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver test
Sigma CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy test
Sigma CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver test
Panther CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails
Panther CVE-2023-7028 - GitLab Production Password Reset Multiple Emails
Sigma CVE-2024-50623 Exploitation Attempt - Cleo experimental
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used with Office 365 available
Kusto Dataverse - Suspicious use of TDS endpoint available
Elastic Deprecated - Unusual Command Execution from Web Server Parent production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Splunk Detect Exchange Web Shell production
Splunk Detect F5 TMUI RCE CVE-2020-5902 experimental
Kusto Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect known risky user agents (ASIM Web Session) available
Kusto Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available
Splunk Detect Outbound LDAP Traffic production
Kusto Detect port misuse by anomaly based detection (ASIM Network Session schema) available
Kusto Detect port misuse by static threshold (ASIM Network Session schema) available
Kusto Detect presence of uncommon user agents in web requests (ASIM Web Session) available
Kusto Detect threat information in web requests (ASIM Web Session) available
Kusto Detect URLs containing known malicious keywords or commands (ASIM Web Session) available
Splunk Detect Zerologon via Zeek experimental
Sigma Django Framework Exceptions stable
Sigma DNS Query to External Service Interaction Domains test
Sigma DNS RCE CVE-2020-1350 test
Kusto Dynatrace Application Security - Attack detection available
Panther EKS Anonymous API Access Detected
Panther EKS Audit Log Reporting system Namespace is Used From A Public IP
Sigma Exchange Exploitation CVE-2021-28480 test
Sigma Exchange Exploitation Used by HAFNIUM test
Kusto Exchange OAB Virtual Directory Attribute Containing Potential Webshell available
Splunk Exchange PowerShell Abuse via SSRF experimental
Sigma Exchange ProxyShell Pattern test
Kusto Exchange Server Suspicious File Downloads.
Kusto Exchange SSRF Autodiscover ProxyShell - Detection
Splunk Exploit Public Facing Application via Apache Commons Text production
Splunk Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 production
Sigma Exploitation Activity of CVE-2025-59287 - WSUS Deserialization experimental
Sigma Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process experimental
Sigma Exploitation of CVE-2021-26814 in Wazuh test
Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
Sigma F5 BIG-IP iControl Rest API Command Execution - Proxy test
Sigma F5 BIG-IP iControl Rest API Command Execution - Webserver test
Splunk F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 production
Sigma Failed Logon From Public IP test
Kusto Failed sign-ins into LastPass due to MFA available
Kusto Firewall errors stateful anomaly on database available
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Splunk Fortinet Appliance Auth bypass production
Sigma Fortinet CVE-2018-13379 Exploitation test
Sigma Fortinet CVE-2021-22123 Exploitation test
Kusto Fortiweb - WAF Allowed threat available
Kusto Front Door Premium WAF - SQLi Detection available
Panther GCP K8S Service Type NodePort Deployed Deprecated
Kusto GCP Security Command Center - Detect Open/Unrestricted API Keys available
Kusto GitHub Security Vulnerability in Repository
Sigma Grafana Path Traversal Exploitation CVE-2021-43798 test
Kusto GWorkspace - Alert events available
Sigma Hack Tool User Agent test
Kusto High count of connections by client IP on many ports
Kusto High Number of Urgent Vulnerabilities Detected available
Kusto High severity malicious activity detected available
Splunk HTTP Duplicated Header production
Splunk HTTP Rapid POST with Mixed Status Codes production
Splunk HTTP Request to Reserved Name on IIS Server production
Kusto Hunt for public facing devices and exposed ports over time
Kusto Hunt for public facing devices via DeviceNetworkEvents
Kusto Hunt for public facing devices via public tag
Kusto Hunt for public remotly exploitable devices (with high EPSS)
Splunk Hunting for Log4Shell production
Kusto Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available
Kusto Identify SysAid Server web shell creation
Kusto Imperva - Abnormal protocol usage available
Kusto Imperva - Critical severity event not blocked available
Kusto Imperva - Forbidden HTTP request method in request available
Kusto Imperva - Malicious Client available
Kusto Imperva - Malicious user agent available
Kusto Imperva - Multiple user agents from same source available
Kusto Imperva - Possible command injection available
Kusto Imperva - Request from unexpected countries available
Kusto Imperva - Request from unexpected IP address to admin panel available
Kusto Imperva - Request to unexpected destination port available
Elastic Inbound Connection to an Unsecure Elasticsearch Node production
Sigma Ingress/Egress Security Group Modification test
Elastic Initial Access via File Upload Followed by GET Request production
Splunk Ivanti Connect Secure Command Injection Attempts production
Splunk Ivanti Connect Secure SSRF in SAML Component production
Splunk Ivanti Connect Secure System Information Access via Auth Bypass production
Splunk Ivanti EPM SQL Injection Remote Code Execution production
Splunk Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 production
Splunk Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 production
Splunk Ivanti VTM New Account Creation production
Splunk Java Class File download by Java User Agent production
Sigma Java Payload Strings test
Splunk Java Writing JSP File production
Splunk Jenkins Arbitrary File Read CVE-2024-23897 production
Splunk JetBrains TeamCity Authentication Bypass CVE-2024-27198 production
Splunk JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 production
Splunk JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 production
Splunk JetBrains TeamCity RCE Attempt production
Sigma JNDIExploit Pattern test
Splunk Juniper Networks Remote Code Execution Exploit Detection production
Panther Kubernetes Anonymous API Access Detected Experimental
Panther Kubernetes NodePort Service Deployed
Panther Kubernetes System Principal Accessed from Non-Cloud Public IP Experimental
Sigma Linux Suspicious Child Process from Node.js - React2Shell experimental
Splunk Linux Suspicious React or Next.js Child Process production
Splunk Living Off The Land Detection production
Sigma LoadBalancer Security Group Modification test
Sigma Log4j RCE CVE-2021-44228 Generic test
Sigma Log4j RCE CVE-2021-44228 in Fields test
Splunk Log4Shell CVE-2021-44228 Exploitation production
Splunk Log4Shell JNDI Payload Injection Attempt production
Splunk Log4Shell JNDI Payload Injection with Outbound Connection production
Sigma LPE InstallerFileTakeOver PoC CVE-2021-41379 test
Kusto Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
Elastic Microsoft Exchange Server UM Spawning Suspicious Processes production
Elastic Microsoft Exchange Server UM Writing Suspicious Files production
Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
Splunk Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
Splunk Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
Splunk MOVEit Certificate Store Access Failure production
Splunk MOVEit Empty Key Fingerprint Authentication Attempt production
Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
Kusto New High Severity Vulnerability Detected Across Multiple Hosts available
Kusto NGINX - Command in URI available
Kusto NGINX - Known malicious user agent available
Kusto NGINX - Multiple client errors from single IP address available
Kusto NGINX - Multiple server errors from single IP address available
Kusto NGINX - Multiple user agents for single source available
Kusto NGINX - Private IP address in URL available
Kusto NGINX - Put file and get file from same IP address available
Kusto NGINX - Sql injection patterns available
Splunk Nginx ConnectWise ScreenConnect Authentication Bypass production
Kusto OCI - Inbound SSH connection available
Kusto OCI - Unexpected user agent available
Kusto OLE object manipulation attempts stateful anomaly on database available
Elastic Ollama API Accessed from External Network production
Splunk Ollama Possible RCE via Model Loading experimental
Splunk Ollama Suspicious Prompt Injection Jailbreak experimental
Kusto OMI Vulnerability Exploitation
Sigma OMIGOD HTTP No Authentication RCE - CVE-2021-38647 stable
Sigma OMIGOD SCX RunAsProvider ExecuteScript test
Sigma OMIGOD SCX RunAsProvider ExecuteShellCommand test
Sigma OpenCanary - FTP Login Attempt test
Sigma OpenCanary - HTTP GET Request test
Sigma OpenCanary - HTTP POST Login Attempt test
Kusto Oracle - Command in URI available
Kusto Oracle - Malicious user agent available
Kusto Oracle - Multiple client errors from single IP available
Kusto Oracle - Multiple server errors from single IP available
Kusto Oracle - Multiple user agents for single source available
Kusto Oracle - Oracle WebLogic Exploit CVE-2021-2109 available
Kusto Oracle - Private IP in URL available
Kusto Oracle - Put file and get file from same IP address available
Kusto Oracle - Put suspicious file available
Sigma Oracle WebLogic Exploit test
Sigma Oracle WebLogic Exploit CVE-2020-14882 test
Sigma Oracle WebLogic Exploit CVE-2021-2109 test
Kusto OracleDBAudit - Connection to database from external IP available
Kusto OracleDBAudit - SQL injection patterns available
Splunk Outbound Network Connection from Java Using Default Ports production
Sigma OWASSRF Exploitation Attempt Using Public POC - Proxy test
Sigma OWASSRF Exploitation Attempt Using Public POC - Webserver test
Kusto PaloAlto - Dropping or denying session with traffic available
Kusto PaloAlto - File type changed available
Kusto PaloAlto - Forbidden countries available
Kusto PaloAlto - Inbound connection to high risk ports available
Kusto PaloAlto - MAC address conflict available
Kusto PaloAlto - Possible attack without response available
Kusto PaloAlto - Possible flooding available
Kusto PaloAlto - Put and post method request in high risk file type available
Kusto PaloAlto - User privileges was changed available
Splunk PaperCut NG Remote Web Access Attempt production
Splunk PaperCut NG Suspicious Behavior Debug Log production
Sigma Path Traversal Exploitation Attempts test
Kusto Pathlock TDnR - J2EE Security Events available
Kusto Pathlock TDnR - SAP HTTP Webserver Events available
Kusto Pathlock TDnR - SAP Web Dispatcher HTTP Events available
Kusto Ping Federate - OAuth old version available
Kusto Ping Federate - SAML old version available
Sigma Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt test
Elastic Potential Buffer Overflow Attack Detected production
Sigma Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 test
Elastic Potential Code Execution via Postgresql production
Elastic Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940) production
Sigma Potential CVE-2021-26084 Exploitation Attempt test
Sigma Potential CVE-2021-27905 Exploitation Attempt test
Sigma Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon test
Sigma Potential CVE-2022-21587 Exploitation Attempt test
Sigma Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test
Sigma Potential CVE-2022-26809 Exploitation Attempt test
Sigma Potential CVE-2022-46169 Exploitation Attempt test
Sigma Potential CVE-2023-2283 Exploitation test
Sigma Potential CVE-2023-23752 Exploitation Attempt test
Sigma Potential CVE-2023-25717 Exploitation Attempt test
Sigma Potential CVE-2023-27997 Exploitation Indicators test
Sigma Potential Exploitation Attempt Of Undocumented WindowsServer RCE test
Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
Sigma Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE experimental
Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
Splunk Potential Exposed SMB_RDP Port - Windows (Windows Event Log)
Sigma Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy test
Sigma Potential Information Disclosure CVE-2023-43261 Exploitation - Web test
Elastic Potential JAVA/JNDI Exploitation Attempt production
Sigma Potential JNDI Injection Exploitation In JVM Based Application test
Elastic Potential Linux Hack Tool Launched production
Sigma Potential Local File Read Vulnerability In JVM Based Application test
Sigma Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity test
Sigma Potential OGNL Injection Exploitation In JVM Based Application test
Sigma Potential OWASSRF Exploitation Attempt - Proxy test
Sigma Potential OWASSRF Exploitation Attempt - Webserver test
Sigma Potential RCE Exploitation Attempt In NodeJS test
Sigma Potential SAP NetViewer Webshell Command Execution experimental
Elastic Potential SAP NetWeaver Exploitation production
Sigma Potential SAP NetWeaver Webshell Creation experimental
Sigma Potential SAP NetWeaver Webshell Creation - Linux experimental
Sigma Potential Server Side Template Injection In Velocity test
Sigma Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create experimental
Sigma Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators experimental
Splunk Potential SMB Activity from External IP - Windows (Windows Event Log)
Sigma Potential SpEL Injection In Spring Framework test
Elastic Potential Telnet Authentication Bypass (CVE-2026-24061) production
Elastic Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771) production building block
Elastic Potential VIEWSTATE RCE Attempt on SharePoint/IIS production building block
Elastic Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
Sigma Potential XXE Exploitation Attempt In JVM Based Application test
Sigma Process Execution Error In JVM Based Application test
Sigma ProxyLogon Reset Virtual Directories Based On IIS Log test
Splunk ProxyShell ProxyNotShell Behavior Detected production
Sigma Pulse Connect Secure RCE Attack CVE-2021-22893 stable
Sigma Pulse Secure Attack CVE-2019-11510 test
Kusto PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack
Sigma Python SQL Exceptions stable
Elastic RDP (Remote Desktop Protocol) from the Internet production
Sigma RDS Database Security Group Modification test
Elastic React2Shell (CVE-2025-55182) Exploitation Attempt production
Elastic React2Shell Network Security Alert production
Sigma Rejetto HTTP File Server RCE test
Sigma Remote Access Tool - ScreenConnect Server Web Shell Execution test
Elastic RPC (Remote Procedure Call) from the Internet production
Elastic RPC (Remote Procedure Call) to the Internet production
Sigma Ruby on Rails Framework Exceptions stable
Panther S3 Public Access Block Deleted Experimental
YARA-L sap gateway acl bypass attempt
Splunk SAP NetWeaver Visual Composer Exploitation Attempt production
Elastic ScreenConnect Server Spawning Suspicious Processes production
Kusto Sentinel One - Alert from custom rule available
Kusto Sentinel One - Multiple alerts on host available
Kusto Sentinel One - Same custom rule triggered on different hosts available
Sigma SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS experimental
Kusto Silk Typhoon New UM Service Child Process
Kusto Silk Typhoon Suspicious Exchange Request
Kusto Silk Typhoon Suspicious File Downloads.
Kusto Silk Typhoon Suspicious UM Service Error
Kusto Silverfort - Log4Shell Incident
Sigma Sitecore Pre-Auth RCE CVE-2021-42237 test
Elastic SMB (Windows File Sharing) Activity to the Internet production
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Sigma SonicWall SSL/VPN Jarrewrite Exploitation test
Sigma Spring Framework Exceptions stable
Splunk Spring4Shell Payload URL Request production
Sigma SQL Injection Strings In URI test
Splunk SQL Injection with Long URLs experimental
Sigma Successful IIS Shortname Fuzzing Scan test
Elastic Suspicious Child Execution via Web Server production
Sigma Suspicious Child Process of SAP NetWeaver experimental
Sigma Suspicious Child Process of SAP NetWeaver - Linux experimental
Sigma Suspicious Child Process of SolarWinds WebHelpDesk experimental
Sigma Suspicious Child Process Of SQL Server test
Elastic Suspicious Command Execution via Web Server production
Splunk Suspicious Confluence Child Process - Windows (Sysmon)
Splunk Suspicious Confluence Child Process - Windows (Windows Event Log)
Sigma Suspicious CrushFTP Child Process experimental
Sigma Suspicious File Drop by Exchange test
Sigma Suspicious File Write to SharePoint Layouts Directory experimental
Sigma Suspicious File Write to Webapps Root Directory experimental
Splunk Suspicious Java Classes experimental
Elastic Suspicious JetBrains TeamCity Child Process production
Sigma Suspicious MSExchangeMailboxReplication ASPX Write test
Sigma Suspicious Named Error test
Sigma Suspicious OpenSSH Daemon Error test
Sigma Suspicious Process By Web Server Process test
Sigma Suspicious Processes Spawned by WinRM test
Elastic Suspicious React Server Child Process production
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Sigma Suspicious SQL Error Messages test
Sigma Suspicious SQL Query test
Sigma Suspicious User-Agents Related To Recon Tools test
Sigma Suspicious VSFTPD Error Messages test
Kusto Syntax errors stateful anomaly on database available
Elastic Telnet Authentication Bypass via User Environment Variable production
Sigma Terminal Service Process Spawn test
Sigma TerraMaster TOS CVE-2020-28188 test
Kusto Tomcat - Commands in URI available
Kusto Tomcat - Known malicious user agent available
Kusto Tomcat - Multiple client errors from single IP address available
Kusto Tomcat - Multiple empty requests from same IP available
Kusto Tomcat - Multiple server errors from single IP address available
Kusto Tomcat - Put file and get file from same IP address available
Kusto Tomcat - Request from localhost IP address available
Kusto Tomcat - Server errors after multiple requests from same IP available
Kusto Tomcat - Sql injection patterns available
Splunk Tomcat Session Deserialization Attempt production
Splunk Tomcat Session File Upload Attempt production
Elastic Unusual Child Execution via Web Server production
Elastic Unusual Child Process of dns.exe production
Elastic Unusual Command Execution via Web Server production
Elastic Unusual Exim4 Child Process production
Elastic Unusual File Creation by Web Server production building block
Elastic Unusual File Operation by dns.exe production
Elastic Unusual Process For MSSQL Service Accounts production building block
Panther Upwind API Detection Passthrough Experimental
Panther Upwind Vulnerability Detection Passthrough Experimental
Kusto User agent search for log4j exploitation attempt available
Splunk VMWare Aria Operations Exploit Attempt production
Kusto VMware ESXi - Dormant VM started
Splunk VMware Server Side Template Injection Hunt production
Sigma VMware vCenter Server File Upload CVE-2021-22005 test
Splunk VMware Workspace ONE Freemarker Server-side Template Injection production
Elastic VNC (Virtual Network Computing) from the Internet production
Kusto Vulnerable Machines related to log4j CVE-2021-44228 available
Kusto Vulnerable Machines related to OMIGOD CVE-2021-38647
Kusto Web Application attack detected available
Splunk Web JSP Request via URL production
Splunk Web or Application Server Spawning a Shell production
Splunk Web Remote ShellServlet Access production
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Local File Inclusion Activity production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential Remote File Inclusion Activity production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Splunk Web Spring Cloud Function FunctionRouter production
Splunk Web Spring4Shell HTTP Request Class Module production
Splunk WebLogic CVE-2017-10271 (PowerShell)
Splunk WebLogic CVE-2017-10271 (Sysmon)
Splunk WebLogic CVE-2017-10271 (Windows Event Log)
Splunk Windows Exchange Autodiscover SSRF Abuse production
Splunk Windows Identify PowerShell Web Access IIS Pool production
Splunk Windows IIS Server PSWA Console Access production
Splunk Windows Metasploit Confluence Plugin Execution production
Splunk Windows MOVEit Transfer Writing ASPX production
Splunk Windows PaperCut NG Spawn Shell production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Splunk Windows SharePoint Spinstall0 GET Request production
Splunk Windows SharePoint Spinstall0 Webshell File Creation production
Splunk Windows SharePoint ToolPane Endpoint Exploitation Attempt production
Splunk Windows Shell or Script Execution From IIS Directory production
Splunk Windows Shell Process from CrushFTP production
Sigma Windows Suspicious Child Process from Node.js - React2Shell experimental
Splunk Windows Suspicious React or Next.js Child Process production
Splunk Windows TeamCity Payload Execution from Temp Directory production
Splunk Windows TeamCity Plugin Installed production
Splunk Windows Unusual File Creation in Confluence Directory production
Splunk Windows WSUS Spawning Shell production
Splunk WinRM Spawning a Process experimental
Splunk WordPress Bricks Builder plugin RCE production
Splunk WS FTP Remote Code Execution production
Sigma Zimbra Collaboration Suite Email Server Unauthenticated RCE test
Elastic Zoom Meeting with no Passcode production
Kusto Zscaler - Forbidden countries available
Kusto Zscaler - Unexpected update operation available
Kusto Zscaler - ZPA connections from new country available
Kusto Zscaler - ZPA connections outside operational hours available

Supply Chain Compromise T1195 82 rules

Splunk 3CX Supply Chain Attack Network Indicators production
Splunk 3CXDesktopApp.exe Execution (EDR)
Splunk 3CXDesktopApp.exe Execution (Sysmon)
Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
Panther Action Performed by Netskope Personnel
Sigma Axios NPM Compromise File Creation Indicators - Linux experimental
Sigma Axios NPM Compromise File Creation Indicators - MacOS experimental
Sigma Axios NPM Compromise File Creation Indicators - Windows experimental
Sigma Axios NPM Compromise Indicators - Linux experimental
Sigma Axios NPM Compromise Indicators - macOS experimental
Sigma Axios NPM Compromise Indicators - Windows experimental
Kusto BTP - Cloud Integration package import or transport available
Elastic Command Execution via SolarWinds Process production
Panther CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails
Panther CVE-2023-7028 - GitLab Production Password Reset Multiple Emails
Elastic Deprecated - SUNBURST Command and Control Activity production
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic Elastic Defend Alert from GenAI Utility or Descendant production
Elastic Elastic Defend Alert from Package Manager Install Ancestry production
Elastic Execution via GitHub Actions Runner production
Elastic GitHub Actions Unusual Bot Push to Repository production
Elastic GitHub Actions Workflow Modification Blocked production
Elastic Github Activity on a Private Repository from an Unusual IP production
Panther GitHub Branch Protection Disabled
Panther GitHub Branch Protection Policy Override
Splunk GitHub Enterprise Delete Branch Ruleset production
Splunk GitHub Enterprise Disable 2FA Requirement production
Splunk GitHub Enterprise Disable Audit Log Event Stream production
Splunk GitHub Enterprise Disable Classic Branch Protection Rule production
Splunk GitHub Enterprise Disable Dependabot production
Splunk GitHub Enterprise Disable IP Allow List production
Splunk GitHub Enterprise Modify Audit Log Event Stream production
Splunk GitHub Enterprise Pause Audit Log Event Stream production
Splunk GitHub Enterprise Register Self Hosted Runner production
Splunk GitHub Enterprise Remove Organization production
Splunk GitHub Enterprise Repository Archived production
Splunk GitHub Enterprise Repository Deleted production
Splunk GitHub Organizations Delete Branch Ruleset production
Splunk GitHub Organizations Disable 2FA Requirement production
Splunk GitHub Organizations Disable Classic Branch Protection Rule production
Splunk GitHub Organizations Disable Dependabot production
Splunk GitHub Organizations Repository Archived production
Splunk GitHub Organizations Repository Deleted production
Panther GitHub Repository Collaborator Change
Panther GitHub Team Modified
Panther GitHub User Added or Removed from Org
Panther GitHub Workflow Dispatched by GitHub Actions Bot Experimental
Splunk GitHub Workflow File Creation or Modification production
Panther GitHub Workflow Permissions Modified
Kusto Google DNS - Malicous Python packages
Splunk Hunting 3CXDesktopApp Software production
Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Kusto McAfee ePO - Multiple threats on same host available
Kusto McAfee ePO - Threat was not blocked available
Elastic Network Connection to OAST Domain via Script Interpreter production
Elastic New GitHub Self Hosted Action Runner production
Elastic Node.js Pre or Post-Install Script Execution production
Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
Sigma Octopus Scanner Malware test
Elastic Ollama DNS Query to Untrusted Domain production building block
Sigma Outdated Dependency Or Vulnerability Alert Disabled test
Elastic Remote GitHub Actions Runner Registration production
Elastic RPM Package Installed by Unusual Parent Process production
Splunk Shai-Hulud 2 Exfiltration Artifact Files production
Sigma Shai-Hulud 2.0 Malicious NPM Package Installation experimental
Sigma Shai-Hulud 2.0 Malicious NPM Package Installation - Linux experimental
Sigma Shai-Hulud Malicious Bun Execution experimental
Sigma Shai-Hulud Malicious Bun Execution - Linux experimental
Splunk Shai-Hulud Workflow File Creation or Modification production
Elastic SolarWinds Process Disabling Services via Registry production
Kusto Solorigate Defender Detections
Kusto SUNBURST and SUPERNOVA backdoor hashes available
Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
Kusto SUNBURST network beacons available
Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious SolarWinds Child Process production
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
Elastic Unusual DPKG Execution production
Splunk Windows Vulnerable 3CX Software production

Supply Chain Compromise: Compromise Software Dependencies and Development Tools T1195.001 10 rules

Panther A backdoored version of XZ or liblzma is vulnerable to CVE-2024-3094
Panther AWS EC2 Vulnerable XZ Image Launched
Elastic GitHub Actions Workflow Modification Blocked production
Elastic Network Connection to OAST Domain via Script Interpreter production
Elastic New GitHub Self Hosted Action Runner production
Elastic Node.js Pre or Post-Install Script Execution production
Sigma Octopus Scanner Malware test
Elastic Ollama DNS Query to Untrusted Domain production building block
Sigma Outdated Dependency Or Vulnerability Alert Disabled test
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production

Supply Chain Compromise: Compromise Software Supply Chain T1195.002 51 rules

Splunk 3CX Supply Chain Attack Network Indicators production
Sigma Axios NPM Compromise File Creation Indicators - Linux experimental
Sigma Axios NPM Compromise File Creation Indicators - MacOS experimental
Sigma Axios NPM Compromise File Creation Indicators - Windows experimental
Sigma Axios NPM Compromise Indicators - Linux experimental
Sigma Axios NPM Compromise Indicators - macOS experimental
Sigma Axios NPM Compromise Indicators - Windows experimental
Elastic Command Execution via SolarWinds Process production
Elastic Deprecated - SUNBURST Command and Control Activity production
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic Elastic Defend Alert from GenAI Utility or Descendant production
Elastic Elastic Defend Alert from Package Manager Install Ancestry production
Elastic Execution via GitHub Actions Runner production
Elastic GitHub Actions Unusual Bot Push to Repository production
Elastic GitHub Actions Workflow Modification Blocked production
Elastic Github Activity on a Private Repository from an Unusual IP production
Panther GitHub Artifact Download from Cross-Fork Workflow
Panther GitHub Commits Skipping Workflows
Panther GitHub Cross-Fork Workflow Run
Panther GitHub Malicious Comment/Review Content
Panther GitHub Malicious Commit Content
Panther GitHub Malicious Issue/Pages Content
Panther GitHub Malicious Pull Request Content
Panther GitHub pull_request_target Workflow on Self-Hosted Runner
Panther GitHub pull_request_target Workflow Usage
Panther GitHub pull_request_target Workflow with Checkout Action
Panther GitHub Sha1-Hulud Malicious Repository Created
Panther GitHub Supply Chain - Software Installation Tool User Agents
Panther GitHub Workflow Contains Checkout Action
Panther GitHub Workflow Downloading Artifacts
Panther GitHub Workflow Using Self-Hosted Runner
Splunk Hunting 3CXDesktopApp Software production
Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Elastic New GitHub Self Hosted Action Runner production
Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
Elastic Ollama DNS Query to Untrusted Domain production building block
Elastic Remote GitHub Actions Runner Registration production
Elastic RPM Package Installed by Unusual Parent Process production
Splunk Shai-Hulud 2 Exfiltration Artifact Files production
Sigma Shai-Hulud 2.0 Malicious NPM Package Installation experimental
Sigma Shai-Hulud 2.0 Malicious NPM Package Installation - Linux experimental
Sigma Shai-Hulud Malicious Bun Execution experimental
Sigma Shai-Hulud Malicious Bun Execution - Linux experimental
Elastic SolarWinds Process Disabling Services via Registry production
Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious SolarWinds Child Process production
Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
Elastic Unusual DPKG Execution production
Splunk Windows Vulnerable 3CX Software production

Trusted Relationship T1199 18 rules

Kusto Anomalous login followed by Teams action
Panther AppOmni Alert Passthrough
Kusto Azure Portal sign in from another Azure Tenant available
Kusto Dataverse - TI map IP to DataverseActivity available
Elastic Entra ID Illicit Consent Grant via Registered Application production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Kusto External Upstream Source Added to Azure DevOps Feed available
Sigma Microsoft 365 - User Restricted from Sending Email test
Kusto Netskope - New Risky App Access vs 7-Day Baseline available
Kusto Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT) available
Elastic New GitHub App Installed production
Panther Okta Identity Provider Created or Modified
Panther Okta Identity Provider Sign-in
Elastic Okta Sign-In Events via Third-Party IdP production
Panther Okta Support Access Granted
Panther Okta Support Reset Credential
Panther Salesforce Third-Party Integration Monitoring

Hardware Additions T1200 14 rules

Splunk Detect ARP Poisoning experimental
Splunk Detect IPv6 Network Infrastructure Threats experimental
Splunk Detect Port Security Violation experimental
Splunk Detect Rogue DHCP Server experimental
Splunk Detect Traffic Mirroring experimental
Sigma Device Installation Blocked test
Sigma External Disk Drive Or USB Storage Device Was Recognized By The System test
Splunk Linux Auditd Hardware Addition Swapoff production
Splunk Linux Hardware Addition SwapOff production
Kusto Potential DHCP Starvation Attack available
Sigma USB Device Plugged test
Splunk Windows Process Executed From Removable Media production
Splunk Windows USBSTOR Registry Key Modification production
Splunk Windows WPDBusEnum Registry Key Modification production

Phishing T1566 255 rules

Kusto Accessed files shared by temporary external user available
Kusto Acronis - Multiple Inboxes with Malicious Content Detected
Panther AppOmni Alert Passthrough
Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms test
Splunk Azure AD Device Code Authentication production
Panther Azure Device Code Authentication with Broker Client
Panther Azure VS Code OAuth Phishing Experimental
YARA-L Chrome Browser Safe Browsing User Bypass
Kusto Cisco SEG - Malicious attachment not blocked available
Kusto Cisco SEG - Multiple suspiciuos attachments received available
Kusto Cisco SEG - Possible outbreak available
Kusto Cisco SEG - Potential phishing link available
Kusto Cisco SEG - Suspicious link available
Kusto Cisco SEG - Suspicious sender domain available
Kusto Cisco SEG - Unexpected attachment available
Kusto Cisco SEG - Unexpected link available
Kusto Cisco SEG - Unscannable attacment available
Kusto Cisco WSA - Access to unwanted site available
Kusto Contrast Blocks available
Kusto Contrast Exploits available
Kusto Contrast Probes available
Kusto Contrast Suspicious available
Kusto Corelight - Network Service Scanning Multiple IP Addresses available
Kusto Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request available
Kusto Corelight - SMTP Email containing NON Ascii Characters within the Subject available
Elastic Creation of SettingContent-ms Files production building block
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Sigma CVE-2021-31979 CVE-2021-33771 Exploits test
Sigma CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum test
Kusto CyberBlindSpot - Any Issue Detected available
Kusto Dataverse - TI map URL to DataverseActivity available
Elastic Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish production
Kusto Detect Direct Send phishing emails
Kusto Detect external user sending suspicious link to multiple users
Kusto Detect Malicious Teams Message
Splunk Detect Outlook exe writing a zip file production
Kusto Detect Possible Teams BEC Attack by High Teams Recipients
Kusto Detect web requests to potentially harmful files (ASIM Web Session) available
Sigma Disk Image Mounting Via Hdiutil - MacOS test
Panther DNS request to denylisted domain
Sigma Download From Suspicious TLD - Blacklist test
Sigma Download From Suspicious TLD - Whitelist test
Elastic Downloaded Shortcut Files production
Elastic Downloaded URL Files production
Sigma Droppers Exploiting CVE-2017-11882 stable
Kusto Egress Defend - Dangerous Attachment Detected available
Splunk Email Attachments With Lots Of Spaces experimental
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID Illicit Consent Grant via Registered Application production
Elastic Entra ID Kali365 Default User-Agent Detected production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA) production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Execution of File Written or Modified by Microsoft Office production
Sigma Exploit for CVE-2017-0261 test
Sigma Exploit for CVE-2017-8759 test
Elastic File with Suspicious Extension Downloaded production building block
Splunk Gdrive suspicious file sharing experimental
Panther GitHub Malicious Comment/Review Content
Panther Gmail Malicious SMTP Response
YARA-L gmail spike in undeliverables
Kusto Google DNS - Exchange online autodiscover abuse
Kusto Google Threat Intelligence - Threat Hunting Url
Elastic Google Workspace Device Registration After OAuth from Suspicious ASN production
Elastic Google Workspace Object Copied to External Drive with App Consent production
Panther Gsuite Email Bypassed Spam Filter
Splunk GSuite Email Suspicious Attachment production
Splunk Gsuite Email Suspicious Subject With Attachment production
Splunk Gsuite Email With Known Abuse Web Service Link production
Panther GSuite Government Backed Attack
Splunk Gsuite suspicious calendar invite experimental
Splunk Gsuite Suspicious Shared File Name experimental
Panther GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled
Panther GSuite Workspace Gmail Security Sandbox Disabled
Kusto GWorkspace - Possible maldoc file name in Google drive available
Sigma HTML File Opened From Download Folder experimental
Sigma HTML Help HH.EXE Suspicious Child Process test
Sigma ISO File Created Within Temp Folders test
Sigma ISO Image Mounted test
Sigma ISO or Image Mount Indicator in Recent Files test
Kusto KnowBe4 Defend - Dangerous Attachment Detected available
Elastic M365 AIR Investigation Signal production building block
Elastic M365 Azure Monitor Alert Email with Financial or Billing Theme production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Elastic M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) production
Elastic M365 Quarantine and Hygiene Signal production building block
Elastic M365 Threat Intelligence Signal production building block
Splunk Malicious Document Execution (Sysmon)
Splunk Malicious Document Execution (Windows Event Log)
Panther Malicious SSO DNS Lookup
Kusto McAfee ePO - Spam Email detected available
YARA-L Microsoft Entra ID Device code phishing attack
Kusto Mimecast Secure Email Gateway - Attachment Protect available
Kusto Mimecast Secure Email Gateway - Attachment Protect
Kusto Mimecast Secure Email Gateway - URL Protect available
Kusto Mimecast Secure Email Gateway - URL Protect
Elastic Network Traffic to Rare Destination Country production
Splunk O365 Email Reported By Admin Found Malicious production
Splunk O365 Email Reported By User Found Malicious production
Splunk O365 Safe Links Detection production
Splunk O365 Threat Intelligence Suspicious Email Delivered production
Splunk O365 ZAP Activity Detection production
Kusto Office ASR rule triggered from browser spawned office process. available
Sigma Office Macro File Creation test
Sigma Office Macro File Creation From Suspicious Process test
Sigma Office Macro File Download test
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Kusto Okta Fast Pass phishing Detection available
Sigma Okta FastPass Phishing Detection test
Elastic Okta FastPass Phishing Detection production
YARA-L Okta Phishing Detection With Fastpass Origin Check
Sigma Password Protected ZIP File Opened (Email Attachment) test
Kusto Phishing link click observed in Network Traffic
Sigma Phishing Pattern ISO in Archive test
Kusto Possible Phishing with CSL and Network Sessions available
Elastic Potential CVE-2025-33053 Exploitation production
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Fake CAPTCHA Phishing Attack production
Elastic Potential Foxmail Exploitation production
Sigma Potential Initial Access via DLL Search Order Hijacking test
Sigma Potential Malicious Usage of CloudTrail System Manager test
Elastic Potential Process Injection from Malicious Document production building block
Elastic Potential Remote File Execution via MSIEXEC production
Kusto Power Apps - Bulk sharing of Power Apps to newly created guest users available
Kusto Power Apps - Multiple users access a malicious link after launching new app available
Kusto Preview - TI map Email entity to Cloud App Events
Splunk Process Creating LNK file in Suspicious Location production
Panther Proofpoint Active Threat Campaign Detected Experimental
Panther Proofpoint High Impostor Score Detected Experimental
Panther Proofpoint Malware Detected Experimental
Panther Proofpoint Multiple Threats Detected Experimental
Panther Proofpoint Phishing Email Detected Experimental
Panther Proofpoint Virus Detected Experimental
Kusto ProofpointPOD - High risk message not discarded available
Kusto ProofpointPOD - Suspicious attachment available
Sigma Rapid creation of clients with the dynamic client registration endpoint experimental
Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
Splunk RDP File Written by Outlook (Sysmon)
Splunk RDP File Written by Outlook (Windows Event Log)
Kusto RecordedFuture Threat Hunting Domain All Actors
Kusto Red Sift - Email with URL to previously unseen domain available
Kusto Red Sift - New email with URL from previously unseen sender available
Kusto Red Sift - New email with URL from previously unseen source available
Elastic Remote Desktop File Opened from Suspicious Path production
Elastic Remote XSL Script Execution via COM production
Panther Spam Email Surge Experimental
Kusto Stale last password change available
Kusto Star Blizzard C2 Domains August 2022
Sigma Suspicious Double Extension File Execution stable
Splunk Suspicious Email Attachment Extensions experimental
Sigma Suspicious Email Delivered In Microsoft 365 experimental
Elastic Suspicious Execution from INET Cache production
Sigma Suspicious Execution From Outlook Temporary Folder test
Sigma Suspicious Execution via macOS Script Editor test
Elastic Suspicious Execution via Microsoft Office Add-Ins production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious External WebDAV Execution test
Sigma Suspicious File Created in Outlook Temporary Directory experimental
Sigma Suspicious HH.EXE Execution test
Elastic Suspicious HTML File Creation production
Sigma Suspicious HWP Sub Processes test
Elastic Suspicious macOS MS Office Child Process production
Sigma Suspicious Microsoft OneNote Child Process test
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Kusto Suspicious MSC File Launched
Kusto Suspicious parentprocess relationship - Office child processes. available
Elastic Suspicious PDF Reader Child Process production
Kusto T1566.002 Spearphishing Link - Rare URL Clicks
Kusto TI map Domain entity to EmailEvents
Kusto TI map Domain entity to EmailEvents
Kusto TI map Domain entity to EmailUrlInfo
Kusto TI map Domain entity to EmailUrlInfo
Kusto TI map Email entity to AzureActivity
Kusto TI map Email entity to AzureActivity
Kusto TI map Email entity to Cloud App Events
Kusto TI map Email entity to EmailEvents
Kusto TI map Email entity to EmailEvents
Kusto TI map Email entity to OfficeActivity
Kusto TI map Email entity to OfficeActivity
Kusto TI map Email entity to PaloAlto CommonSecurityLog
Kusto TI map Email entity to PaloAlto CommonSecurityLog
Kusto TI map Email entity to SecurityAlert
Kusto TI map Email entity to SecurityAlert
Kusto TI map Email entity to SecurityEvent
Kusto TI map Email entity to SecurityEvent
Kusto TI map Email entity to SigninLogs
Kusto TI map Email entity to SigninLogs
Kusto Trend Micro CAS - Infected user available
Kusto Trend Micro CAS - Multiple infected users available
Kusto Trend Micro CAS - Possible phishing mail available
Kusto Trend Micro CAS - Suspicious filename available
Kusto Trend Micro CAS - Unexpected file on file share available
Kusto Trend Micro CAS - Unexpected file via mail available
Elastic Unusual DNS Activity production
Elastic Unusual Execution via Microsoft Common Console File production
Elastic Unusual Network Destination Domain Name production
Sigma Ursnif Malware C2 URL Pattern stable
Kusto User Accessed Suspicious URL Categories available
Kusto Valimail Enforce - DMARC Policy Weakened to None available
Kusto Votiro - File Blocked in Email
Kusto VTI - High Severity Domain Collision Detection
Sigma WebDAV Temporary Local File Creation test
Kusto Website blocked by ESET
Splunk Windows CAB File on Disk production
Splunk Windows Defender ASR Audit Events production
Splunk Windows Defender ASR Block Events production
Splunk Windows Defender ASR Rules Stacking production
Splunk Windows InProcServer32 New Outlook Form production
Splunk Windows ISO LNK File Creation production
Splunk Windows Office Product Dropped Cab or Inf File production
Splunk Windows Office Product Dropped Uncommon File production
Splunk Windows Office Product Loaded MSHTML Module production
Splunk Windows Office Product Loading Taskschd DLL production
Splunk Windows Office Product Loading VBE7 DLL production
Splunk Windows Office Product Spawned Child Process For Download production
Splunk Windows Office Product Spawned Control production
Splunk Windows Office Product Spawned MSDT production
Splunk Windows Office Product Spawned Rundll32 With No DLL production
Splunk Windows Office Product Spawned Uncommon Process production
Splunk Windows Phishing Outlook Drop Dll In FORM Dir production
Splunk Windows Phishing PDF File Executes URL Link production
Splunk Windows Phishing Recent ISO Exec Registry production
Sigma Windows Registry Trust Record Modification test
Elastic Windows Script Executing PowerShell production
Elastic Windows Script Interpreter Executing Process via WMI production
Splunk Windows Spearphishing Attachment Connect To None MS Office Domain production
Splunk Windows Spearphishing Attachment Onenote Spawn Mshta production
Splunk Windows Universal Data Link File Creation production
Splunk Zscaler Adware Activities Threat Blocked production
Splunk Zscaler Behavior Analysis Threat Blocked production
Splunk Zscaler CryptoMiner Downloaded Threat Blocked production
Splunk Zscaler Employment Search Web Activity production
Splunk Zscaler Exploit Threat Blocked production
Splunk Zscaler Legal Liability Threat Blocked production
Splunk Zscaler Malware Activity Threat Blocked production
Splunk Zscaler Phishing Activity Threat Blocked production
Splunk Zscaler Potentially Abused File Download production
Splunk Zscaler Privacy Risk Destinations Threat Blocked production
Splunk Zscaler Scam Destinations Threat Blocked production
Splunk Zscaler Virus Download threat blocked production

Phishing: Spearphishing Attachment T1566.001 94 rules

Kusto Acronis - Multiple Inboxes with Malicious Content Detected
Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms test
Elastic Creation of SettingContent-ms Files production building block
Elastic Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish production
Splunk Detect Outlook exe writing a zip file production
Sigma Disk Image Mounting Via Hdiutil - MacOS test
Elastic Downloaded Shortcut Files production
Elastic Downloaded URL Files production
Sigma Droppers Exploiting CVE-2017-11882 stable
Splunk Email Attachments With Lots Of Spaces experimental
Elastic Execution of File Written or Modified by Microsoft Office production
Sigma Exploit for CVE-2017-0261 test
Sigma Exploit for CVE-2017-8759 test
Elastic File with Suspicious Extension Downloaded production building block
Panther Gmail Potential Spoofed Email Delivered
Panther Gsuite Attachments Downloaded from Spam Email
Splunk GSuite Email Suspicious Attachment production
Splunk Gsuite Email Suspicious Subject With Attachment production
Splunk Gsuite Email With Known Abuse Web Service Link production
Splunk Gsuite Suspicious Shared File Name experimental
Sigma HTML File Opened From Download Folder experimental
Sigma HTML Help HH.EXE Suspicious Child Process test
Sigma ISO File Created Within Temp Folders test
Sigma ISO Image Mounted test
Sigma ISO or Image Mount Indicator in Recent Files test
Elastic M365 Quarantine and Hygiene Signal production building block
Elastic M365 Threat Intelligence Signal production building block
Splunk Malicious Document Execution (Sysmon)
Splunk Malicious Document Execution (Windows Event Log)
Panther Malware Detected in Email
Elastic Network Traffic to Rare Destination Country production
Splunk O365 Email Reported By Admin Found Malicious production
Splunk O365 Email Reported By User Found Malicious production
Splunk O365 Safe Links Detection production
Splunk O365 Threat Intelligence Suspicious Email Delivered production
Splunk O365 ZAP Activity Detection production
Sigma Office Macro File Creation test
Sigma Office Macro File Creation From Suspicious Process test
Sigma Office Macro File Download test
Sigma Password Protected ZIP File Opened (Email Attachment) test
Elastic Potential CVE-2025-33053 Exploitation production
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Fake CAPTCHA Phishing Attack production
Elastic Potential Foxmail Exploitation production
Sigma Potential Initial Access via DLL Search Order Hijacking test
Elastic Potential Process Injection from Malicious Document production building block
Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
Splunk RDP File Written by Outlook (Sysmon)
Splunk RDP File Written by Outlook (Windows Event Log)
Elastic Remote Desktop File Opened from Suspicious Path production
Panther Slack Potentially Malicious File Shared
Sigma Suspicious Double Extension File Execution stable
Splunk Suspicious Email Attachment Extensions experimental
Sigma Suspicious Email Delivered In Microsoft 365 experimental
Elastic Suspicious Execution from INET Cache production
Sigma Suspicious Execution From Outlook Temporary Folder test
Elastic Suspicious Execution via Microsoft Office Add-Ins production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious File Created in Outlook Temporary Directory experimental
Sigma Suspicious HH.EXE Execution test
Elastic Suspicious HTML File Creation production
Sigma Suspicious HWP Sub Processes test
Elastic Suspicious macOS MS Office Child Process production
Sigma Suspicious Microsoft OneNote Child Process test
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious PDF Reader Child Process production
Elastic Unusual Execution via Microsoft Common Console File production
Elastic Unusual Network Destination Domain Name production
Sigma Ursnif Malware C2 URL Pattern stable
Splunk Windows CAB File on Disk production
Splunk Windows Defender ASR Audit Events production
Splunk Windows Defender ASR Block Events production
Splunk Windows Defender ASR Rules Stacking production
Splunk Windows ISO LNK File Creation production
Splunk Windows Office Product Dropped Cab or Inf File production
Splunk Windows Office Product Dropped Uncommon File production
Splunk Windows Office Product Loaded MSHTML Module production
Splunk Windows Office Product Loading Taskschd DLL production
Splunk Windows Office Product Loading VBE7 DLL production
Splunk Windows Office Product Spawned Child Process For Download production
Splunk Windows Office Product Spawned Control production
Splunk Windows Office Product Spawned MSDT production
Splunk Windows Office Product Spawned Rundll32 With No DLL production
Splunk Windows Office Product Spawned Uncommon Process production
Splunk Windows Phishing PDF File Executes URL Link production
Splunk Windows Phishing Recent ISO Exec Registry production
Sigma Windows Registry Trust Record Modification test
Elastic Windows Script Executing PowerShell production
Elastic Windows Script Interpreter Executing Process via WMI production
Splunk Windows Spearphishing Attachment Connect To None MS Office Domain production
Splunk Windows Spearphishing Attachment Onenote Spawn Mshta production
Splunk Windows Universal Data Link File Creation production

Phishing: Spearphishing Link T1566.002 57 rules

Kusto Acronis - Multiple Inboxes with Malicious Content Detected
Splunk Azure AD Device Code Authentication production
Panther Azure Device Code Authentication with Broker Client
YARA-L Chrome Browser Safe Browsing User Bypass
Elastic Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish production
Kusto Detect external user sending suspicious link to multiple users
Kusto Detect Malicious Teams Message
Elastic Downloaded Shortcut Files production
Elastic Downloaded URL Files production
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID Illicit Consent Grant via Registered Application production
Elastic Entra ID Kali365 Default User-Agent Detected production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Execution of File Written or Modified by Microsoft Office production
Elastic File with Suspicious Extension Downloaded production building block
Panther Gmail Potential Spoofed Email Delivered
Elastic Google Workspace Device Registration After OAuth from Suspicious ASN production
Elastic Google Workspace Object Copied to External Drive with App Consent production
Panther Gsuite Link Clicked in Spam Email
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Elastic M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Quarantine and Hygiene Signal production building block
Elastic M365 Threat Intelligence Signal production building block
Elastic Network Traffic to Rare Destination Country production
Splunk O365 Email Reported By Admin Found Malicious production
Splunk O365 Email Reported By User Found Malicious production
Splunk O365 Threat Intelligence Suspicious Email Delivered production
Splunk O365 ZAP Activity Detection production
Kusto Office ASR rule triggered from browser spawned office process. available
Elastic Okta FastPass Phishing Detection production
Elastic Potential CVE-2025-33053 Exploitation production
Elastic Potential Execution via FileFix Phishing Attack production
Sigma Potential Malicious Usage of CloudTrail System Manager test
Elastic Potential Remote File Execution via MSIEXEC production
Splunk Process Creating LNK file in Suspicious Location production
Elastic Remote XSL Script Execution via COM production
Sigma Suspicious Email Delivered In Microsoft 365 experimental
Sigma Suspicious Execution via macOS Script Editor test
Elastic Suspicious Explorer Child Process production
Elastic Suspicious HTML File Creation production
Kusto Suspicious parentprocess relationship - Office child processes. available
Kusto T1566.002 Spearphishing Link - Rare URL Clicks
Elastic Unusual Execution via Microsoft Common Console File production
Elastic Unusual Network Destination Domain Name production
Splunk Windows Defender ASR Audit Events production
Splunk Windows Defender ASR Block Events production
Splunk Windows Defender ASR Rules Stacking production

Phishing: Spearphishing via Service T1566.003 1 rule

Elastic M365 Azure Monitor Alert Email with Financial or Billing Theme production

Content Injection T1659 4 rules

Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available

No specific technique 29 rules

Sigma .Class Extension URI Ending Request test
Sigma Cisco Duo Successful MFA Authentication Via Bypass Code test
Kusto Cisco Umbrella - Request Allowed to harmful/malicious URI category
Kusto Cisco Umbrella - Request to blocklisted file type
Sigma CVE-2023-23397 Exploitation Attempt test
Sigma CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection test
Sigma CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security test
Sigma CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation test
Sigma Exploitation Indicator Of CVE-2022-42475 test
Sigma Exploitation Indicators Of CVE-2023-20198 test
Sigma Failed Console Login test
Panther GitHub User Added to Org Moderators
YARA-L Google Cloud identity low and medium alert escalation
Sigma HTTP Request to Low Reputation TLD or Suspicious File Extension experimental
Elastic M365 Purview Security Compliance Signal production building block
Sigma Many Failed Logins test
Sigma New AWS Lambda Function URL Configuration Created experimental
Sigma Potential CVE-2023-25157 Exploitation Attempt test
Sigma Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection test
Kusto Radiflow - Platform Alert available
Sigma Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate test
Sigma Shell Process Spawned by Java.EXE test
Kusto Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint)
Kusto Spearphishing Attachment: ISO Images (Microsoft Sentinel)
Sigma Successful Exchange ProxyShell Attack test
Sigma Successful Logins and Signups from Flagged IPs experimental
Sigma Suspicious Child Process Of Veeam Dabatase test
Sigma Suspicious Processes Spawned by Java.EXE test
Sigma Suspicious Shells Spawn by Java Utility Keytool test

Execution

Windows Management Instrumentation T1047 117 rules

Sigma Application Removed Via Wmic.EXE test
Sigma Application Terminated Via Wmic.EXE test
Sigma Blue Mockingbird test
Sigma Blue Mockingbird - Registry test
Sigma Computer System Reconnaissance Via Wmic.EXE test
Elastic Delayed Execution via Ping production
Elastic Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM production building block
Elastic Enumeration Command Spawned via WMIPrvSE production
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - Potential Impacket Lateral Movement Activity stable
Sigma Hardware Model Reconnaissance Via Wmic.EXE test
Sigma HTML Help HH.EXE Suspicious Child Process test
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
YARA-L Impacket WMIExec CISA Report
Sigma Impacket WMIexec process execution experimental
Splunk Impacket_Empire's WMIExec (Windows Event Log)
Elastic Microsoft Build Engine Started by a System Process production
Sigma MITRE BZAR Indicators for Execution test
Elastic Mofcomp Activity production
Sigma New Process Created Via Wmic.EXE test
Sigma Password Set to Never Expire via WMI experimental
Elastic Persistence via WMI Event Subscription production
Elastic Persistence via WMI Standard Registry Provider production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential Maze Ransomware Activity test
Sigma Potential Product Class Reconnaissance Via Wmic.EXE test
Sigma Potential Product Reconnaissance Via Wmic.EXE test
Sigma Potential Remote SquiblyTwo Technique Execution test
Sigma Potential Unquoted Service Path Reconnaissance Via Wmic.EXE test
Sigma Potential Windows Defender Tampering Via Wmic.EXE test
Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk PowerShell Invoke CIMMethod CIMSession production
Splunk PowerShell Invoke WmiExec Usage production
Splunk Process Execution via WMI production
Sigma Process Reconnaissance Via Wmic.EXE test
Sigma PSExec and WMI Process Creations Block test
Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental
Sigma Registry Manipulation via WMI Stdregprov experimental
Sigma Remote DCOM/WMI Lateral Movement test
Splunk Remote Process Instantiation via WMI production
Splunk Remote Process Instantiation via WMI and PowerShell production
Splunk Remote Process Instantiation via WMI and PowerShell Script Block production
Splunk Remote WMI Command Attempt production
Splunk Remote WMIC Query (PowerShell)
Splunk Remote WMIC Query (Windows Event Log)
Sigma Script Event Consumer Spawning Process test
Splunk Script Execution via WMI production
Elastic Security Software Discovery using WMIC production building block
Elastic Service Control Spawned via Script Interpreter production
Sigma Service Reconnaissance Via Wmic.EXE test
Sigma Service Started/Stopped Via Wmic.EXE test
Sigma Service Startup Type Change Via Wmic.EXE experimental
Sigma Successful Account Login Via WMI stable
Elastic Suspicious .NET Code Compilation production
Sigma Suspicious Autorun Registry Modified via WMI experimental
Elastic Suspicious Cmd Execution via WMI production
Sigma Suspicious Encoded Scripts in a WMI Consumer test
Elastic Suspicious Execution from a Mounted Device production
Sigma Suspicious HH.EXE Execution test
Elastic Suspicious Managed Code Hosting Process production
Sigma Suspicious Microsoft Office Child Process test
Sigma Suspicious Process Created Via Wmic.EXE test
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious WMI Image Load from MS Office production
Sigma Suspicious WMIC Execution Via Office Process test
Elastic Suspicious WMIC XSL Script Execution production
Sigma Suspicious WmiPrvSE Child Process test
Sigma System Disk And Volume Reconnaissance Via Wmic.EXE test
Splunk System Enumeration with WMIC (Sysmon)
Splunk System Enumeration with WMIC (Windows Event Log)
Sigma T1047 Wmiprvse Wbemcomn DLL Hijack test
Sigma UNC2452 PowerShell Pattern test
Elastic Volume Shadow Copy Deletion via PowerShell production
Elastic Volume Shadow Copy Deletion via WMIC production
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Sigma Windows Hotfix Updates Reconnaissance Via Wmic.EXE test
Elastic Windows Script Interpreter Executing Process via WMI production
Elastic Windows System Information Discovery production building block
Splunk Windows WinRAR Launched Outside Default Installation Directory production
Splunk Windows WMI Impersonate Token production
Splunk Windows WMI Process And Service List production
Splunk Windows WMI Process Call Create production
Splunk Windows WMI Reconnaissance Class Query production
Splunk WinRM Tools (PowerShell)
Splunk WinRM Tools (Sysmon)
Splunk WinRM Tools (Windows Event Log)
Sigma WMI Event Consumer Created Named Pipe test
Elastic WMI Incoming Lateral Movement production
Sigma WMI module loaded by suspicious process experimental
Sigma WMI Module Loaded By Uncommon Process test
Splunk WMI Permanent Event Subscription experimental
Sigma WMI spwaning PowerShell process - WMImplant experimental
Splunk WMI subscription execution (Sysmon)
Splunk WMI subscription execution (Windows Event Log)
Splunk WMI Temporary Event Subscription experimental
Elastic WMI WBEMTEST Utility Execution production building block
Splunk WMIC Explicit Credentials (Sysmon)
Splunk WMIC Explicit Credentials (Windows Event Log)
Splunk WMIC Host Reconniassance (PowerShell)
Splunk WMIC Host Reconniassance (Sysmon)
Splunk WMIC Host Reconniassance (Windows Event Log)
Elastic WMIC Remote Command production building block
Sigma WMIC Remote Command Execution test
Sigma WMIC Unquoted Services Path Lookup - PowerShell test
Sigma Wmiexec Default Output File test
Sigma WMImplant Hack Tool test
Splunk Wmiprvse LOLBAS Execution Process Spawn production
Sigma WmiPrvSE Spawned A Process stable
Splunk WmiPrvSE Suspicious Child Process (Sysmon)
Splunk WmiPrvSE Suspicious Child Process (Windows Event Log)
Sigma Wmiprvse Wbemcomn DLL Hijack test
Sigma Wmiprvse Wbemcomn DLL Hijack - File test
Sigma XSL Script Execution Via WMIC.EXE test

Scheduled Task/Job T1053 197 rules

Elastic A scheduled task was created production
Elastic At Job Created or Modified production
Elastic At.exe Command Lateral Movement production building block
Kusto AV detections related to Tarrask malware available
Elastic Azure Automation Runbook Created or Modified production
Sigma Azure Kubernetes CronJob test
Sigma ChromeLoader Malware Execution test
Splunk Cisco Isovalent - Cron Job Creation production
Sigma Cisco Modify Configuration test
Splunk Cisco Secure Firewall - Wget or Curl Download production
Splunk Create_Modify Schtasks (PowerShell)
Splunk Create_Modify Schtasks (Sysmon)
Splunk Create_Modify Schtasks (Windows Event Log)
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Kusto Critical Risks available
Elastic Cron Job Created or Modified production
Sigma Defrag Deactivation test
Sigma Defrag Deactivation - Security test
Kusto Detect Rare scheduled task created
Kusto Detect Unsigned executable launch from scheduled task
Sigma Diamond Sleet APT Scheduled Task Creation test
Elastic Executable Bit Set for Potential Persistence Script production
Sigma Fortinet APT group abuse on Windows (task) experimental
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Sigma HackTool - SharPersist Execution test
Sigma HAFNIUM Exchange Exploitation Activity test
Splunk Hidden Scheduled Task Created - Windows (Windows Event Log)
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Important Scheduled Task Deleted/Disabled test
Sigma Interactive AT Job test
Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
Sigma Kapeka Backdoor Persistence Activity test
Sigma Kapeka Backdoor Scheduled Task Creation test
Splunk Kubernetes Cron Job Creation production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production
Splunk Linux Add Files In Known Crontab Directories production
Splunk Linux Adding Crontab Using List Parameter production
Splunk Linux At Allow Config File Creation production
Splunk Linux At Application Execution production
Splunk Linux Auditd At Application Execution production
Splunk Linux Auditd Edit Cron Table Parameter production
Splunk Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
Splunk Linux Auditd Service Restarted production
Splunk Linux Edit Cron Table Parameter production
Splunk Linux Possible Append Command To At Allow Config File production
Splunk Linux Possible Append Cronjob Entry on Existing Cronjob File production
Splunk Linux Possible Cronjob Modification With Editor production
Splunk Linux Service File Created In Systemd Directory production
Splunk Linux Service Restarted production
Splunk Linux Service Started Or Enabled production
Elastic Local Scheduled Task Creation production
Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
Kusto Mimecast Secure Email Gateway - AV available
Kusto Mimecast Secure Email Gateway - AV
Kusto Mimecast Secure Email Gateway - Virus available
Kusto Mimecast Secure Email Gateway - Virus
YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
Sigma MITRE BZAR Indicators for Execution test
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Modifying Crontab test
Kusto New Agent Added to Pool by New User or Added to a New OS Type available
Sigma New Cron File Created experimental
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Kusto Pathlock TDnR - SAP Batch Job Events available
Kusto Pathlock TDnR - SAP System Job Monitoring Events available
Sigma Persistence and Execution at Scale via GPO Scheduled Task test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Scheduled Job Creation production
Kusto Persistence Via Scheduled Tasks
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Elastic Pod or Container Creation with Suspicious Command-Line production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential ACTINIUM Persistence Activity test
Sigma Potential BearLPE Exploitation test
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
Elastic Potential Persistence via Periodic Tasks production
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
Sigma Powershell Create Scheduled Task test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Root Crontab File Modification production
Splunk Randomly Generated Scheduled Task Name experimental
Splunk Rare Schedule Task Created (Windows Event Log)
Splunk Rare Scheduled Task (Windows Event Log)
Sigma Remote schedule task creation via named pipes (ATexec) experimental
Sigma Remote Schedule Task Lateral Movement via ATSvc test
Sigma Remote Schedule Task Lateral Movement via ITaskSchedulerService test
Sigma Remote Schedule Task Lateral Movement via SASec test
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Remote Task Creation via ATSVC Named Pipe test
Sigma Remote Task Creation via ATSVC Named Pipe - Zeek test
Sigma Renamed Schtasks Execution experimental
Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
Splunk Schedule Task with HTTP Command Arguments production
Splunk Schedule Task with Rundll32 Command Trigger production
Sigma Scheduled Cron Task/Job - Linux test
Sigma Scheduled Cron Task/Job - MacOs test
Sigma Scheduled persistent task with SYSTEM privileges creation experimental
Sigma Scheduled Task Created - FileCreation test
Sigma Scheduled Task Created - Registry test
Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Splunk Scheduled Task Creation on Remote Endpoint using At production
Sigma Scheduled Task Creation Via Schtasks.EXE test
Sigma Scheduled task creation with command line experimental
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Splunk Scheduled Task Deleted Or Created via CMD production
Sigma Scheduled Task Deletion test
Sigma Scheduled Task Executed From A Suspicious Location test
Sigma Scheduled Task Executed Uncommon LOLBIN test
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic Scheduled Task Execution at Scale via GPO production
Splunk Scheduled Task Initiation on Remote Endpoint production
Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
Sigma Scheduled Task/Job At stable
Sigma Scheduled TaskCache Change by Uncommon Program test
Elastic Scheduled Tasks AT Command Enabled production
Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
Sigma Schtasks From Suspicious Folders test
Splunk Schtasks Run Task On Demand production
Splunk Schtasks scheduling job on remote system production
Splunk Schtasks used for forcing a reboot production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Splunk Short Lived Scheduled Task production
Sigma Suspicious Command Patterns In Scheduled Task Creation test
Panther Suspicious cron detected
Elastic Suspicious CronTab Creation or Modification production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution via Scheduled Task production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Sigma Suspicious Modification Of Scheduled Tasks test
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Sigma Suspicious Scheduled Task Creation test
Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Splunk Suspicious Scheduled Task from Public Directory production
Sigma Suspicious Scheduled Task Name As GUID test
Sigma Suspicious Scheduled Task Update test
Sigma Suspicious Scheduled Task Write to System32 Tasks test
Sigma Suspicious Schtasks Execution AppData Folder test
Sigma Suspicious Schtasks Schedule Type With High Privileges test
Sigma Suspicious Schtasks Schedule Types test
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Svchost LOLBAS Execution Process Spawn production
Elastic Systemd Timer Created production
Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
Panther Teleport Scheduled Jobs
Elastic Temporarily Scheduled Task Creation production
Sigma Triple Cross eBPF Rootkit Default Persistence test
Sigma Turla Group Commands May 2020 test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma Uncommon One Time Only Scheduled Task At 00:00 test
Elastic Unusual Scheduled Task Update production
Kusto Vulerabilities available
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Enable Win32 ScheduledJob via Registry production
Splunk Windows Hidden Schedule Task Settings production
Splunk Windows Level RMM Watchdog Task Created production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows Registry Delete Task SD production
Splunk Windows Scheduled Task Created in a Group Policy Object production
Splunk Windows Scheduled Task Created Via XML production
Splunk Windows Scheduled Task DLL Module Loaded production
Splunk Windows Scheduled Task Service Spawned Shell production
Splunk Windows Scheduled Task with Highest Privileges production
Splunk Windows Scheduled Task with Suspicious Command production
Splunk Windows Scheduled Task with Suspicious Name production
Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr production
Splunk Windows Schtasks Create Run As System production
Splunk WinEvent Scheduled Task Created to Spawn Shell production
Splunk WinEvent Scheduled Task Created Within Public Path production
Splunk WinEvent Windows Task Scheduler Event Action Started production

Scheduled Task/Job: At T1053.002 18 rules

Elastic At Job Created or Modified production
Elastic At.exe Command Lateral Movement production building block
Sigma Interactive AT Job test
Splunk Linux At Application Execution production
Splunk Linux Auditd At Application Execution production
Splunk Linux Possible Append Command To At Allow Config File production
Sigma MITRE BZAR Indicators for Execution test
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Sigma Remote Schedule Task Lateral Movement via ATSvc test
Sigma Remote Schedule Task Lateral Movement via ITaskSchedulerService test
Sigma Remote Schedule Task Lateral Movement via SASec test
Sigma Remote Task Creation via ATSVC Named Pipe test
Sigma Remote Task Creation via ATSVC Named Pipe - Zeek test
Splunk Scheduled Task Creation on Remote Endpoint using At production
Sigma Scheduled Task/Job At stable
Elastic Scheduled Tasks AT Command Enabled production

Scheduled Task/Job: Cron T1053.003 29 rules

Sigma Azure Kubernetes CronJob test
Splunk Cisco Isovalent - Cron Job Creation production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Elastic Cron Job Created or Modified production
Elastic Executable Bit Set for Potential Persistence Script production
Panther GCP GKE Kubernetes Cron Job Created Or Modified
Panther Kubernetes CronJob Created or Modified Experimental
Splunk Linux Add Files In Known Crontab Directories production
Splunk Linux Adding Crontab Using List Parameter production
Splunk Linux At Allow Config File Creation production
Splunk Linux Auditd Edit Cron Table Parameter production
Splunk Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
Splunk Linux Edit Cron Table Parameter production
Splunk Linux Possible Append Cronjob Entry on Existing Cronjob File production
Splunk Linux Possible Cronjob Modification With Editor production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Modifying Crontab test
Sigma New Cron File Created experimental
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Periodic Tasks production
Elastic Privilege Escalation via Root Crontab File Modification production
Sigma Scheduled Cron Task/Job - Linux test
Sigma Scheduled Cron Task/Job - MacOs test
Elastic Suspicious CronTab Creation or Modification production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Sigma Triple Cross eBPF Rootkit Default Persistence test

Scheduled Task/Job: Scheduled Task T1053.005 118 rules

Elastic A scheduled task was created production
Elastic At.exe Command Lateral Movement production building block
Panther Azure Automation Schedule Created or Modified
Sigma ChromeLoader Malware Execution test
Splunk Create_Modify Schtasks (PowerShell)
Splunk Create_Modify Schtasks (Sysmon)
Splunk Create_Modify Schtasks (Windows Event Log)
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Sigma Defrag Deactivation test
Kusto Detect Rare scheduled task created
Kusto Detect Unsigned executable launch from scheduled task
Sigma Diamond Sleet APT Scheduled Task Creation test
Sigma Fortinet APT group abuse on Windows (task) experimental
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Important Scheduled Task Deleted/Disabled test
Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
Sigma Kapeka Backdoor Persistence Activity test
Sigma Kapeka Backdoor Scheduled Task Creation test
Elastic Local Scheduled Task Creation production
Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Sigma Persistence and Execution at Scale via GPO Scheduled Task test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Scheduled Job Creation production
Kusto Persistence Via Scheduled Tasks
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential ACTINIUM Persistence Activity test
Sigma Potential BearLPE Exploitation test
Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
Sigma Powershell Create Scheduled Task test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Randomly Generated Scheduled Task Name experimental
Splunk Rare Schedule Task Created (Windows Event Log)
Splunk Rare Scheduled Task (Windows Event Log)
Sigma Remote schedule task creation via named pipes (ATexec) experimental
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Renamed Schtasks Execution experimental
Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
Sigma Scheduled persistent task with SYSTEM privileges creation experimental
Sigma Scheduled Task Created - FileCreation test
Sigma Scheduled Task Created - Registry test
Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Sigma Scheduled Task Creation Via Schtasks.EXE test
Sigma Scheduled task creation with command line experimental
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Splunk Scheduled Task Deleted Or Created via CMD production
Sigma Scheduled Task Deletion test
Sigma Scheduled Task Executed From A Suspicious Location test
Sigma Scheduled Task Executed Uncommon LOLBIN test
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic Scheduled Task Execution at Scale via GPO production
Splunk Scheduled Task Initiation on Remote Endpoint production
Sigma Scheduled TaskCache Change by Uncommon Program test
Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
Sigma Schtasks From Suspicious Folders test
Splunk Schtasks scheduling job on remote system production
Splunk Schtasks used for forcing a reboot production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Splunk Short Lived Scheduled Task production
Sigma Suspicious Command Patterns In Scheduled Task Creation test
Elastic Suspicious Execution via Scheduled Task production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Sigma Suspicious Modification Of Scheduled Tasks test
Sigma Suspicious Scheduled Task Creation test
Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Splunk Suspicious Scheduled Task from Public Directory production
Sigma Suspicious Scheduled Task Name As GUID test
Sigma Suspicious Scheduled Task Update test
Sigma Suspicious Schtasks Execution AppData Folder test
Sigma Suspicious Schtasks Schedule Type With High Privileges test
Sigma Suspicious Schtasks Schedule Types test
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Svchost LOLBAS Execution Process Spawn production
Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
Elastic Temporarily Scheduled Task Creation production
Sigma Turla Group Commands May 2020 test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma Uncommon One Time Only Scheduled Task At 00:00 test
Elastic Unusual Scheduled Task Update production
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Enable Win32 ScheduledJob via Registry production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows Registry Delete Task SD production
Splunk Windows Scheduled Task Created in a Group Policy Object production
Splunk Windows Scheduled Task Created Via XML production
Splunk Windows Scheduled Task Service Spawned Shell production
Splunk Windows Scheduled Task with Highest Privileges production
Splunk Windows Scheduled Task with Suspicious Command production
Splunk Windows Scheduled Task with Suspicious Name production
Splunk Windows Schtasks Create Run As System production
Splunk WinEvent Scheduled Task Created to Spawn Shell production
Splunk WinEvent Scheduled Task Created Within Public Path production
Splunk WinEvent Windows Task Scheduler Event Action Started production

Scheduled Task/Job: Systemd Timers T1053.006 6 rules

Splunk Linux Auditd Service Restarted production
Splunk Linux Service File Created In Systemd Directory production
Splunk Linux Service Restarted production
Splunk Linux Service Started Or Enabled production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Systemd Timer Created production

Scheduled Task/Job: Container Orchestration Job T1053.007 4 rules

Splunk Cisco Isovalent - Cron Job Creation production
Splunk Kubernetes Cron Job Creation production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production

Command and Scripting Interpreter T1059 1092 rules

Splunk 1 or 2 Character Executable (Windows Event Log)
Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Kusto A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
Sigma Abusable DLL Potential Sideloading From Suspicious Location test
Sigma Add Insecure Download Source To Winget test
Sigma Add New Download Source To Winget test
Sigma Add Potential Suspicious New Download Source To Winget test
Sigma Adwind RAT / JRAT test
Sigma Adwind RAT / JRAT File Artifact test
Sigma Alternate PowerShell Hosts - PowerShell Module test
Sigma Alternate PowerShell Hosts Pipe test
Elastic Anomalous React Server Components Flight Data Patterns production building block
Elastic Anomalous Windows Process Creation production
Kusto ApexOne - Suspicious commandline arguments available
Kusto App Gateway WAF - SQLi Detection available
Elastic Apple Script Execution followed by Network Connection production
Elastic Apple Scripting Execution with Administrator Privileges production
Kusto Application Gateway WAF - SQLi Detection
Sigma AppLocker Prevented Application or Script from Running test
Sigma Atlassian Confluence CVE-2022-26134 test
Sigma Atomic MacOS Stealer - FileGrabber Activity experimental
Elastic Attempt to Install or Run Kali Linux via WSL production
Splunk AutoHotkey Execution (PowerShell)
Splunk AutoHotkey Execution (Sysmon)
Splunk AutoHotkey Execution (Windows Event Log)
Splunk AutoIt Execution (PowerShell)
Splunk AutoIt Execution (Sysmon)
Splunk AutoIt Execution (Windows Event Log)
Elastic AWS CloudShell Environment Created production
Elastic AWS EC2 LOLBin Execution via SSM SendCommand production
Panther AWS EC2 Startup Script Change
Sigma AWS EC2 Startup Shell Script Change test
Elastic AWS EC2 Stop, Start, and User Data Modification Correlation production
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Kusto AWS Security Hub - Detect SSM documents public sharing enabled available
Elastic AWS SSM `SendCommand` with Run Shell Command Parameters production
Elastic AWS SSM Session Manager Child Process Execution production
Panther AWS WAF Managed Known Bad Inputs Passthrough Rule
Panther AWS WAF ReactJS RCE Attempt via Body
Kusto AWSCloudTrail - EC2 Startup Shell Script Changed available
Sigma Axios NPM Compromise Indicators - Linux experimental
Sigma Axios NPM Compromise Indicators - macOS experimental
Sigma Axios NPM Compromise Indicators - Windows experimental
Panther Azure Automation Runbook Created or Modified
Kusto Azure Machine Learning Write Operations available
Sigma Azure New CloudShell Created test
Elastic Azure Run Command Correlated with Process Execution production
Elastic Azure Run Command Script Child Process production
Panther Azure Serverless Script Execution
Kusto Azure VM Run Command operations executing a unique PowerShell script
Sigma Bad Opsec Powershell Code Artifacts test
Elastic Base64 Decoded Payload Piped to Interpreter production
Sigma Base64 Encoded PowerShell Command Detected test
YARA-L Base64 Encoded PowerShell Command Detected
Kusto Base64 encoded Windows process command-lines available
Kusto Base64 encoded Windows process command-lines (Normalized Process Events)
Elastic Binary Content Copy via Cmd.exe production building block
Elastic Binary Executed from Shared Memory Directory production
Sigma BloodHound Collection Files test
Elastic Boot File Copy production
Elastic BPF filter applied using TC production
Sigma BPFDoor Abnormal Process ID or Lock File Accessed test
Sigma BPFtrace Unsafe Option Usage test
Kusto BTP - Cloud Integration artifact deployment available
Sigma bXOR Operator Usage In PowerShell Command Line - PowerShell Classic test
Splunk Bypass or Unrestricted PowerShell Execution (PowerShell)
Sigma Capsh Shell Invocation - Linux test
Sigma Certificate Exported Via PowerShell test
Sigma Change PowerShell Policies to an Insecure Level test
Sigma Change PowerShell Policies to an Insecure Level - PowerShell test
Sigma ChromeLoader Malware Execution test
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Kusto Cisco Cloud Security - Windows PowerShell User-Agent Detected available
Splunk Cisco IOS XE Guestshell Activation and Destroy production
Splunk Cisco IOS XE Request Platform Package Describe Shell Pattern production
Splunk Cisco NVM - Installation of Typosquatted Python Package production
Splunk Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI production
Splunk Cisco NVM - Susp Script From Archive Triggering Network Activity production
Splunk Cisco NVM - Suspicious File Download via Headless Browser production
Splunk Cisco Secure Firewall - Binary File Type Download production
Splunk Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Splunk Cisco Secure Firewall - High Volume of Intrusion Events Per Host production
Splunk Cisco Secure Firewall - Possibly Compromised Host experimental
Splunk Cisco Secure Firewall - Privileged Command Execution via HTTP production
Splunk Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Kusto CiscoISE - Command executed with the highest privileges from new IP available
Kusto CiscoISE - Command executed with the highest privileges by new user available
Elastic Clearing Windows Console History production
Sigma Clfs.SYS Loaded By Process Located In a Potential Suspicious Location experimental
Sigma Clipboard Access Via OSAScript test
Splunk CMD Carry Out String Command Parameter production
Splunk CMD Echo Pipe - Escalation production
Splunk CMD execution with _c (PowerShell)
Splunk CMD execution with _c (Sysmon)
Splunk CMD execution with _c (Windows Event Log)
Sigma Cmd.EXE Missing Space Characters Execution Anomaly test
Elastic Command and Scripting Interpreter via Windows Scripts production
Elastic Command Execution via SolarWinds Process production
Splunk Command Line .cmd Execution (Sysmon)
Splunk Command Line .cmd Execution (Windows Event Log)
Sigma Command Line Execution with Suspicious URL and AppData Strings test
Elastic Command Line Obfuscation via Whitespace Padding production
Splunk Command Line Spawned by Archive Utility - Windows (Sysmon)
Splunk Command Line Spawned by Archive Utility - Windows (Windows Event Log)
Splunk Command Line Utility Added to Accessibility Features (PowerShell)
Splunk Command Line Utility Added to Accessibility Features (Sysmon)
Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
Splunk Command Output Redirected to Localhost (Windows Event Log)
Elastic Command Shell Activity Started via RunDLL32 production
Splunk Command-Line Interface Execution (PowerShell)
Splunk Command-Line Interface Execution (Sysmon)
Splunk Command-Line Interface Execution (Windows Event Log)
Splunk Common Exchange Recon cmdlets (PowerShell)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Elastic Conhost Spawned By Suspicious Parent Process production
Sigma Conhost Spawned By Uncommon Parent Process test
Sigma Conhost.exe CommandLine Path Traversal test
Splunk Conhost.exe Kernel call (Sysmon)
Splunk Conhost.exe Kernel call (Windows Event Log)
Splunk Consent.exe Suspicious Child Process (Sysmon)
Splunk Consent.exe Suspicious Child Process (Windows Event Log)
Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine test
YARA-L ConvertTo-SecureString Cmdlet Usage Via CommandLine
Elastic Creation of Hidden Login Item via Apple Script production
Kusto Critical Risks available
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Panther Crowdstrike Reverse Shell Tool Executed
Splunk CrushFTP Authentication Bypass Exploitation production
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Sigma Cscript/Wscript Uncommon Script Extension Execution test
Elastic Cupsd or Foomatic-rip Shell Execution production
Elastic Curl Execution via Shell Profile production
Elastic Curl or Wget Egress Network Connection via LoLBin production
Sigma CVE-2022-24527 Microsoft Connected Cache LPE test
Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) test
Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) test
Sigma DarkGate - Autoit3.EXE Execution Parameters test
Sigma DarkGate - Autoit3.EXE File Creation By Uncommon Process test
Sigma DarkGate - Drop DarkGate Loader In C:\Temp Directory test
Panther Databricks Global Init Script Changes Experimental
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Kusto Deimos Component Execution available
Elastic Delayed Execution via Ping production
Elastic Deprecated - EggShell Backdoor Execution production
Elastic Deprecated - Microsoft Exchange Transport Agent Install Script production building block
Elastic Deprecated - Potential PowerShell Obfuscated Script production
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM production building block
Elastic Deprecated - Uncommon Destination Port Connection by Web Server production
Elastic Deprecated - Unusual Command Execution from Web Server Parent production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Splunk Detect Certify With PowerShell Script Block Logging production
Splunk Detect Empire with PowerShell Script Block Logging production
Kusto Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available
Splunk Detect Mimikatz With PowerShell Script Block Logging production
Splunk Detect Outbound LDAP Traffic production
Kusto Detect port misuse by anomaly based detection (ASIM Network Session schema) available
Kusto Detect port misuse by static threshold (ASIM Network Session schema) available
Splunk Detect Prohibited Applications Spawning cmd exe production
Kusto Detect Suspicious Commands Initiated by Webserver Processes available
Splunk Detect Use of cmd exe to Launch Script Interpreters production
Sigma Detection of PowerShell Execution via Sqlps.exe test
Elastic Direct Interactive Kubernetes API Request by Common Utilities production
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Elastic Direct Interactive Kubernetes API Request Detected via Defend for Containers production
Elastic Disabling Windows Defender Security Settings via PowerShell production
Sigma DNS Query by Finger Utility experimental
Kusto Doppelpaymer Stop Services available
Elastic Dracut Module Creation production
Sigma DSInternals Suspicious PowerShell Cmdlets test
Sigma DSInternals Suspicious PowerShell Cmdlets - ScriptBlock test
Elastic Dynamic IEX Reconstruction via Method String Access production
Elastic Dynamic Linker (ld.so) Creation production
Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Attack detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available
Elastic Egress Connection from Entrypoint in Container production
Sigma Elevated System Shell Spawned test
Sigma Elevated System Shell Spawned From Uncommon Parent Location test
Sigma Elise Backdoor Activity test
Sigma Emotet Loader Execution Via .LNK File test
Elastic Encoded Payload Detected via Defend for Containers production
Splunk Encoded Powershell Command (PowerShell)
Splunk Encoded Powershell Command (Sysmon)
Splunk Encoded Powershell Command (Windows Event Log)
Sigma Encoded PowerShell payload deployed (PowerShell) experimental
Sigma Encoded PowerShell payload deployed via process execution experimental
Elastic Entra ID PowerShell Sign-in production
Sigma Equation Group Indicators test
Sigma ESXi Account Creation Via ESXCLI test
Sigma ESXi Admin Permission Assigned To Account Via ESXCLI test
Sigma ESXi Network Configuration Discovery Via ESXCLI test
Splunk ESXi Reverse Shell Patterns production
Sigma ESXi Storage Information Discovery Via ESXCLI test
Sigma ESXi Syslog Configuration Change Via ESXCLI test
Sigma ESXi System Information Discovery Via ESXCLI test
Sigma ESXi VM Kill Via ESXCLI test
Sigma ESXi VM List Discovery Via ESXCLI test
Sigma ESXi VSAN Information Discovery Via ESXCLI test
Splunk Excessive distinct processes from Windows Temp production
Splunk Excessive number of taskhost processes production
Splunk Exchange PowerShell Module Usage production
Sigma Exchange PowerShell Snap-Ins Usage test
Kusto Exchange Worker Process Making Remote Call
Splunk Executable Create Script Process (PowerShell)
Splunk Executable Create Script Process (Sysmon)
Splunk Executable Create Script Process (Windows Event Log)
Splunk Executable Process from Suspicious Folder (PowerShell)
Splunk Executable Process from Suspicious Folder (Sysmon)
Splunk Executable Process from Suspicious Folder (Windows Event Log)
Sigma Execute Code with Pester.bat test
Sigma Execute Code with Pester.bat as Parent test
Splunk Execute Javascript With Jscript COM CLSID production
Kusto Execution attempts stateful anomaly on database available
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of a Downloaded Windows Script production
Elastic Execution of Persistent Suspicious Program production
Sigma Execution of Powershell Script in Public Folder test
Elastic Execution via Electron Child Process Node.js Module production
Elastic Execution via GitHub Actions Runner production
Elastic Execution via MS VisualStudio Pre/Post Build Events production building block
Elastic Execution via MSSQL xp_cmdshell Stored Procedure production
Elastic Execution via OpenClaw Agent production
Elastic Execution via Windows Subsystem for Linux production
Elastic Execution with Explicit Credentials via Scripting production
Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
Splunk Explorer Child Process with Suspicious Command Line Padding (Sysmon)
Elastic Exporting Exchange Mailbox via PowerShell production
Sigma FakeUpdates/SocGholish Activity test
Elastic File Creation and Execution Detected via Defend for Containers production
Elastic File Creation by Cups or Foomatic-rip Child production
Elastic File Creation in /var/log via Suspicious Process production
Elastic File Creation, Execution and Self-Deletion in Suspicious Directory production
Elastic File Download Detected via Defend for Containers production
Elastic File Execution Permission Modification Detected via Defend for Containers production
Elastic File Transfer or Listener Established via Netcat production
Elastic File Transfer Utility Launched from Unusual Parent production
Elastic First Time Python Spawned a Shell on Host production
Elastic Forbidden Direct Interactive Kubernetes API Request production
Sigma Forfiles Command Execution test
Kusto Front Door Premium WAF - SQLi Detection available
Elastic GenAI or MCP Server Child Process Execution production building block
Splunk Get-ForestTrust with PowerShell Script Block production
Splunk GetLocalUser with PowerShell Script Block production
Splunk GetWmiObject User Account with PowerShell Script Block production
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Splunk Git Hooks Spawn System32 Process (Sysmon)
Splunk Git Spawns System32 Process (Sysmon)
Splunk Git Spawns System32 Process (Windows Event Log)
Elastic GitHub Actions Unusual Bot Push to Repository production
Elastic GitHub Actions Workflow Modification Blocked production
Elastic Github Activity on a Private Repository from an Unusual IP production
Elastic GitHub Authentication Token Access via Node.js production
Splunk Go Run Execution (PowerShell)
Splunk Go Run Execution (Sysmon)
Splunk Go Run Execution (Windows Event Log)
Elastic Google Calendar C2 via Script Interpreter production
Kusto Google Threat Intelligence - Threat Hunting Hash
Sigma Greenbug Espionage Group Indicators test
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - Covenant PowerShell Launcher test
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - CrackMapExec PowerShell Obfuscation test
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Sigma HackTool - Empire PowerShell Launch Parameters test
YARA-L Hacktool - IronSharpPack Execution
Sigma HackTool - Jlaive In-Memory Assembly Execution test
Sigma HackTool - Koadic Execution test
Sigma HackTool - NetExec File Indicators experimental
Sigma HackTool - RedMimicry Winnti Playbook Execution test
Sigma HackTool - Sliver C2 Implant Activity Pattern test
Sigma HackTool - Stracciatella Execution test
Sigma Hacktool Ruler test
Sigma Headless Process Launched Via Conhost.EXE test
Sigma Hidden Powershell in Link File Pattern test
Splunk High Entropy Powershell (PowerShell)
Elastic Host File System Changes via Windows Subsystem for Linux production
Sigma HTML Help HH.EXE Suspicious Child Process test
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Splunk Impacket SMBexec (Windows Event Log)
Splunk Impacket_Empire's WMIExec (Windows Event Log)
Sigma Import PowerShell Modules From Suspicious Directories test
Sigma Import PowerShell Modules From Suspicious Directories - ProcCreation test
Elastic Incoming Execution via PowerShell Remoting production
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Elastic Initramfs Unpacking via unmkinitramfs production
Sigma Inline Python Execution - Spawn Shell Via OS System Library test
Sigma Install New Package Via Winget Local Manifest test
Sigma Installation of WSL Kali-Linux experimental
Sigma Interactive Bash Suspicious Children test
Elastic Interactive Exec Into Container Detected via Defend for Containers production
Elastic Interactive Shell Launched via Unusual Parent Process in a Container production
Elastic Interactive Shell Spawn Detected via Defend for Containers production
Elastic Interactive Terminal Spawned via Perl production
Elastic Interactive Terminal Spawned via Python production
Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
Splunk Invoke-Expression Command (PowerShell)
Splunk Invoke-Expression Command (Sysmon)
Splunk Invoke-Expression Command (Windows Event Log)
Sigma Invoke-Obfuscation CLIP+ Launcher test
Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell test
Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation CLIP+ Launcher - Security test
Sigma Invoke-Obfuscation CLIP+ Launcher - System test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System test
Sigma Invoke-Obfuscation STDIN+ Launcher test
Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell test
Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation STDIN+ Launcher - Security test
Sigma Invoke-Obfuscation STDIN+ Launcher - System test
Sigma Invoke-Obfuscation VAR+ Launcher test
Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell test
Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation VAR+ Launcher - Security test
Sigma Invoke-Obfuscation VAR+ Launcher - System test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test
Sigma Invoke-Obfuscation Via Stdin test
Sigma Invoke-Obfuscation Via Stdin - Powershell test
Sigma Invoke-Obfuscation Via Stdin - PowerShell Module test
Sigma Invoke-Obfuscation Via Stdin - Security test
Sigma Invoke-Obfuscation Via Stdin - System test
Sigma Invoke-Obfuscation Via Use Clip test
Sigma Invoke-Obfuscation Via Use Clip - Powershell test
Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module test
Sigma Invoke-Obfuscation Via Use Clip - Security test
Sigma Invoke-Obfuscation Via Use Clip - System test
Sigma Invoke-Obfuscation Via Use MSHTA test
Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell test
Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module test
Sigma Invoke-Obfuscation Via Use MSHTA - Security test
Sigma Invoke-Obfuscation Via Use MSHTA - System test
Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell test
Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test
Sigma Invoke-Obfuscation Via Use Rundll32 - Security test
Sigma Invoke-Obfuscation Via Use Rundll32 - System test
Splunk Invoke-WebRequest Command (PowerShell)
Splunk Invoke-WebRequest Command (Sysmon)
Splunk Invoke-WebRequest Command (Windows Event Log)
Kusto Java Executing cmd to run Powershell available
Sigma JexBoss Command Sequence test
Splunk Jscript Execution Using Cscript App production
Splunk Juniper Networks Remote Code Execution Exploit Detection production
Sigma JXA In-memory Execution Via OSAScript test
Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
Elastic Kill Command Execution production
Elastic Kubernetes Direct API Request via Curl or Wget production
Elastic Kubernetes Pod Exec Potential Reverse Shell production
Sigma Lace Tempest PowerShell Evidence Eraser test
Sigma Lace Tempest PowerShell Launcher test
Sigma Lazarus Group Activity test
Splunk Linux Decode Base64 to Shell production
Splunk Linux Docker Shell Execution production
Splunk Linux Magic SysRq Key Abuse production
Elastic Linux Restricted Shell Breakout via Linux Binary(s) production
Sigma Linux Reverse Shell Indicator test
Sigma Linux Suspicious Child Process from Node.js - React2Shell experimental
Splunk Linux Suspicious React or Next.js Child Process production
Splunk Linux Unix Shell Enable All SysRq Functions production
Splunk Living Off The Land Detection production
Splunk Log4Shell CVE-2021-44228 Exploitation production
Elastic Long Base64 Encoded Command via Scripting Interpreter production
Elastic M365 Security Compliance Admin Signal production building block
Elastic M365 SharePoint/OneDrive File Access via PowerShell production
Splunk MacOS AMOS Stealer - Virtual Machine Check Activity production
Splunk MacOS LOLbin production
Sigma macOS Network Utility Tools for C2 experimental
Sigma MacOS Scripting Interpreter AppleScript test
Sigma Malicious Base64 Encoded PowerShell Keywords in Command Lines test
Sigma Malicious Nishang PowerShell Commandlets test
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Sigma Malicious PowerShell Keywords test
Splunk Malicious PowerShell Process - Execution Policy Bypass production
Splunk Malicious PowerShell Process With Obfuscation Techniques production
Sigma Malicious PowerShell Scripts - FileCreation test
Sigma Malicious PowerShell Scripts - PoshModule test
Sigma Malicious ShellIntel PowerShell Commandlets test
Elastic Manual Dracut Execution production
Sigma Manual Execution of Script Inside of a Compressed File test
Splunk MCP Filesystem Server Suspicious Extension Write production
Splunk MCP Prompt Injection production
Elastic Memory Swap Modification production
Sigma MERCURY APT Activity test
Sigma Metasploit reverse shell injection in SQL Server experimental
Splunk Meterpreter Reverse Shell (Windows Event Log)
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Microsoft Build Engine Started by a Script Process production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
Elastic Microsoft Management Console File from Unusual Path production
Kusto Midnight Blizzard - Script payload stored in Registry
Sigma MMC Loading Script Engines DLLs experimental
Splunk Modify Exchange Access Settings (PowerShell)
Splunk MS Scripting Process Loading Ldap Module production
Splunk MS Scripting Process Loading WMI Module production
Sigma MSHTA Execution with Suspicious File Extensions test
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Sigma Net WebClient Casing Anomalies test
Elastic Netcat File Transfer or Listener Detected via Defend for Containers production
Elastic Netcat Listener Established via rlwrap production
Sigma Netcat The Powershell Version test
Elastic Network Connection by Cups or Foomatic-rip Child production
Elastic Network Connection from Binary with RWX Memory Region production
Sigma Network Connection Initiated By PowerShell Process test
Sigma Network Connection Initiated via Finger.EXE experimental
Elastic Network Connection to OAST Domain via Script Interpreter production
Elastic Network Connection via Recently Compiled Executable production
Elastic Network Connections Initiated Through XDG Autostart Entry production
Elastic NetworkManager Dispatcher Script Creation production
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Kusto New CloudShell User available
Sigma New PowerShell Instance Created test
Splunk NirCmd Execution (Sysmon)
Splunk NirCmd Execution (Windows Event Log)
Splunk Nishang PowershellTCPOneLine production
Sigma Node Process Executions test
Elastic Node.js Pre or Post-Install Script Execution production
Sigma NodeJS Execution of JavaScript File experimental
Sigma Nohup Execution test
Sigma Non Interactive PowerShell Process Spawned test
Splunk Non-MSIExec .msi Installation (PowerShell)
Splunk Non-MSIExec .msi Installation (Windows Event Log)
Kusto NRT Base64 Encoded Windows Process Command-lines available
Kusto NRT Process executed from binary hidden in Base64 encoded file available
Sigma Nslookup PowerShell Download Cradle test
Sigma NTFS Alternate Data Stream test
Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
Sigma Obfuscated PowerShell OneLiner Execution test
Kusto Office Apps Launching Wscipt available
Splunk Ollama Suspicious Prompt Injection Jailbreak experimental
Sigma OpenEDR Spawning Command Shell experimental
Elastic Openssl Client or Server Activity production
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Sigma Operator Bloopers Cobalt Strike Commands test
Sigma Operator Bloopers Cobalt Strike Modules test
Sigma Osacompile Execution By Potentially Suspicious Applet/Osascript test
Sigma OSACompile Run-Only Execution test
Elastic Outbound Scheduled Task Activity via PowerShell production
Sigma Outlook EnableUnsafeClientMailRules Setting Enabled test
Splunk Output to File (PowerShell)
Splunk Output to File (Windows Event Log)
Splunk Parent in Public Folder Suspicious Process (Sysmon)
Splunk Parent in Public Folder Suspicious Process (Windows Event Log)
Kusto Pathlock TDnR - Function Module Tested in Production available
Kusto Pathlock TDnR - Logical OS Command Changes available
Kusto Pathlock TDnR - SAP Batch Job Events available
Kusto Pathlock TDnR - TMS Transport and Import Events available
Sigma Payload Decoded and Decrypted via Built-in Utilities test
Sigma Payload downloaded via PowerShell
Elastic Payload Execution via Shell Pipe Detected by Defend for Containers production
Sigma PCRE.NET Package Image Load test
Sigma PCRE.NET Package Temp Files test
Sigma Perl Inline Command Execution test
Elastic Perl Outbound Network Connection production
Elastic Persistence via Folder Action Script production
Sigma Php Inline Command Execution test
Sigma PipeShell exfiltration over named pipes experimental
Elastic Pod or Container Creation with Suspicious Command-Line production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential Abuse of Linux Magic System Request Key experimental
Elastic Potential Antimalware Scan Interface Bypass via PowerShell production
Sigma Potential APT FIN7 Exploitation Activity test
Sigma Potential APT FIN7 POWERHOLD Execution test
Sigma Potential APT10 Cloud Hopper Activity test
Sigma Potential Arbitrary Command Execution Via FTP.EXE test
Sigma Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt test
Splunk Potential AutoHotkey .ahk Execution (PowerShell)
Splunk Potential AutoHotkey .ahk Execution (Sysmon)
Splunk Potential AutoHotkey .ahk Execution (Windows Event Log)
Sigma Potential Baby Shark Malware Activity test
Elastic Potential Backdoor Execution Through PAM_EXEC production
Sigma Potential BlackByte Ransomware Activity test
Sigma Potential Bumblebee Remote Thread Creation test
Sigma Potential CobaltStrike Process Patterns test
Elastic Potential Code Execution via Postgresql production
Elastic Potential Command Shell via NetCat production
Sigma Potential CommandLine Path Traversal Via Cmd.EXE test
Sigma Potential CVE-2021-40444 Exploitation Attempt test
Sigma Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test
Sigma Potential Data Exfiltration Activity Via CommandLine Tools test
Elastic Potential Direct Kubelet Access via Process Arguments production
Elastic Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest test
Sigma Potential Dosfuscation Activity test
Sigma Potential Dropper Script Execution Via WScript/CScript/MSHTA test
Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
Sigma Potential Emotet Activity stable
Sigma Potential Encoded PowerShell Patterns In CommandLine test
Elastic Potential Etherhiding C2 via Blockchain Connection production
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Execution via SSH Backdoor production
Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
Elastic Potential Fake CAPTCHA Phishing Attack production
Elastic Potential Git CVE-2025-48384 Exploitation production
Elastic Potential Hex Payload Execution via Command-Line production
Elastic Potential Hex Payload Execution via Common Utility production
Sigma Potential In-Memory Download And Compile Of Payloads test
Elastic Potential JAVA/JNDI Exploitation Attempt production
Sigma Potential KamiKakaBot Activity - Lure Document Execution test
Elastic Potential Kubeletctl Execution production
Elastic Potential Kubeletctl Execution Detected via Defend for Containers production
Elastic Potential Malicious PowerShell Based on Alert Correlation production
Elastic Potential Malware-Driven SSH Brute Force Attempt production
Elastic Potential Meterpreter Reverse Shell production
Sigma Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE test
Sigma Potential Netcat Reverse Shell Execution test
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Sigma Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script test
Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
Sigma Potential PowerShell Command Line Obfuscation test
Sigma Potential PowerShell Downgrade Attack test
Elastic Potential PowerShell HackTool Script by Author production
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential PowerShell Obfuscated Script via High Entropy production
Sigma Potential PowerShell Obfuscation Using Alias Cmdlets test
Sigma Potential PowerShell Obfuscation Using Character Join test
Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
Elastic Potential PowerShell Obfuscation via High Special Character Proportion production building block
Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
Elastic Potential PowerShell Obfuscation via Reverse Keywords production
Sigma Potential PowerShell Obfuscation Via Reversed Commands test
Elastic Potential PowerShell Obfuscation via Special Character Overuse production
Elastic Potential PowerShell Obfuscation via String Concatenation production
Elastic Potential PowerShell Obfuscation via String Reordering production
Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR test
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
Sigma Potential Powershell ReverseShell Connection stable
Sigma Potential POWERTRASH Script Execution test
Elastic Potential Privilege Escalation via Python cap_setuid production
Elastic Potential Process Injection via PowerShell production
Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
Sigma Potential QBot Activity stable
Kusto Potential Ransomware activity related to Cobalt Strike available
Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test
Sigma Potential Remote PowerShell Session Initiated test
Sigma Potential Remote SquiblyTwo Technique Execution test
Elastic Potential Reverse Shell production
Elastic Potential Reverse Shell Activity via Terminal production
Elastic Potential Reverse Shell via Background Process production
Elastic Potential Reverse Shell via Child production
Elastic Potential Reverse Shell via Java production
Elastic Potential Reverse Shell via Suspicious Binary production
Elastic Potential Reverse Shell via Suspicious Child Process production
Elastic Potential Reverse Shell via UDP production
Elastic Potential SAP NetWeaver Exploitation production
Sigma Potential SAP NetWeaver Webshell Creation experimental
Elastic Potential SAP NetWeaver WebShell Creation production
Sigma Potential SAP NetWeaver Webshell Creation - Linux experimental
Elastic Potential SharpRDP Behavior production
Elastic Potential Shell via Wildcard Injection Detected production
Sigma Potential Suspicious PowerShell Keywords test
Elastic Potential Upgrade of Non-interactive Shell production
Elastic Potential Veeam Credential Access Command production
Sigma Potential WinAPI Calls Via PowerShell Scripts test
Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable
Sigma Potential Xterm Reverse Shell test
Sigma Potentially Suspicious Command Executed Via Run Dialog Box - Registry test
Sigma Potentially Suspicious Execution From Parent Process In Public Folder test
Sigma Potentially Suspicious Inline JavaScript Execution via NodeJS Binary experimental
Sigma Potentially Suspicious Long Filename Pattern - Linux experimental
Sigma Potentially Suspicious NTFS Symlink Behavior Modification test
Sigma Potentially Suspicious PowerShell Child Processes test
Sigma Potentially Suspicious Powershell Script Execution From Temp Folder test
Elastic Potentially Suspicious Process Started via tmux or screen production
Sigma Potentially Suspicious WebDAV LNK Execution test
Splunk PowerShell - Connect To Internet With Hidden Window production
Splunk PowerShell 4104 Hunting production
Sigma PowerShell ADRecon Execution test
Sigma PowerShell Base64 Encoded FromBase64String Cmdlet test
Sigma PowerShell Base64 Encoded IEX Cmdlet test
Sigma PowerShell Base64 Encoded Invoke Keyword test
Sigma PowerShell Base64 Encoded Reflective Assembly Load test
Sigma PowerShell Base64 Encoded WMI Classes test
Sigma PowerShell Called from an Executable Version Mismatch test
Splunk PowerShell Clipboard Access (PowerShell)
Splunk Powershell COM Hijacking InprocServer32 Modification production
Sigma PowerShell Core DLL Loaded By Non PowerShell Process test
Sigma PowerShell Create Local User test
Splunk PowerShell CreateDecryptor (PowerShell)
Splunk PowerShell CreateDecryptor (Sysmon)
Splunk PowerShell CreateDecryptor (Windows Event Log)
Splunk Powershell Creating Thread Mutex production
Sigma PowerShell Credential Prompt test
Splunk PowerShell Domain Enumeration production
Splunk PowerShell Downgrade (PowerShell)
Splunk PowerShell Downgrade (Sysmon)
Splunk PowerShell Downgrade (Windows Event Log)
Sigma PowerShell Downgrade Attack - PowerShell test
Splunk PowerShell Download Activity (PowerShell)
Sigma PowerShell Download and Execution Cradles test
Sigma PowerShell Download Pattern test
Sigma PowerShell Download Via Net.WebClient - PowerShell Classic test
YARA-L PowerShell DownloadFile
Splunk PowerShell DownloadFile_DownloadString (PowerShell)
Splunk PowerShell DownloadFile_DownloadString (Sysmon)
Splunk PowerShell DownloadFile_DownloadString (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk PowerShell Enable PowerShell Remoting production
Splunk PowerShell Environment Variable Execution production
Sigma Powershell Execute Batch Script test
Splunk Powershell Execute COM Object production
Sigma Powershell Executed From Headless ConHost Process test
Splunk Powershell Fileless Process Injection via GetProcAddress production
Splunk Powershell Fileless Script Contains Base64 Encoded Content production
Splunk PowerShell Hidden Window (PowerShell)
Splunk PowerShell Hidden Window (Windows Event Log)
Splunk Powershell ICMP Data Exfiltration (PowerShell)
Sigma Powershell Inline Execution From A File test
Elastic PowerShell Invoke-NinjaCopy script production
Elastic PowerShell Kerberos Ticket Dump production
Elastic PowerShell Kerberos Ticket Request production
Elastic PowerShell Keylogging Script production
Splunk Powershell Load Module in Meterpreter production
Splunk PowerShell Loading DotNET into Memory via Reflection production
Elastic PowerShell Mailbox Collection Script production
Elastic PowerShell MiniDump Script production
Splunk PowerShell Modifying Registry Values (PowerShell)
Splunk PowerShell Modifying Registry Values (Sysmon)
Splunk PowerShell Modifying Registry Values (Windows Event Log)
Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
Sigma Powershell MsXml COM Object test
Elastic PowerShell Obfuscation via Negative Index String Reversal production
Splunk PowerShell PInvoke Process Injection API Chain production
Splunk Powershell Processing Stream Of Data production
Sigma PowerShell PSAttack test
Elastic PowerShell PSReflect Script production
Sigma PowerShell Remote Session Creation test
Splunk PowerShell Script Block With URL Chain production
Sigma PowerShell Script Run in AppData test
Elastic PowerShell Script with Archive Compression Capabilities production building block
Elastic PowerShell Script with Log Clear Capabilities production building block
Elastic PowerShell Script with Password Policy Discovery Capabilities production building block
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic PowerShell Script with Veeam Credential Access Capabilities production
Elastic PowerShell Script with Webcam Video Capture Capabilities production
Elastic PowerShell Script with Windows Defender Tampering Capabilities production
Elastic PowerShell Share Enumeration Script production
Sigma PowerShell ShellCode test
Splunk PowerShell Start or Stop Service production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Elastic PowerShell Suspicious Payload Encoded and Compressed production
Elastic PowerShell Suspicious Script with Audio Capture Capabilities production
Elastic PowerShell Suspicious Script with Clipboard Retrieval Capabilities production
Elastic PowerShell Suspicious Script with Screenshot Capabilities production
Splunk Powershell Using memory As Backing Store production
Sigma PowerShell Web Access Installation - PsScript test
YARA-L PowerShell Web Download
Splunk PowerShell WebRequest Using Memory Stream production
Kusto PowerShell without powershell.exe
Sigma Powershell XML Execute Command test
Splunk PowerShell XML Retrieval (PowerShell)
Splunk PowerShell XML Retrieval (Sysmon)
Splunk PowerShell XML Retrieval (Windows Event Log)
Sigma PowerView PowerShell Cmdlets - ScriptBlock test
Splunk PowerView_SharpView Commands (PowerShell)
Elastic Printer User (lp) Shell Execution production
Elastic Privileged Container Creation with Host Directory Mount production
Elastic Privileged Docker Container Creation production
Elastic Process Activity via Compiled HTML File production
Elastic Process Backgrounded by Unusual Parent production
Kusto Process Creation with Suspicious CommandLine Arguments available
Kusto Process executed from binary hidden in Base64 encoded file available
Kusto Process Execution Frequency Anomaly available
Sigma Process Signal from Suspicious Parent Process experimental
Elastic Process Spawned from Message-of-the-Day (MOTD) production
Elastic Process Started from Process ID (PID) File production
Elastic Process Started with Executable Stack production
Splunk Process Writing DynamicWrapperX production
Elastic Prompt for Credentials with Osascript production
Elastic Proxy Execution via Console Window Host production
Elastic Proxy Shell Execution via Busybox production
Sigma PSAsyncShell - Asynchronous TCP Reverse Shell test
Sigma PUA - AdvancedRun Execution test
Sigma PUA - Wsudo Suspicious Execution test
Splunk Python Execution (Windows Event Log)
Sigma Python Inline Command Execution test
Sigma Python One-Liners with Base64 Decoding experimental
Sigma Python One-Liners with Base64 Decoding - Linux experimental
Sigma Python Path Configuration File Creation - Linux test
Sigma Python Path Configuration File Creation - MacOS test
Sigma Python Path Configuration File Creation - Windows test
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Sigma Python Spawning Pretty TTY on Windows test
Sigma Python Spawning Pretty TTY Via PTY Module test
Kusto Qakbot Discovery Activies available
Elastic Rare Powershell Script production
Splunk Rare Process Execution (Sysmon)
Splunk Rare Process Execution (Windows Event Log)
Sigma Raspberry Robin Initial Execution From External Drive test
Sigma Raspberry Robin Subsequent Execution of Commands test
Elastic React2Shell (CVE-2025-55182) Exploitation Attempt production
Elastic React2Shell Network Security Alert production
Sigma Read Contents From Stdin Via Cmd.EXE test
Splunk Recon Using WMI Class production
Kusto RecordedFuture Threat Hunting Hash All Actors
Sigma Registry Modification Attempt Via VBScript experimental
Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Registry Tampering by Potentially Suspicious Processes experimental
Sigma Remote Access Tool - ScreenConnect Command Execution test
Sigma Remote Access Tool - ScreenConnect File Transfer test
Sigma Remote Access Tool - ScreenConnect Remote Command Execution test
Sigma Remote Access Tool - ScreenConnect Temporary File test
Splunk Remote Admin Tools (EDR)
Splunk Remote Admin Tools (PowerShell)
Splunk Remote Admin Tools (Sysmon)
Splunk Remote Admin Tools (Windows Event Log)
Elastic Remote File Download via PowerShell production
Elastic Remote File Download via Script Interpreter production
Elastic Remote GitHub Actions Runner Registration production
Sigma Remote LSASS Process Access Through Windows Remote Management stable
Sigma Remote PowerShell Session (PS Classic) test
Sigma Remote PowerShell Session (PS Module) test
Sigma Remote PowerShell Session Host Process (WinRM) test
Sigma Remote PowerShell Sessions Network Connections (WinRM) test
Sigma Remote Thread Creation Via PowerShell test
Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
Elastic Remote XSL Script Execution via COM production
Elastic Renamed Automation Script Interpreter production
Sigma Renamed CURL.EXE Execution test
Sigma Renamed FTP.EXE Execution test
Sigma Renamed NirCmd.EXE Execution test
Sigma Renamed PingCastle Binary Execution test
Sigma Renamed Powershell Under Powershell Channel test
Sigma REvil Kaseya Incident Malware Patterns test
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production
Sigma Rorschach Ransomware Execution Activity test
Elastic ROT Encoded Python Script Execution production
Sigma Ruby Inline Command Execution test
Sigma Run PowerShell Script from Redirected Input Stream test
Splunk Ryuk Wake on LAN Command production
YARA-L sap execution of sensitive abap program
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic ScreenConnect Server Spawning Suspicious Processes production
Splunk Script Connected to External Destination - Windows (Sysmon)
Splunk Script Connected to External Destination - Windows (Windows Event Log)
Elastic Script Execution via Microsoft HTML Application production
Elastic Script Interpreter Connection to Non-Standard Port production
Sigma Script Interpreter Execution From Suspicious Folder test
Kusto Script Interpreter Loading DotNet Assembly From Memory
Sigma Script Interpreter Spawning Credential Scanner - Linux experimental
Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
Sigma Serial console process spawning CMD shell (via command) experimental
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Elastic Service Control Spawned via Script Interpreter production
Splunk Set Default PowerShell Execution Policy To Unrestricted or Bypass production
Sigma Shai-Hulud Malware Indicators - Linux experimental
Sigma Shai-Hulud Malware Indicators - Windows experimental
Splunk SharpHound Enumeration (Windows Event Log)
Elastic Shell Execution via Apple Scripting production
Sigma Shell Execution via Git - Linux test
Sigma Shell Execution via Rsync - Linux experimental
Sigma Shell Invocation via Env Command - Linux test
Sigma Shell Invocation Via Ssh - Linux test
Sigma Silence.EDA Detection test
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Splunk Sliver C2 Implant Activity Pattern (PowerShell)
Splunk Sliver C2 Implant Activity Pattern (Sysmon)
Splunk Sliver C2 Implant Activity Pattern (Windows Event Log)
Sigma Sofacy Trojan Loader Activity test
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Sigma SQL Client Tools PowerShell Session Detection test
Panther StopInstance FOLLOWED BY ModifyInstanceAttributes
Kusto SUNBURST and SUPERNOVA backdoor hashes available
Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
Kusto SUNBURST network beacons available
Kusto SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
Elastic Suspicious .NET Code Compilation production
Elastic Suspicious .NET Reflection via PowerShell production
Sigma Suspicious Activity in Shell Commands test
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Sigma Suspicious ArcSOC.exe Child Process experimental
Elastic Suspicious Automator Workflows Execution production
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Elastic Suspicious Browser Child Process production
Sigma Suspicious Browser Child Process - MacOS test
Elastic Suspicious Child Execution via Web Server production
Splunk Suspicious Child Process for mshta.exe (Sysmon)
Splunk Suspicious Child Process for mshta.exe (Windows Event Log)
Sigma Suspicious Child Process Of BgInfo.EXE test
Sigma Suspicious Child Process of SAP NetWeaver experimental
Sigma Suspicious Child Process of SAP NetWeaver - Linux experimental
Elastic Suspicious Cmd Execution via WMI production
Elastic Suspicious Command Execution via Web Server production
Elastic Suspicious Command Prompt Network Connection production
Sigma Suspicious Commands Linux test
Elastic Suspicious Content Extracted or Decompressed via Funzip production
Sigma Suspicious CrushFTP Child Process experimental
Elastic Suspicious Curl to Jamf Endpoint production
Elastic Suspicious Data Encryption via OpenSSL Utility production
Sigma Suspicious Deno File Written from Remote Source experimental
Sigma Suspicious Download and Execute Pattern via Curl/Wget experimental
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Emond Child Process production
Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test
Sigma Suspicious Encoded PowerShell Command Line test
Splunk Suspicious Executable by CMD.exe (Sysmon)
Splunk Suspicious Executable by CMD.exe (Windows Event Log)
Splunk Suspicious Executable by Powershell (EDR)
Splunk Suspicious Executable by Powershell (Sysmon)
Splunk Suspicious Executable by Powershell (Windows Event Log)
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Sigma Suspicious Execution of Powershell with Base64 test
Sigma Suspicious Execution via macOS Script Editor test
Elastic Suspicious Execution via Windows Subsystem for Linux production
Elastic Suspicious Execution with NodeJS production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious File Characteristics Due to Missing Fields test
Sigma Suspicious File Created In PerfLogs test
Elastic Suspicious File Creation via Pkg Install Script production
Sigma Suspicious File Execution From Internet Hosted WebDav Share test
Elastic Suspicious File Made Executable via Chmod Inside A Container production
Sigma Suspicious Filename with Embedded Base64 Commands experimental
Sigma Suspicious Greedy Compression Using Rar.EXE test
Sigma Suspicious HH.EXE Execution test
Sigma Suspicious HWP Sub Processes test
Sigma Suspicious Installer Package Child Process test
Elastic Suspicious Installer Package Spawns Network Event production
Sigma Suspicious Interactive PowerShell as SYSTEM test
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Sigma Suspicious Invocation of Shell via AWK - Linux test
Sigma Suspicious Invocation of Shell via Rsync experimental
Sigma Suspicious Java Children Processes test
Elastic Suspicious JavaScript Execution via Deno production
Elastic Suspicious JetBrains TeamCity Child Process production
Splunk Suspicious Linux Discovery Commands production
Elastic Suspicious macOS MS Office Child Process production
Elastic Suspicious Microsoft HTML Application Child Process production
Sigma Suspicious Microsoft Office Child Process - MacOS test
Elastic Suspicious Mining Process Creation Event production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious Named Pipe Creation production
Elastic Suspicious Network Connection via systemd production
Elastic Suspicious Path Invocation from Command Line production
Sigma Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script test
Elastic Suspicious Portable Executable Encoded in Powershell Script production
Splunk Suspicious Powershell (PowerShell)
Splunk Suspicious PowerShell Clipboard Activity (PowerShell)
Splunk Suspicious PowerShell Clipboard Activity (Sysmon)
Splunk Suspicious PowerShell Clipboard Activity (Windows Event Log)
Kusto Suspicious Powershell Commandlet Executed available
Sigma Suspicious PowerShell Download - PoshModule test
Sigma Suspicious PowerShell Download - Powershell Script test
Sigma Suspicious PowerShell Download and Execute Pattern test
Sigma Suspicious PowerShell Encoded Command Patterns test
Elastic Suspicious PowerShell Engine ImageLoad production
Sigma Suspicious PowerShell IEX Execution Patterns test
Sigma Suspicious PowerShell Invocation From Script Engines test
Sigma Suspicious PowerShell Invocations - Generic test
Sigma Suspicious PowerShell Invocations - Generic - PowerShell Module test
Sigma Suspicious PowerShell Invocations - Specific test
Sigma Suspicious PowerShell Invocations - Specific - PowerShell Module test
Sigma Suspicious PowerShell Parameter Substring test
Splunk Suspicious PowerShell Parameter Substring (PowerShell)
Splunk Suspicious PowerShell Parameter Substring (Sysmon)
Splunk Suspicious PowerShell Parameter Substring (Windows Event Log)
Sigma Suspicious PowerShell Parent Process test
Elastic Suspicious Powershell Script production
Sigma Suspicious PrinterPorts Creation (CVE-2020-1048) test
Splunk Suspicious Process DNS Query Known Abuse Web Services production
Elastic Suspicious Process Execution Detected via Defend for Containers production
Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
Splunk Suspicious Process With Discord DNS Query production
Sigma Suspicious Program Names test
Elastic Suspicious Python Shell Command Execution production
Sigma Suspicious RASdial Activity test
Elastic Suspicious React Server Child Process production
Splunk Suspicious reCAPTCHA Command Line (PowerShell)
Splunk Suspicious reCAPTCHA Command Line (Sysmon)
Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test
Sigma Suspicious Remote Child Process From Outlook test
Sigma Suspicious Reverse Shell Command Line test
Sigma Suspicious Runscripthelper.exe test
Sigma Suspicious Scan Loop Network test
Sigma Suspicious Schtasks Execution AppData Folder test
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Script Object Execution production
Sigma Suspicious Scripting in a WMI Consumer test
Elastic Suspicious Shell Execution via Velociraptor production
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
Elastic Suspicious Windows Command Shell Arguments production
Elastic Suspicious Windows Powershell Arguments production
Sigma Suspicious WSMAN Provider Image Loads test
Sigma Suspicious XOR Encoded PowerShell Command test
Elastic Suspicious Zoom Child Process production
Elastic Svchost spawning Cmd production
Sigma Sysprep on AppData Folder test
Elastic System Binary Path File Permission Modification production
Elastic System Information Discovery via Windows Command Shell production building block
Elastic System Path File Creation and Execution Detected via Defend for Containers production
Elastic System Shells via Services production
Elastic Systemd Shell Execution During Boot production
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Kusto TEARDROP memory-only dropper available
Panther Teleport Suspicious Commands Executed
Sigma TropicTrooper Campaign November 2018 stable
Sigma Turla Group Commands May 2020 test
Sigma Turla Group Lateral Movement test
Sigma UNC2452 PowerShell Pattern test
Sigma UNC2452 Process Creation Patterns test
Sigma Uncommon Child Process Of BgInfo.EXE test
Sigma Uncommon PowerShell Hosts test
Elastic Unknown Execution of Binary with RWX Memory Region production
Splunk Unloading AMSI via Reflection production
Elastic Unusual Base64 Encoding/Decoding Activity production
Elastic Unusual Child Execution via Web Server production
Elastic Unusual Command Execution via Web Server production
Elastic Unusual D-Bus Daemon Child Process production
Elastic Unusual Execution from Kernel Thread (kthreadd) Parent production
Elastic Unusual Exim4 Child Process production
Elastic Unusual File Creation by Web Server production building block
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
Elastic Unusual Library Load via Python production
Sigma Unusual Parent Process For Cmd.EXE test
Elastic Unusual Parent Process for cmd.exe production
Elastic Unusual Pkexec Execution production
Elastic Unusual Process For MSSQL Service Accounts production building block
Sigma Unusually Long PowerShell CommandLine test
Panther Upwind Runtime Detection Passthrough Experimental
Sigma Ursnif Redirection Of Discovery Commands test
Sigma Usage Of Web Request Commands And Cmdlets test
Sigma Usage Of Web Request Commands And Cmdlets - ScriptBlock test
Sigma Use of FSharp Interpreters test
Sigma Use of OpenConsole test
Sigma Use of Pcalua For Execution test
Panther User Logged in as root
Splunk Vbscript Execution Using Wscript App production
Elastic Veeam Backup Library Loaded by Unusual Process production
Sigma Vice Society directory crawling script for data exfiltration (via ps_script) stable
Sigma Vim GTFOBin Abuse - Linux test
Sigma VMToolsd Suspicious Child Process test
Elastic Volume Shadow Copy Deletion via PowerShell production
Kusto Vulerabilities available
YARA-L W3WP Launching Encoded Powershell
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Web Server Spawned via Python production
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Splunk WebDAV LNK Execution (Sysmon)
Splunk WebDAV LNK Execution (Windows Event Log)
Splunk WebLogic CVE-2017-10271 (PowerShell)
Splunk WebLogic CVE-2017-10271 (Sysmon)
Splunk WebLogic CVE-2017-10271 (Windows Event Log)
Splunk Wermgr Process Spawned CMD Or Powershell Process production
Sigma WinAPI Function Calls Via PowerShell Scripts test
Sigma WinAPI Library Calls Via PowerShell Scripts test
Splunk Windows Account Access Removal via Logoff Exec production
Splunk Windows Apache Benchmark Binary production
Splunk Windows AutoIt3 Execution production
Kusto Windows Binaries Executed from Non-Default Directory available
Kusto Windows Binaries Lolbins Renamed available
Splunk Windows Cmdline Tool Execution From Non-Shell Process production
Splunk Windows Cobalt Strike PowerShell Loader production
Splunk Windows Command and Scripting Interpreter Hunting Path Traversal production
Splunk Windows Command and Scripting Interpreter Path Traversal Exec production
Splunk Windows Command Shell DCRat ForkBomb Payload production
Splunk Windows Common Abused Cmd Shell Risk Behavior production
Splunk Windows Copy Files (PowerShell)
Splunk Windows Copy Files (Sysmon)
Splunk Windows Copy Files (Windows Event Log)
Splunk Windows Crowdstrike RTR Script Execution production
Splunk Windows Default Cobalt Strike PowerShell Beacon production
Sigma Windows Defender AMSI Trigger Detected stable
Splunk Windows Defender ASR Audit Events production
Splunk Windows Defender ASR Block Events production
Splunk Windows Defender ASR Rules Stacking production
Sigma Windows Defender Exclusions Added - PowerShell test
Elastic Windows Defender Exclusions Added via PowerShell production
Sigma Windows Defender Threat Detected stable
Splunk Windows Enable PowerShell Web Access production
Splunk Windows Explorer LNK Exploit Process Launch With Padding production
Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
Splunk Windows File Association Modification via Ftype production
Splunk Windows File Download Via PowerShell production
Elastic Windows Firewall Disabled via PowerShell production
Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
Splunk Windows Identify Protocol Handlers production
Splunk Windows MSExchange Management Mailbox Cmdlet Usage production
Splunk Windows Outlook Macro Created by Suspicious Process production
Splunk Windows PaperCut NG Spawn Shell production
Splunk Windows Powershell Cryptography Namespace production
Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
Splunk Windows PowerShell Get CIMInstance Remote Computer production
Splunk Windows Powershell History File Deletion production
Splunk Windows Powershell Import Applocker Policy production
Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
Splunk Windows PowerShell Invoke-Sqlcmd Execution production
Splunk Windows Powershell Logoff User via Quser production
Splunk Windows PowerShell Module File Created production
Splunk Windows PowerShell MSIX Package Installation production
Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
Splunk Windows PowerShell Process With Malicious String production
Splunk Windows Powershell RemoteSigned File production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows PowerShell Script Block With Malicious String production
Splunk Windows PowerShell Script From WindowsApps Directory production
Splunk Windows PowerShell Script TabExpansion Direct Call production
Splunk Windows PowerShell WMI Win32 ScheduledJob production
Splunk Windows PowGoop Beacon Decoding production
Splunk Windows Process Accessing Windows Recall Directory production
Splunk Windows Process Execution From RDP Share production
Splunk Windows Remote Image Load production
Splunk Windows Scheduled Task Service Spawned Shell production
Elastic Windows Script Executing PowerShell production
Elastic Windows Script Execution from Archive production
Elastic Windows Script Interpreter Executing Process via WMI production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Splunk Windows Shell Process from CrushFTP production
Sigma Windows Shell/Scripting Application File Write to Suspicious Folder test
Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
Splunk Windows Software Discovery Via PowerShell production
Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
Splunk Windows SQLCMD Execution production
Splunk Windows SSH Proxy Command production
Elastic Windows Subsystem for Linux Distribution Installed production
Sigma Windows Suspicious Child Process from Node.js - React2Shell experimental
Splunk Windows Suspicious React or Next.js Child Process production
Splunk Windows Suspicious VMWare Tools Child Process production
Elastic Windows System Information Discovery production building block
Splunk Windows TeamCity Payload Execution from Temp Directory production
Splunk Windows TeamCity Plugin Installed production
Splunk Windows TinyCC Shellcode Execution production
Splunk Windows WinDBG Spawning AutoIt3 production
Splunk Windows XLL File Creation Outside of Typical Location production
Sigma WMImplant Hack Tool test
Sigma Writing Of Malicious Files To The Fonts Folder test
Sigma WScript or CScript Dropper - File test
Sigma Wscript Shell Run In CommandLine test
Splunk Wscript_Cscript Execution (PowerShell)
Splunk Wscript_Cscript Execution (Sysmon)
Splunk Wscript_Cscript Execution (Windows Event Log)
Sigma WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test
Sigma XSL Script Execution Via WMIC.EXE test
Sigma ZxShell Malware test

Command and Scripting Interpreter: PowerShell T1059.001 471 rules

Kusto A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
Sigma Alternate PowerShell Hosts - PowerShell Module test
Sigma Alternate PowerShell Hosts Pipe test
Sigma AppLocker Prevented Application or Script from Running test
Sigma AWS EC2 Startup Shell Script Change test
Elastic AWS SSM `SendCommand` with Run Shell Command Parameters production
Elastic AWS SSM Session Manager Child Process Execution production
Elastic Azure Run Command Correlated with Process Execution production
Elastic Azure Run Command Script Child Process production
Kusto Azure VM Run Command operations executing a unique PowerShell script
Sigma Bad Opsec Powershell Code Artifacts test
Sigma Base64 Encoded PowerShell Command Detected test
YARA-L Base64 Encoded PowerShell Command Detected
Sigma BloodHound Collection Files test
Sigma bXOR Operator Usage In PowerShell Command Line - PowerShell Classic test
Splunk Bypass or Unrestricted PowerShell Execution (PowerShell)
Sigma Certificate Exported Via PowerShell test
Sigma Change PowerShell Policies to an Insecure Level test
Sigma Change PowerShell Policies to an Insecure Level - PowerShell test
Sigma ChromeLoader Malware Execution test
Kusto Cisco Cloud Security - Windows PowerShell User-Agent Detected available
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Splunk Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
Elastic Clearing Windows Console History production
Sigma Cmd.EXE Missing Space Characters Execution Anomaly test
Elastic Command and Scripting Interpreter via Windows Scripts production
Elastic Command Execution via SolarWinds Process production
Sigma Command Line Execution with Suspicious URL and AppData Strings test
Elastic Command Line Obfuscation via Whitespace Padding production
Elastic Command Shell Activity Started via RunDLL32 production
Splunk Command-Line Interface Execution (PowerShell)
Splunk Command-Line Interface Execution (Sysmon)
Splunk Command-Line Interface Execution (Windows Event Log)
Splunk Common Exchange Recon cmdlets (PowerShell)
Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine test
YARA-L ConvertTo-SecureString Cmdlet Usage Via CommandLine
Splunk CrushFTP Authentication Bypass Exploitation production
Sigma CVE-2022-24527 Microsoft Connected Cache LPE test
Elastic Delayed Execution via Ping production
Elastic Deprecated - Microsoft Exchange Transport Agent Install Script production building block
Elastic Deprecated - Potential PowerShell Obfuscated Script production
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM production building block
Splunk Detect Certify With PowerShell Script Block Logging production
Splunk Detect Empire with PowerShell Script Block Logging production
Splunk Detect Mimikatz With PowerShell Script Block Logging production
Sigma Detection of PowerShell Execution via Sqlps.exe test
Elastic Disabling Windows Defender Security Settings via PowerShell production
Sigma DSInternals Suspicious PowerShell Cmdlets test
Sigma DSInternals Suspicious PowerShell Cmdlets - ScriptBlock test
Elastic Dynamic IEX Reconstruction via Method String Access production
Splunk Encoded Powershell Command (PowerShell)
Splunk Encoded Powershell Command (Sysmon)
Splunk Encoded Powershell Command (Windows Event Log)
Sigma Encoded PowerShell payload deployed (PowerShell) experimental
Elastic Entra ID PowerShell Sign-in production
Splunk Exchange PowerShell Module Usage production
Sigma Exchange PowerShell Snap-Ins Usage test
Kusto Exchange Worker Process Making Remote Call
Sigma Execute Code with Pester.bat test
Sigma Execute Code with Pester.bat as Parent test
Kusto Execution attempts stateful anomaly on database available
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of a Downloaded Windows Script production
Elastic Execution of Persistent Suspicious Program production
Sigma Execution of Powershell Script in Public Folder test
Elastic Execution via GitHub Actions Runner production
Elastic Execution via OpenClaw Agent production
Elastic Execution with Explicit Credentials via Scripting production
Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
Elastic Exporting Exchange Mailbox via PowerShell production
Sigma FakeUpdates/SocGholish Activity test
Splunk Get-ForestTrust with PowerShell Script Block production
Splunk GetLocalUser with PowerShell Script Block production
Splunk GetWmiObject User Account with PowerShell Script Block production
Sigma Greenbug Espionage Group Indicators test
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma HackTool - Covenant PowerShell Launcher test
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - CrackMapExec PowerShell Obfuscation test
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Sigma HackTool - Empire PowerShell Launch Parameters test
Sigma Headless Process Launched Via Conhost.EXE test
Sigma Hidden Powershell in Link File Pattern test
Splunk High Entropy Powershell (PowerShell)
Sigma HTML Help HH.EXE Suspicious Child Process test
Splunk Impacket_Empire's WMIExec (Windows Event Log)
Sigma Import PowerShell Modules From Suspicious Directories test
Sigma Import PowerShell Modules From Suspicious Directories - ProcCreation test
Elastic Incoming Execution via PowerShell Remoting production
Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
Splunk Invoke-Expression Command (PowerShell)
Splunk Invoke-Expression Command (Sysmon)
Splunk Invoke-Expression Command (Windows Event Log)
Sigma Invoke-Obfuscation CLIP+ Launcher test
Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell test
Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation CLIP+ Launcher - Security test
Sigma Invoke-Obfuscation CLIP+ Launcher - System test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System test
Sigma Invoke-Obfuscation STDIN+ Launcher test
Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell test
Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation STDIN+ Launcher - Security test
Sigma Invoke-Obfuscation STDIN+ Launcher - System test
Sigma Invoke-Obfuscation VAR+ Launcher test
Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell test
Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation VAR+ Launcher - Security test
Sigma Invoke-Obfuscation VAR+ Launcher - System test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test
Sigma Invoke-Obfuscation Via Stdin test
Sigma Invoke-Obfuscation Via Stdin - Powershell test
Sigma Invoke-Obfuscation Via Stdin - PowerShell Module test
Sigma Invoke-Obfuscation Via Stdin - Security test
Sigma Invoke-Obfuscation Via Stdin - System test
Sigma Invoke-Obfuscation Via Use Clip test
Sigma Invoke-Obfuscation Via Use Clip - Powershell test
Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module test
Sigma Invoke-Obfuscation Via Use Clip - Security test
Sigma Invoke-Obfuscation Via Use Clip - System test
Sigma Invoke-Obfuscation Via Use MSHTA test
Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell test
Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module test
Sigma Invoke-Obfuscation Via Use MSHTA - Security test
Sigma Invoke-Obfuscation Via Use MSHTA - System test
Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell test
Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test
Sigma Invoke-Obfuscation Via Use Rundll32 - Security test
Sigma Invoke-Obfuscation Via Use Rundll32 - System test
Splunk Invoke-WebRequest Command (PowerShell)
Splunk Invoke-WebRequest Command (Sysmon)
Splunk Invoke-WebRequest Command (Windows Event Log)
Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
Sigma Lace Tempest PowerShell Evidence Eraser test
Sigma Lace Tempest PowerShell Launcher test
Elastic Long Base64 Encoded Command via Scripting Interpreter production
Elastic M365 Security Compliance Admin Signal production building block
Elastic M365 SharePoint/OneDrive File Access via PowerShell production
Sigma Malicious Base64 Encoded PowerShell Keywords in Command Lines test
Sigma Malicious Nishang PowerShell Commandlets test
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Sigma Malicious PowerShell Keywords test
Splunk Malicious PowerShell Process - Execution Policy Bypass production
Splunk Malicious PowerShell Process With Obfuscation Techniques production
Sigma Malicious PowerShell Scripts - FileCreation test
Sigma Malicious PowerShell Scripts - PoshModule test
Sigma Malicious ShellIntel PowerShell Commandlets test
Sigma MERCURY APT Activity test
Splunk Meterpreter Reverse Shell (Windows Event Log)
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Microsoft Build Engine Started by a Script Process production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
Splunk Modify Exchange Access Settings (PowerShell)
Sigma Net WebClient Casing Anomalies test
Sigma Netcat The Powershell Version test
Sigma Network Connection Initiated By PowerShell Process test
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Sigma New PowerShell Instance Created test
Splunk Nishang PowershellTCPOneLine production
Sigma Non Interactive PowerShell Process Spawned test
Sigma Nslookup PowerShell Download Cradle test
Sigma NTFS Alternate Data Stream test
Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
Sigma Obfuscated PowerShell OneLiner Execution test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Sigma Payload downloaded via PowerShell
Sigma PipeShell exfiltration over named pipes experimental
Splunk Possible Lateral Movement PowerShell Spawn production
Elastic Potential Antimalware Scan Interface Bypass via PowerShell production
Sigma Potential APT FIN7 Exploitation Activity test
Sigma Potential APT FIN7 POWERHOLD Execution test
Sigma Potential Baby Shark Malware Activity test
Sigma Potential BlackByte Ransomware Activity test
Sigma Potential Bumblebee Remote Thread Creation test
Elastic Potential Command Shell via NetCat production
Sigma Potential Data Exfiltration Activity Via CommandLine Tools test
Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest test
Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
Sigma Potential Emotet Activity stable
Sigma Potential Encoded PowerShell Patterns In CommandLine test
Elastic Potential Execution via FileFix Phishing Attack production
Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
Elastic Potential Fake CAPTCHA Phishing Attack production
Elastic Potential Malicious PowerShell Based on Alert Correlation production
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Sigma Potential PowerShell Command Line Obfuscation test
Sigma Potential PowerShell Downgrade Attack test
Elastic Potential PowerShell HackTool Script by Author production
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential PowerShell Obfuscated Script via High Entropy production
Sigma Potential PowerShell Obfuscation Using Alias Cmdlets test
Sigma Potential PowerShell Obfuscation Using Character Join test
Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
Elastic Potential PowerShell Obfuscation via High Special Character Proportion production building block
Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
Elastic Potential PowerShell Obfuscation via Reverse Keywords production
Sigma Potential PowerShell Obfuscation Via Reversed Commands test
Elastic Potential PowerShell Obfuscation via Special Character Overuse production
Elastic Potential PowerShell Obfuscation via String Concatenation production
Elastic Potential PowerShell Obfuscation via String Reordering production
Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR test
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
Sigma Potential Powershell ReverseShell Connection stable
Sigma Potential POWERTRASH Script Execution test
Elastic Potential Process Injection via PowerShell production
Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
Sigma Potential Remote PowerShell Session Initiated test
Elastic Potential SAP NetWeaver Exploitation production
Elastic Potential SharpRDP Behavior production
Sigma Potential Suspicious PowerShell Keywords test
Elastic Potential Veeam Credential Access Command production
Sigma Potential WinAPI Calls Via PowerShell Scripts test
Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable
Sigma Potentially Suspicious Command Executed Via Run Dialog Box - Registry test
Sigma Potentially Suspicious PowerShell Child Processes test
Sigma Potentially Suspicious Powershell Script Execution From Temp Folder test
Sigma Potentially Suspicious WebDAV LNK Execution test
Splunk PowerShell - Connect To Internet With Hidden Window production
Splunk PowerShell 4104 Hunting production
Sigma PowerShell ADRecon Execution test
Sigma PowerShell Base64 Encoded FromBase64String Cmdlet test
Sigma PowerShell Base64 Encoded IEX Cmdlet test
Sigma PowerShell Base64 Encoded Invoke Keyword test
Sigma PowerShell Base64 Encoded Reflective Assembly Load test
Sigma PowerShell Base64 Encoded WMI Classes test
Sigma PowerShell Called from an Executable Version Mismatch test
Splunk PowerShell Clipboard Access (PowerShell)
Splunk Powershell COM Hijacking InprocServer32 Modification production
Sigma PowerShell Core DLL Loaded By Non PowerShell Process test
Sigma PowerShell Create Local User test
Splunk PowerShell CreateDecryptor (PowerShell)
Splunk PowerShell CreateDecryptor (Sysmon)
Splunk PowerShell CreateDecryptor (Windows Event Log)
Splunk Powershell Creating Thread Mutex production
Sigma PowerShell Credential Prompt test
Splunk PowerShell Domain Enumeration production
Splunk PowerShell Downgrade (PowerShell)
Splunk PowerShell Downgrade (Sysmon)
Splunk PowerShell Downgrade (Windows Event Log)
Sigma PowerShell Downgrade Attack - PowerShell test
Splunk PowerShell Download Activity (PowerShell)
Sigma PowerShell Download Pattern test
Sigma PowerShell Download Via Net.WebClient - PowerShell Classic test
YARA-L PowerShell DownloadFile
Splunk PowerShell DownloadFile_DownloadString (PowerShell)
Splunk PowerShell DownloadFile_DownloadString (Sysmon)
Splunk PowerShell DownloadFile_DownloadString (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk PowerShell Enable PowerShell Remoting production
Splunk PowerShell Environment Variable Execution production
Splunk Powershell Execute COM Object production
Sigma Powershell Executed From Headless ConHost Process test
Splunk Powershell Fileless Process Injection via GetProcAddress production
Splunk Powershell Fileless Script Contains Base64 Encoded Content production
Splunk Powershell ICMP Data Exfiltration (PowerShell)
Sigma Powershell Inline Execution From A File test
Elastic PowerShell Invoke-NinjaCopy script production
Elastic PowerShell Kerberos Ticket Dump production
Elastic PowerShell Kerberos Ticket Request production
Elastic PowerShell Keylogging Script production
Splunk Powershell Load Module in Meterpreter production
Splunk PowerShell Loading DotNET into Memory via Reflection production
Elastic PowerShell Mailbox Collection Script production
Elastic PowerShell MiniDump Script production
Splunk PowerShell Modifying Registry Values (PowerShell)
Splunk PowerShell Modifying Registry Values (Sysmon)
Splunk PowerShell Modifying Registry Values (Windows Event Log)
Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
Sigma Powershell MsXml COM Object test
Elastic PowerShell Obfuscation via Negative Index String Reversal production
Splunk PowerShell PInvoke Process Injection API Chain production
Splunk Powershell Processing Stream Of Data production
Sigma PowerShell PSAttack test
Elastic PowerShell PSReflect Script production
Sigma PowerShell Remote Session Creation test
Splunk PowerShell Script Block With URL Chain production
Sigma PowerShell Script Run in AppData test
Elastic PowerShell Script with Archive Compression Capabilities production building block
Elastic PowerShell Script with Log Clear Capabilities production building block
Elastic PowerShell Script with Password Policy Discovery Capabilities production building block
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic PowerShell Script with Veeam Credential Access Capabilities production
Elastic PowerShell Script with Webcam Video Capture Capabilities production
Elastic PowerShell Script with Windows Defender Tampering Capabilities production
Elastic PowerShell Share Enumeration Script production
Sigma PowerShell ShellCode test
Splunk PowerShell Start or Stop Service production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Elastic PowerShell Suspicious Payload Encoded and Compressed production
Elastic PowerShell Suspicious Script with Audio Capture Capabilities production
Elastic PowerShell Suspicious Script with Clipboard Retrieval Capabilities production
Elastic PowerShell Suspicious Script with Screenshot Capabilities production
Splunk Powershell Using memory As Backing Store production
Sigma PowerShell Web Access Installation - PsScript test
YARA-L PowerShell Web Download
Splunk PowerShell WebRequest Using Memory Stream production
Kusto PowerShell without powershell.exe
Sigma Powershell XML Execute Command test
Splunk PowerShell XML Retrieval (PowerShell)
Splunk PowerShell XML Retrieval (Sysmon)
Splunk PowerShell XML Retrieval (Windows Event Log)
Sigma PowerView PowerShell Cmdlets - ScriptBlock test
Splunk PowerView_SharpView Commands (PowerShell)
Elastic Process Activity via Compiled HTML File production
Elastic Proxy Execution via Console Window Host production
Sigma PSAsyncShell - Asynchronous TCP Reverse Shell test
Elastic Rare Powershell Script production
Sigma Raspberry Robin Initial Execution From External Drive test
Sigma Raspberry Robin Subsequent Execution of Commands test
Splunk Recon Using WMI Class production
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Elastic Remote File Download via PowerShell production
Sigma Remote LSASS Process Access Through Windows Remote Management stable
Sigma Remote PowerShell Session (PS Classic) test
Sigma Remote PowerShell Session (PS Module) test
Sigma Remote PowerShell Session Host Process (WinRM) test
Sigma Remote PowerShell Sessions Network Connections (WinRM) test
Sigma Remote Thread Creation Via PowerShell test
Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
Sigma Renamed Powershell Under Powershell Channel test
Sigma Rorschach Ransomware Execution Activity test
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic ScreenConnect Server Spawning Suspicious Processes production
Elastic Service Control Spawned via Script Interpreter production
Splunk Set Default PowerShell Execution Policy To Unrestricted or Bypass production
Sigma Silence.EDA Detection test
Sigma SQL Client Tools PowerShell Session Detection test
Elastic Suspicious .NET Reflection via PowerShell production
Elastic Suspicious Browser Child Process production
Sigma Suspicious CrushFTP Child Process experimental
Elastic Suspicious Emond Child Process production
Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test
Sigma Suspicious Encoded PowerShell Command Line test
Splunk Suspicious Executable by Powershell (EDR)
Splunk Suspicious Executable by Powershell (Sysmon)
Splunk Suspicious Executable by Powershell (Windows Event Log)
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Sigma Suspicious Execution of Powershell with Base64 test
Elastic Suspicious Explorer Child Process production
Sigma Suspicious File Execution From Internet Hosted WebDav Share test
Sigma Suspicious HH.EXE Execution test
Sigma Suspicious Interactive PowerShell as SYSTEM test
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Microsoft HTML Application Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious Portable Executable Encoded in Powershell Script production
Splunk Suspicious Powershell (PowerShell)
Splunk Suspicious PowerShell Clipboard Activity (PowerShell)
Splunk Suspicious PowerShell Clipboard Activity (Sysmon)
Splunk Suspicious PowerShell Clipboard Activity (Windows Event Log)
Sigma Suspicious PowerShell Download - PoshModule test
Sigma Suspicious PowerShell Download - Powershell Script test
Sigma Suspicious PowerShell Download and Execute Pattern test
Sigma Suspicious PowerShell Encoded Command Patterns test
Elastic Suspicious PowerShell Engine ImageLoad production
Sigma Suspicious PowerShell IEX Execution Patterns test
Sigma Suspicious PowerShell Invocation From Script Engines test
Sigma Suspicious PowerShell Invocations - Generic test
Sigma Suspicious PowerShell Invocations - Generic - PowerShell Module test
Sigma Suspicious PowerShell Invocations - Specific test
Sigma Suspicious PowerShell Invocations - Specific - PowerShell Module test
Sigma Suspicious PowerShell Parameter Substring test
Splunk Suspicious PowerShell Parameter Substring (PowerShell)
Splunk Suspicious PowerShell Parameter Substring (Sysmon)
Splunk Suspicious PowerShell Parameter Substring (Windows Event Log)
Sigma Suspicious PowerShell Parent Process test
Elastic Suspicious Powershell Script production
Sigma Suspicious PrinterPorts Creation (CVE-2020-1048) test
Elastic Suspicious React Server Child Process production
Sigma Suspicious Schtasks Execution AppData Folder test
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Shell Execution via Velociraptor production
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Elastic Suspicious Windows Powershell Arguments production
Sigma Suspicious WSMAN Provider Image Loads test
Sigma Suspicious XOR Encoded PowerShell Command test
Elastic Suspicious Zoom Child Process production
Elastic System Shells via Services production
Sigma TropicTrooper Campaign November 2018 stable
Sigma Turla Group Commands May 2020 test
Sigma UNC2452 PowerShell Pattern test
Sigma UNC2452 Process Creation Patterns test
Sigma Uncommon PowerShell Hosts test
Splunk Unloading AMSI via Reflection production
Sigma Unusually Long PowerShell CommandLine test
Sigma Usage Of Web Request Commands And Cmdlets test
Sigma Usage Of Web Request Commands And Cmdlets - ScriptBlock test
Elastic Veeam Backup Library Loaded by Unusual Process production
Sigma Vice Society directory crawling script for data exfiltration (via ps_script) stable
Elastic Volume Shadow Copy Deletion via PowerShell production
YARA-L W3WP Launching Encoded Powershell
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Splunk WebDAV LNK Execution (Sysmon)
Splunk WebDAV LNK Execution (Windows Event Log)
Splunk WebLogic CVE-2017-10271 (PowerShell)
Splunk WebLogic CVE-2017-10271 (Sysmon)
Splunk WebLogic CVE-2017-10271 (Windows Event Log)
Sigma WinAPI Function Calls Via PowerShell Scripts test
Sigma WinAPI Library Calls Via PowerShell Scripts test
Splunk Windows Account Access Removal via Logoff Exec production
Splunk Windows Cobalt Strike PowerShell Loader production
Splunk Windows Crowdstrike RTR Script Execution production
Splunk Windows Default Cobalt Strike PowerShell Beacon production
Elastic Windows Defender Exclusions Added via PowerShell production
Splunk Windows Enable PowerShell Web Access production
Splunk Windows Explorer LNK Exploit Process Launch With Padding production
Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
Splunk Windows File Download Via PowerShell production
Elastic Windows Firewall Disabled via PowerShell production
Splunk Windows MSExchange Management Mailbox Cmdlet Usage production
Splunk Windows Powershell Cryptography Namespace production
Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
Splunk Windows PowerShell Get CIMInstance Remote Computer production
Splunk Windows Powershell Import Applocker Policy production
Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
Splunk Windows PowerShell Invoke-Sqlcmd Execution production
Splunk Windows Powershell Logoff User via Quser production
Splunk Windows PowerShell Module File Created production
Splunk Windows PowerShell MSIX Package Installation production
Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
Splunk Windows PowerShell Process With Malicious String production
Splunk Windows Powershell RemoteSigned File production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows PowerShell Script Block With Malicious String production
Splunk Windows PowerShell Script From WindowsApps Directory production
Splunk Windows PowerShell Script TabExpansion Direct Call production
Splunk Windows PowerShell WMI Win32 ScheduledJob production
Splunk Windows PowGoop Beacon Decoding production
Elastic Windows Script Executing PowerShell production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Splunk Windows Shell Process from CrushFTP production
Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
Splunk Windows Software Discovery Via PowerShell production
Splunk Windows SSH Proxy Command production
Splunk Windows Suspicious React or Next.js Child Process production
Sigma WMImplant Hack Tool test

Command and Scripting Interpreter: AppleScript T1059.002 27 rules

Elastic Apple Script Execution followed by Network Connection production
Elastic Apple Scripting Execution with Administrator Privileges production
Sigma Atomic MacOS Stealer - FileGrabber Activity experimental
Sigma Axios NPM Compromise Indicators - macOS experimental
Sigma Clipboard Access Via OSAScript test
Elastic Creation of Hidden Login Item via Apple Script production
Panther CrowdStrike MacOS Osascript as Administrator
Elastic Execution via GitHub Actions Runner production
Elastic Execution via OpenClaw Agent production
Elastic Execution with Explicit Credentials via Scripting production
Elastic Google Calendar C2 via Script Interpreter production
Sigma JXA In-memory Execution Via OSAScript test
Splunk MacOS AMOS Stealer - Virtual Machine Check Activity production
Sigma MacOS Scripting Interpreter AppleScript test
Sigma Osacompile Execution By Potentially Suspicious Applet/Osascript test
Sigma OSACompile Run-Only Execution test
Elastic Potential Etherhiding C2 via Blockchain Connection production
Elastic Prompt for Credentials with Osascript production
Elastic Shell Execution via Apple Scripting production
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Elastic Suspicious Browser Child Process production
Elastic Suspicious Curl to Jamf Endpoint production
Elastic Suspicious Emond Child Process production
Sigma Suspicious Execution via macOS Script Editor test
Elastic Suspicious Installer Package Spawns Network Event production
Elastic Suspicious macOS MS Office Child Process production
Sigma Suspicious Microsoft Office Child Process - MacOS test

Command and Scripting Interpreter: Windows Command Shell T1059.003 148 rules

Sigma AppLocker Prevented Application or Script from Running test
Sigma AWS EC2 Startup Shell Script Change test
Sigma Axios NPM Compromise Indicators - Windows experimental
Elastic Binary Content Copy via Cmd.exe production building block
Splunk CMD Carry Out String Command Parameter production
Splunk CMD Echo Pipe - Escalation production
Splunk CMD execution with _c (PowerShell)
Splunk CMD execution with _c (Sysmon)
Splunk CMD execution with _c (Windows Event Log)
Elastic Command and Scripting Interpreter via Windows Scripts production
Elastic Command Execution via SolarWinds Process production
Splunk Command Line .cmd Execution (Sysmon)
Splunk Command Line .cmd Execution (Windows Event Log)
Sigma Command Line Execution with Suspicious URL and AppData Strings test
Elastic Command Shell Activity Started via RunDLL32 production
Splunk Command-Line Interface Execution (PowerShell)
Splunk Command-Line Interface Execution (Sysmon)
Splunk Command-Line Interface Execution (Windows Event Log)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Sigma Conhost.exe CommandLine Path Traversal test
Splunk CrushFTP Authentication Bypass Exploitation production
Elastic Delayed Execution via Ping production
Splunk Detect Prohibited Applications Spawning cmd exe production
Splunk Detect Use of cmd exe to Launch Script Interpreters production
Sigma DNS Query by Finger Utility experimental
Sigma Elise Backdoor Activity test
Sigma Encoded PowerShell payload deployed via process execution experimental
Kusto Exchange Worker Process Making Remote Call
Splunk Executable Create Script Process (PowerShell)
Splunk Executable Create Script Process (Sysmon)
Splunk Executable Create Script Process (Windows Event Log)
Kusto Execution attempts stateful anomaly on database available
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of a Downloaded Windows Script production
Elastic Execution via GitHub Actions Runner production
Elastic Execution via MS VisualStudio Pre/Post Build Events production building block
Elastic Execution via MSSQL xp_cmdshell Stored Procedure production
Elastic Execution via OpenClaw Agent production
Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - Jlaive In-Memory Assembly Execution test
Sigma HackTool - Koadic Execution test
Sigma HackTool - RedMimicry Winnti Playbook Execution test
Sigma Headless Process Launched Via Conhost.EXE test
Sigma HTML Help HH.EXE Suspicious Child Process test
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Metasploit reverse shell injection in SQL Server experimental
Splunk Meterpreter Reverse Shell (Windows Event Log)
Elastic Microsoft Build Engine Started by a Script Process production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
Sigma Network Connection Initiated via Finger.EXE experimental
Sigma OpenEDR Spawning Command Shell experimental
Sigma Operator Bloopers Cobalt Strike Commands test
Sigma Operator Bloopers Cobalt Strike Modules test
Splunk Output to File (PowerShell)
Splunk Output to File (Windows Event Log)
Sigma Potential APT FIN7 Exploitation Activity test
Sigma Potential Baby Shark Malware Activity test
Elastic Potential Command Shell via NetCat production
Sigma Potential CommandLine Path Traversal Via Cmd.EXE test
Elastic Potential Execution via FileFix Phishing Attack production
Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
Elastic Potential Fake CAPTCHA Phishing Attack production
Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
Elastic Potential SAP NetWeaver Exploitation production
Sigma Potential SAP NetWeaver Webshell Creation experimental
Sigma Potential SAP NetWeaver Webshell Creation - Linux experimental
Elastic Potential SharpRDP Behavior production
Splunk PowerShell Downgrade (PowerShell)
Splunk PowerShell Downgrade (Sysmon)
Splunk PowerShell Downgrade (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Execute Batch Script test
Sigma Powershell Executed From Headless ConHost Process test
Elastic Process Activity via Compiled HTML File production
Elastic Proxy Execution via Console Window Host production
Sigma PUA - AdvancedRun Execution test
Splunk Rare Process Execution (Sysmon)
Splunk Rare Process Execution (Windows Event Log)
Sigma Read Contents From Stdin Via Cmd.EXE test
Sigma Remote Access Tool - ScreenConnect Command Execution test
Sigma Remote Access Tool - ScreenConnect File Transfer test
Sigma Remote Access Tool - ScreenConnect Remote Command Execution test
Sigma Remote Access Tool - ScreenConnect Temporary File test
Splunk Remote Admin Tools (EDR)
Splunk Remote Admin Tools (PowerShell)
Splunk Remote Admin Tools (Sysmon)
Splunk Remote Admin Tools (Windows Event Log)
Sigma Rorschach Ransomware Execution Activity test
Splunk Ryuk Wake on LAN Command production
Elastic ScreenConnect Server Spawning Suspicious Processes production
Sigma Serial console process spawning CMD shell (via command) experimental
Elastic Service Control Spawned via Script Interpreter production
Splunk SharpHound Enumeration (Windows Event Log)
Sigma Sofacy Trojan Loader Activity test
Sigma Suspicious Child Process of SAP NetWeaver experimental
Sigma Suspicious Child Process of SAP NetWeaver - Linux experimental
Elastic Suspicious Cmd Execution via WMI production
Elastic Suspicious Command Prompt Network Connection production
Sigma Suspicious CrushFTP Child Process experimental
Splunk Suspicious Executable by Powershell (EDR)
Splunk Suspicious Executable by Powershell (Sysmon)
Splunk Suspicious Executable by Powershell (Windows Event Log)
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious HH.EXE Execution test
Sigma Suspicious HWP Sub Processes test
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Microsoft HTML Application Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
Elastic Suspicious React Server Child Process production
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Shell Execution via Velociraptor production
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
Elastic Suspicious Windows Command Shell Arguments production
Elastic Suspicious Zoom Child Process production
Elastic System Information Discovery via Windows Command Shell production building block
Elastic System Shells via Services production
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Splunk WebDAV LNK Execution (Sysmon)
Splunk WebDAV LNK Execution (Windows Event Log)
Splunk Windows Command Shell DCRat ForkBomb Payload production
Splunk Windows File Association Modification via Ftype production
Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
Splunk Windows Powershell History File Deletion production
Splunk Windows PowerShell Invoke-Sqlcmd Execution production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Splunk Windows Shell Process from CrushFTP production
Splunk Windows SQLCMD Execution production
Splunk Windows Suspicious React or Next.js Child Process production
Elastic Windows System Information Discovery production building block
Splunk Windows TinyCC Shellcode Execution production
Sigma ZxShell Malware test

Command and Scripting Interpreter: Unix Shell T1059.004 162 rules

Elastic Attempt to Install or Run Kali Linux via WSL production
Elastic AWS EC2 LOLBin Execution via SSM SendCommand production
Sigma AWS EC2 Startup Shell Script Change test
Elastic AWS SSM `SendCommand` with Run Shell Command Parameters production
Elastic AWS SSM Session Manager Child Process Execution production
Sigma Axios NPM Compromise Indicators - Linux experimental
Sigma Axios NPM Compromise Indicators - macOS experimental
Elastic Azure Run Command Script Child Process production
Elastic Base64 Decoded Payload Piped to Interpreter production
Elastic Boot File Copy production
Elastic BPF filter applied using TC production
Sigma BPFtrace Unsafe Option Usage test
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Elastic Cupsd or Foomatic-rip Shell Execution production
Elastic Curl Execution via Shell Profile production
Elastic Curl or Wget Egress Network Connection via LoLBin production
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Elastic Deprecated - Uncommon Destination Port Connection by Web Server production
Elastic Deprecated - Unusual Command Execution from Web Server Parent production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Elastic Direct Interactive Kubernetes API Request by Common Utilities production
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Elastic Direct Interactive Kubernetes API Request Detected via Defend for Containers production
Elastic Dracut Module Creation production
Elastic Dynamic Linker (ld.so) Creation production
Elastic Egress Connection from Entrypoint in Container production
Elastic Encoded Payload Detected via Defend for Containers production
Sigma Equation Group Indicators test
Elastic Execution via GitHub Actions Runner production
Elastic Execution via OpenClaw Agent production
Elastic Execution via Windows Subsystem for Linux production
Elastic Execution with Explicit Credentials via Scripting production
Elastic File Creation and Execution Detected via Defend for Containers production
Elastic File Creation by Cups or Foomatic-rip Child production
Elastic File Creation in /var/log via Suspicious Process production
Elastic File Creation, Execution and Self-Deletion in Suspicious Directory production
Elastic File Download Detected via Defend for Containers production
Elastic File Transfer or Listener Established via Netcat production
Elastic File Transfer Utility Launched from Unusual Parent production
Elastic First Time Python Spawned a Shell on Host production
Elastic Forbidden Direct Interactive Kubernetes API Request production
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Elastic GitHub Authentication Token Access via Node.js production
Elastic Host File System Changes via Windows Subsystem for Linux production
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Elastic Initramfs Unpacking via unmkinitramfs production
Sigma Interactive Bash Suspicious Children test
Elastic Interactive Exec Into Container Detected via Defend for Containers production
Elastic Interactive Shell Launched via Unusual Parent Process in a Container production
Elastic Interactive Shell Spawn Detected via Defend for Containers production
Elastic Interactive Terminal Spawned via Perl production
Elastic Interactive Terminal Spawned via Python production
Sigma JexBoss Command Sequence test
Elastic Kill Command Execution production
Elastic Kubernetes Direct API Request via Curl or Wget production
Splunk Linux Decode Base64 to Shell production
Splunk Linux Magic SysRq Key Abuse production
Elastic Linux Restricted Shell Breakout via Linux Binary(s) production
Sigma Linux Reverse Shell Indicator test
Splunk Linux Suspicious React or Next.js Child Process production
Splunk Linux Unix Shell Enable All SysRq Functions production
Splunk MacOS LOLbin production
Elastic Manual Dracut Execution production
Elastic Memory Swap Modification production
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Elastic Netcat File Transfer or Listener Detected via Defend for Containers production
Elastic Netcat Listener Established via rlwrap production
Elastic Network Connection by Cups or Foomatic-rip Child production
Elastic Network Connection from Binary with RWX Memory Region production
Elastic Network Connection via Recently Compiled Executable production
Elastic Network Connections Initiated Through XDG Autostart Entry production
Elastic NetworkManager Dispatcher Script Creation production
Elastic Node.js Pre or Post-Install Script Execution production
Sigma Nohup Execution test
Elastic Openssl Client or Server Activity production
Elastic Payload Execution via Shell Pipe Detected by Defend for Containers production
Elastic Pod or Container Creation with Suspicious Command-Line production
Sigma Potential Abuse of Linux Magic System Request Key experimental
Elastic Potential Code Execution via Postgresql production
Elastic Potential Direct Kubelet Access via Process Arguments production
Elastic Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
Elastic Potential Etherhiding C2 via Blockchain Connection production
Elastic Potential Execution via SSH Backdoor production
Elastic Potential Git CVE-2025-48384 Exploitation production
Elastic Potential Hex Payload Execution via Command-Line production
Elastic Potential Hex Payload Execution via Common Utility production
Elastic Potential JAVA/JNDI Exploitation Attempt production
Elastic Potential Kubeletctl Execution production
Elastic Potential Kubeletctl Execution Detected via Defend for Containers production
Elastic Potential Malware-Driven SSH Brute Force Attempt production
Elastic Potential Meterpreter Reverse Shell production
Elastic Potential Reverse Shell production
Elastic Potential Reverse Shell via Background Process production
Elastic Potential Reverse Shell via Child production
Elastic Potential Reverse Shell via Java production
Elastic Potential Reverse Shell via Suspicious Binary production
Elastic Potential Reverse Shell via Suspicious Child Process production
Elastic Potential Reverse Shell via UDP production
Elastic Potential SAP NetWeaver Exploitation production
Elastic Potential Shell via Wildcard Injection Detected production
Elastic Potential Upgrade of Non-interactive Shell production
Sigma Potentially Suspicious Long Filename Pattern - Linux experimental
Elastic Printer User (lp) Shell Execution production
Elastic Privileged Container Creation with Host Directory Mount production
Elastic Privileged Docker Container Creation production
Elastic Process Backgrounded by Unusual Parent production
Elastic Process Spawned from Message-of-the-Day (MOTD) production
Elastic Process Started with Executable Stack production
Elastic Proxy Shell Execution via Busybox production
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production
Sigma Script Interpreter Spawning Credential Scanner - Linux experimental
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Elastic Shell Execution via Apple Scripting production
Sigma Shell Invocation via Env Command - Linux test
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Sigma Suspicious Activity in Shell Commands test
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious Browser Child Process production
Sigma Suspicious Commands Linux test
Elastic Suspicious Content Extracted or Decompressed via Funzip production
Sigma Suspicious Download and Execute Pattern via Curl/Wget experimental
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Emond Child Process production
Elastic Suspicious Execution via Windows Subsystem for Linux production
Elastic Suspicious File Creation via Pkg Install Script production
Sigma Suspicious Filename with Embedded Base64 Commands experimental
Elastic Suspicious Installer Package Spawns Network Event production
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Splunk Suspicious Linux Discovery Commands production
Elastic Suspicious macOS MS Office Child Process production
Elastic Suspicious Mining Process Creation Event production
Elastic Suspicious Named Pipe Creation production
Elastic Suspicious Path Invocation from Command Line production
Elastic Suspicious Process Execution Detected via Defend for Containers production
Elastic Suspicious React Server Child Process production
Sigma Suspicious Reverse Shell Command Line test
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Elastic System Path File Creation and Execution Detected via Defend for Containers production
Elastic Systemd Shell Execution During Boot production
Elastic Unknown Execution of Binary with RWX Memory Region production
Elastic Unusual Base64 Encoding/Decoding Activity production
Elastic Unusual Child Execution via Web Server production
Elastic Unusual Command Execution via Web Server production
Elastic Unusual D-Bus Daemon Child Process production
Elastic Unusual Execution from Kernel Thread (kthreadd) Parent production
Elastic Unusual File Creation by Web Server production building block
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
Elastic Unusual Pkexec Execution production
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Windows Subsystem for Linux Distribution Installed production

Command and Scripting Interpreter: Visual Basic T1059.005 62 rules

Sigma Adwind RAT / JRAT test
Sigma Adwind RAT / JRAT File Artifact test
Sigma AppLocker Prevented Application or Script from Running test
Sigma Axios NPM Compromise Indicators - Windows experimental
Splunk Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI production
Splunk Cisco NVM - Susp Script From Archive Triggering Network Activity production
Elastic Command and Scripting Interpreter via Windows Scripts production
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Sigma Cscript/Wscript Uncommon Script Extension Execution test
Elastic Delayed Execution via Ping production
Splunk Executable Process from Suspicious Folder (PowerShell)
Splunk Executable Process from Suspicious Folder (Sysmon)
Splunk Executable Process from Suspicious Folder (Windows Event Log)
Splunk Execute Javascript With Jscript COM CLSID production
Elastic Execution of a Downloaded Windows Script production
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - Koadic Execution test
Sigma HackTool - NetExec File Indicators experimental
Sigma HTML Help HH.EXE Suspicious Child Process test
Elastic Microsoft Build Engine Started by a Script Process production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Management Console File from Unusual Path production
Sigma MMC Loading Script Engines DLLs experimental
Sigma Potential APT10 Cloud Hopper Activity test
Sigma Potential Dropper Script Execution Via WScript/CScript/MSHTA test
Sigma Potential QBot Activity stable
Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test
Sigma Potential Remote SquiblyTwo Technique Execution test
Sigma Registry Modification Attempt Via VBScript experimental
Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
Sigma Registry Tampering by Potentially Suspicious Processes experimental
Elastic Remote File Download via Script Interpreter production
Elastic Remote XSL Script Execution via COM production
Elastic Scheduled Task Created by a Windows Script production
Elastic Script Execution via Microsoft HTML Application production
Elastic Script Interpreter Connection to Non-Standard Port production
Kusto Script Interpreter Loading DotNet Assembly From Memory
Elastic Service Control Spawned via Script Interpreter production
Elastic Suspicious .NET Code Compilation production
Sigma Suspicious Child Process Of BgInfo.EXE test
Elastic Suspicious Explorer Child Process production
Sigma Suspicious HH.EXE Execution test
Splunk Suspicious Process DNS Query Known Abuse Web Services production
Splunk Suspicious Process With Discord DNS Query production
Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test
Elastic Suspicious ScreenConnect Client Child Process production
Sigma Suspicious Scripting in a WMI Consumer test
Sigma Uncommon Child Process Of BgInfo.EXE test
Splunk Vbscript Execution Using Wscript App production
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Splunk Windows Outlook Macro Created by Suspicious Process production
Elastic Windows Script Executing PowerShell production
Elastic Windows Script Execution from Archive production
Elastic Windows Script Interpreter Executing Process via WMI production
Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
Sigma WScript or CScript Dropper - File test
Splunk Wscript_Cscript Execution (PowerShell)
Splunk Wscript_Cscript Execution (Sysmon)
Splunk Wscript_Cscript Execution (Windows Event Log)
Sigma WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test
Sigma XSL Script Execution Via WMIC.EXE test

Command and Scripting Interpreter: Python T1059.006 54 rules

Sigma AppLocker Prevented Application or Script from Running test
Sigma Axios NPM Compromise Indicators - Linux experimental
Elastic Base64 Decoded Payload Piped to Interpreter production
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Elastic Deprecated - EggShell Backdoor Execution production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Sigma Emotet Loader Execution Via .LNK File test
Elastic Encoded Payload Detected via Defend for Containers production
Elastic Execution via GitHub Actions Runner production
Elastic Execution via OpenClaw Agent production
Elastic Execution with Explicit Credentials via Scripting production
Elastic First Time Python Spawned a Shell on Host production
Elastic Google Calendar C2 via Script Interpreter production
Elastic Interactive Terminal Spawned via Python production
Elastic Long Base64 Encoded Command via Scripting Interpreter production
Elastic Payload Execution via Shell Pipe Detected by Defend for Containers production
Elastic Perl Outbound Network Connection production
Sigma Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test
Elastic Potential Etherhiding C2 via Blockchain Connection production
Elastic Potential Hex Payload Execution via Common Utility production
Elastic Potential JAVA/JNDI Exploitation Attempt production
Elastic Potential Privilege Escalation via Python cap_setuid production
Elastic Potential Reverse Shell via Suspicious Child Process production
Elastic Potential Reverse Shell via UDP production
Elastic Potential SAP NetWeaver Exploitation production
Elastic Process Spawned from Message-of-the-Day (MOTD) production
Splunk Python Execution (Windows Event Log)
Sigma Python One-Liners with Base64 Decoding experimental
Sigma Python One-Liners with Base64 Decoding - Linux experimental
Sigma Python Path Configuration File Creation - Linux test
Sigma Python Path Configuration File Creation - MacOS test
Sigma Python Path Configuration File Creation - Windows test
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Elastic ROT Encoded Python Script Execution production
Elastic Script Interpreter Connection to Non-Standard Port production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Elastic Suspicious Browser Child Process production
Elastic Suspicious Curl to Jamf Endpoint production
Elastic Suspicious Emond Child Process production
Sigma Suspicious File Characteristics Due to Missing Fields test
Elastic Suspicious Installer Package Spawns Network Event production
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Elastic Suspicious macOS MS Office Child Process production
Elastic Suspicious Python Shell Command Execution production
Elastic Suspicious React Server Child Process production
Elastic Unusual Base64 Encoding/Decoding Activity production
Elastic Unusual Library Load via Python production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Spawned via Python production

Command and Scripting Interpreter: JavaScript T1059.007 70 rules

Sigma Adwind RAT / JRAT test
Sigma Adwind RAT / JRAT File Artifact test
Elastic Anomalous React Server Components Flight Data Patterns production building block
Sigma AppLocker Prevented Application or Script from Running test
Elastic Command and Scripting Interpreter via Windows Scripts production
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Sigma Cscript/Wscript Uncommon Script Extension Execution test
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Splunk Executable Process from Suspicious Folder (PowerShell)
Splunk Executable Process from Suspicious Folder (Sysmon)
Splunk Executable Process from Suspicious Folder (Windows Event Log)
Elastic Execution of a Downloaded Windows Script production
Elastic Execution via Electron Child Process Node.js Module production
Elastic Execution via GitHub Actions Runner production
Elastic Execution via OpenClaw Agent production
Elastic Google Calendar C2 via Script Interpreter production
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - Koadic Execution test
Sigma HTML Help HH.EXE Suspicious Child Process test
Splunk Jscript Execution Using Cscript App production
Sigma JXA In-memory Execution Via OSAScript test
Elastic Long Base64 Encoded Command via Scripting Interpreter production
Elastic Microsoft Build Engine Started by a Script Process production
Elastic Microsoft Management Console File from Unusual Path production
Splunk MS Scripting Process Loading Ldap Module production
Splunk MS Scripting Process Loading WMI Module production
Sigma MSHTA Execution with Suspicious File Extensions test
Sigma Node Process Executions test
Elastic Node.js Pre or Post-Install Script Execution production
Sigma NodeJS Execution of JavaScript File experimental
Sigma Potential Dropper Script Execution Via WScript/CScript/MSHTA test
Elastic Potential Etherhiding C2 via Blockchain Connection production
Sigma Potential In-Memory Download And Compile Of Payloads test
Elastic Potential JAVA/JNDI Exploitation Attempt production
Sigma Potential Remote SquiblyTwo Technique Execution test
Elastic Potential SAP NetWeaver Exploitation production
Elastic Potential SAP NetWeaver WebShell Creation production
Sigma Potentially Suspicious Inline JavaScript Execution via NodeJS Binary experimental
Elastic React2Shell (CVE-2025-55182) Exploitation Attempt production
Elastic React2Shell Network Security Alert production
Elastic Remote File Download via Script Interpreter production
Elastic Remote XSL Script Execution via COM production
Elastic Script Execution via Microsoft HTML Application production
Elastic Script Interpreter Connection to Non-Standard Port production
Kusto Script Interpreter Loading DotNet Assembly From Memory
Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
Elastic Suspicious .NET Code Compilation production
Elastic Suspicious Automator Workflows Execution production
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Elastic Suspicious Curl to Jamf Endpoint production
Sigma Suspicious Deno File Written from Remote Source experimental
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious Execution with NodeJS production
Sigma Suspicious HH.EXE Execution test
Sigma Suspicious Installer Package Child Process test
Elastic Suspicious Installer Package Spawns Network Event production
Elastic Suspicious JavaScript Execution via Deno production
Elastic Suspicious React Server Child Process production
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Splunk Windows Cmdline Tool Execution From Non-Shell Process production
Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
Elastic Windows Script Executing PowerShell production
Elastic Windows Script Execution from Archive production
Elastic Windows Script Interpreter Executing Process via WMI production
Sigma WScript or CScript Dropper - File test
Splunk Wscript_Cscript Execution (PowerShell)
Splunk Wscript_Cscript Execution (Sysmon)
Splunk Wscript_Cscript Execution (Windows Event Log)
Sigma WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test
Sigma XSL Script Execution Via WMIC.EXE test

Command and Scripting Interpreter: Cloud API T1059.009 6 rules

Elastic AWS CloudShell Environment Created production
Elastic AWS EC2 Stop, Start, and User Data Modification Correlation production
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production

Command and Scripting Interpreter: AutoHotKey & AutoIT T1059.010 1 rule

Elastic Renamed Automation Script Interpreter production

Command and Scripting Interpreter: Lua T1059.011 9 rules

Elastic Base64 Decoded Payload Piped to Interpreter production
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Elastic Potential Hex Payload Execution via Common Utility production
Elastic Potential Reverse Shell via UDP production
Elastic Process Spawned from Message-of-the-Day (MOTD) production
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Elastic Suspicious React Server Child Process production
Elastic Web Server Potential Command Injection Request production

Command and Scripting Interpreter: Hypervisor CLI T1059.012 9 rules

Sigma ESXi Account Creation Via ESXCLI test
Sigma ESXi Admin Permission Assigned To Account Via ESXCLI test
Sigma ESXi Network Configuration Discovery Via ESXCLI test
Sigma ESXi Storage Information Discovery Via ESXCLI test
Sigma ESXi Syslog Configuration Change Via ESXCLI test
Sigma ESXi System Information Discovery Via ESXCLI test
Sigma ESXi VM Kill Via ESXCLI test
Sigma ESXi VM List Discovery Via ESXCLI test
Sigma ESXi VSAN Information Discovery Via ESXCLI test

Command and Scripting Interpreter: Container CLI/API T1059.013 1 rule

Splunk Linux Docker Shell Execution production

Software Deployment Tools T1072 31 rules

Kusto Azure DevOps Pipeline Created and Deleted on the Same Day available
Kusto BTP - Malware detected in BAS dev space available
Splunk Detection of tools built by NirSoft experimental
Panther GitHub Artifact Download from Cross-Fork Workflow
Panther GitHub Cross-Fork Workflow Run
Panther GitHub Malicious Issue/Pages Content
Panther GitHub Malicious Pull Request Content
Panther GitHub pull_request_target Workflow on Self-Hosted Runner
Panther GitHub pull_request_target Workflow Usage
Panther GitHub pull_request_target Workflow with Checkout Action
Panther GitHub Workflow Contains Checkout Action
Panther GitHub Workflow Using Self-Hosted Runner
Panther Intune Create or Modify Client App
Panther Intune New Device Management Script
Splunk Microsoft Intune Device Health Scripts production
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Splunk Microsoft Intune Manual Device Management production
Splunk Microsoft Intune Mobile Apps experimental
Kusto New EXE deployed via Default Domain or Default Domain Controller Policies available
Kusto New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
Elastic New GitHub App Installed production
Sigma PDQ Deploy Remote Adminstartion Tool Execution test
Elastic Potential WSUS Abuse for Lateral Movement production
Sigma PUA - Radmin Viewer Utility Execution test
Splunk Radmin execution (EDR)
Splunk Radmin execution (Sysmon)
Splunk Radmin execution (Windows Event Log)
Sigma Restricted Software Access By SRP test
Sigma Suspicious Csi.exe Usage test
Elastic Suspicious Curl to Jamf Endpoint production
Elastic Tool Installation Detected via Defend for Containers production

Native API T1106 35 rules

Elastic Abnormal Process ID or Lock File Created production
Sigma BPFDoor Abnormal Process ID or Lock File Accessed test
Kusto Dataverse - Suspicious use of Web API available
Sigma HackTool - CobaltStrike BOF Injection Pattern test
Sigma HackTool - HandleKatz Duplicating LSASS Handle test
Sigma HackTool - RedMimicry Winnti Playbook Execution test
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Kusto LSASS Dumping using Debug Privileges
Elastic LSASS Process Access via Windows API production
Elastic Network Connection from Binary with RWX Memory Region production
Elastic Persistence via Hidden Run Key Detected production
Sigma Potential Binary Proxy Execution Via Cdb.EXE test
Elastic Potential Credential Access via LSASS Memory Dump production
Sigma Potential Direct Syscall of NtOpenProcess test
Elastic Potential Process Injection via PowerShell production
Sigma Potential WinAPI Calls Via CommandLine test
Sigma Potential WinAPI Calls Via PowerShell Scripts test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Kerberos Ticket Dump production
Elastic PowerShell Keylogging Script production
Elastic PowerShell PSReflect Script production
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic PowerShell Share Enumeration Script production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Elastic PowerShell Suspicious Script with Audio Capture Capabilities production
Kusto Process Injection From Untrusted Process
Sigma Suspicious Mshta.EXE Execution Patterns test
Elastic Suspicious Process Access via Direct System Call production
Elastic Suspicious SolarWinds Child Process production
Kusto Suspicious VM Instance Creation Activity Detected
Sigma Turla Group Named Pipes test
Elastic Unknown Execution of Binary with RWX Memory Region production
Sigma WinAPI Function Calls Via PowerShell Scripts test
Sigma WinAPI Library Calls Via PowerShell Scripts test

Trusted Developer Utilities Proxy Execution T1127 58 rules

Elastic Anomalous Linux Compiler Activity production
Sigma AspNetCompiler Execution test
Sigma C# IL Code Compilation Via Ilasm.EXE test
Splunk CDB Execution (Sysmon)
Splunk CDB Execution (Windows Event Log)
Kusto CyberArkEPM - MSBuild usage as LOLBin
Elastic Delayed Execution via Ping production
Sigma Detection of PowerShell Execution via Sqlps.exe test
Splunk ETW Registry Disabled production
Elastic Execution of Persistent Suspicious Program production
Elastic Execution via Microsoft DotNet ClickOnce Host production building block
Elastic Execution via MS VisualStudio Pre/Post Build Events production building block
Sigma JScript Compiler Execution test
Sigma Kavremover Dropped Binary LOLBIN Usage test
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Microsoft Build Engine Started by a Script Process production
Elastic Microsoft Build Engine Started by a System Process production
Elastic Microsoft Build Engine Started by an Office Application production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Build Engine Using an Alternate Name production
Sigma Microsoft Workflow Compiler Execution test
Elastic MsBuild Making Network Connections production
Splunk MSBuild Suspicious Spawned By Script Process production
Elastic Network Activity to a Suspicious Top Level Domain production
Sigma Node Process Executions test
Sigma Potential Arbitrary Code Execution Via Node.EXE test
Sigma Potential Binary Proxy Execution Via Cdb.EXE test
Elastic Potential Credential Access via Trusted Developer Utility production
Sigma Potential Mftrace.EXE Abuse test
Sigma Potentially Suspicious ASP.NET Compilation Via AspNetCompiler test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Injection by the Microsoft Build Engine production
Splunk Proxy Execution via Appcert (PowerShell)
Splunk Proxy Execution via Appcert (Sysmon)
Splunk Proxy Execution via Appcert (Windows Event Log)
Sigma Remote Thread Creation Ttdinject.exe Proxy test
Sigma Silenttrinity Stager Msbuild Activity test
Sigma SQL Client Tools PowerShell Session Detection test
Elastic Suspicious .NET Code Compilation production
Sigma Suspicious Child Process of AspNetCompiler test
Elastic Suspicious Execution from a Mounted Device production
Sigma Suspicious File Created by ArcSOC.exe experimental
Splunk Suspicious microsoft workflow compiler rename production
Splunk Suspicious microsoft workflow compiler usage production
Splunk Suspicious msbuild path production
Splunk Suspicious MSBuild Rename production
Splunk Suspicious MSBuild Spawn production
Sigma Suspicious Use of CSharp Interactive Console test
Kusto Trusted Developer Utilities Proxy Execution available
Splunk Unusual AppCert Child Process (Sysmon)
Splunk Unusual AppCert Child Process (Windows Event Log)
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Process Network Connection production
Sigma Use of Remote.exe test
Sigma Use of TTDInject.exe test
Sigma Use of VSIISExeLauncher.exe test
Sigma Use of Wfc.exe test

Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 22 rules

Elastic Delayed Execution via Ping production
Elastic Execution of Persistent Suspicious Program production
Elastic Execution via MS VisualStudio Pre/Post Build Events production building block
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Microsoft Build Engine Started by a Script Process production
Elastic Microsoft Build Engine Started by a System Process production
Elastic Microsoft Build Engine Started by an Office Application production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Build Engine Using an Alternate Name production
Elastic MsBuild Making Network Connections production
Splunk MSBuild Suspicious Spawned By Script Process production
Elastic Network Activity to a Suspicious Top Level Domain production
Elastic Potential Credential Access via Trusted Developer Utility production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Injection by the Microsoft Build Engine production
Sigma Silenttrinity Stager Msbuild Activity test
Elastic Suspicious Execution from a Mounted Device production
Splunk Suspicious msbuild path production
Splunk Suspicious MSBuild Rename production
Splunk Suspicious MSBuild Spawn production
Elastic Unusual Network Activity from a Windows System Binary production

Trusted Developer Utilities Proxy Execution: ClickOnce T1127.002 1 rule

Elastic Execution via Microsoft DotNet ClickOnce Host production building block

Shared Modules T1129 17 rules

Elastic Execution via local SxS Shared Module production
Elastic ImageLoad via Windows Update Auto Update Client production
Sigma Katz Stealer DLL Loaded experimental
YARA-L sap function module testing detected
YARA-L sap sensitive rfc function module execution
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution via Microsoft Office Add-Ins production
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Sigma Unsigned .node File Loaded experimental
Elastic Unsigned DLL loaded by DNS Service production
Elastic Unusual Library Load via Python production
Splunk Windows Executable in Loaded Modules production
Splunk Windows PowerShell Module File Created production
Splunk Windows PowerShell Script TabExpansion Direct Call production
Splunk Windows Remote Image Load production
Splunk Windows XLL File Creation Outside of Typical Location production
Elastic WPS Office Exploitation via DLL Hijack production

BITS Jobs T1197 35 rules

Sigma BITS Client BitsProxy DLL Loaded By Uncommon Process experimental
Splunk BITS Job Persistence production
Sigma BITS payload downloaded via commandline experimental
Sigma BITS payload downloaded via PowerShell experimental
Sigma BITS Transfer Job Download From Direct IP test
Sigma BITS Transfer Job Download From File Sharing Domains test
Sigma BITS Transfer Job Download To Potential Suspicious Folder test
Sigma BITS Transfer Job Downloading File Potential Suspicious Extension test
Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD test
Elastic Bitsadmin Activity production building block
Kusto Bitsadmin Activity available
Splunk BITSAdmin Download File production
Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
Sigma Bitsadmin to Uncommon IP Server Address test
Sigma Bitsadmin to Uncommon TLD test
Splunk Cisco NVM - Curl Execution With Insecure Flags production
Splunk Cisco NVM - Suspicious Download From File Sharing Website production
Sigma File Download Via Bitsadmin test
Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
Sigma File with high volume downloaded via BITS experimental
Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
Elastic Ingress Transfer via Windows BITS production
Sigma Monitoring For Persistence Via BITS test
Sigma New BITS Job Created Via Bitsadmin test
Sigma New BITS Job Created Via PowerShell test
Elastic Persistence via BITS Job Notify Cmdline production
Splunk PowerShell Start-BitsTransfer production
Sigma Suspicious Download From Direct IP Via Bitsadmin test
Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Elastic Unsigned BITS Service Client Process production building block

Exploitation for Client Execution T1203 106 rules

Splunk Abuse EQNEDT32.EXE (EDR)
Splunk Abuse EQNEDT32.EXE (Sysmon)
Splunk Abuse EQNEDT32.EXE (Windows Event Log)
Kusto AFD WAF - Code Injection available
Kusto AFD WAF - Path Traversal Attack available
Elastic Anomalous Windows Process Creation production
Kusto Antivirus Detected an Infected File available
Sigma Antivirus Exploitation Framework Detection stable
Kusto App Gateway WAF - Scanner Detection available
Kusto App Gateway WAF - XSS Detection available
Kusto App GW WAF - Code Injection available
Kusto App GW WAF - Path Traversal Attack available
Kusto Application Gateway WAF - XSS Detection
Sigma Audit CVE Event test
Panther AWS SSM Distributed Command Experimental
Panther AWS SSM Multiple Sessions
Kusto BitSight - compromised systems detected available
Kusto BitSight - diligence risk category detected available
Splunk Cisco Secure Firewall - Binary File Type Download production
Splunk Cisco Secure Firewall - Blocked Connection production
Splunk Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt production
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cisco Secure Firewall - Malware File Downloaded production
Splunk Cisco Secure Firewall - Possibly Compromised Host experimental
Splunk Cisco Secure Firewall - Repeated Blocked Connections production
Elastic Creation of SettingContent-ms Files production building block
Elastic Cupsd or Foomatic-rip Shell Execution production
Sigma CVE-2021-26858 Exchange Exploitation test
Sigma CVE-2021-31979 CVE-2021-33771 Exploits test
Sigma CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum test
Sigma CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process test
Panther Databricks Install Library on All Clusters Experimental
Kusto Detect CVE exploits on network for which a device is vulnerable
Kusto Detect port misuse by anomaly based detection (ASIM Network Session schema) available
Kusto Detect port misuse by static threshold (ASIM Network Session schema) available
Kusto Detect web requests to potentially harmful files (ASIM Web Session) available
Splunk Detect Windows DNS SIGRed via Splunk Stream experimental
Splunk Detect Windows DNS SIGRed via Zeek experimental
Sigma Dfsvc.EXE Initiated Network Connection Over Uncommon Port test
Sigma Dfsvc.EXE Network Connection To Non-Local IPs test
Sigma Download From Suspicious TLD - Blacklist test
Sigma Download From Suspicious TLD - Whitelist test
Sigma Droppers Exploiting CVE-2017-11882 stable
Elastic Execution of File Written or Modified by Microsoft Office production
Kusto Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 available
Elastic Exploit - Detected - Elastic Endgame production
Elastic Exploit - Prevented - Elastic Endgame production
Sigma Exploit for CVE-2017-0261 test
Sigma Exploit for CVE-2017-8759 test
Sigma Exploitation Activity of CVE-2025-59287 - WSUS Deserialization experimental
Sigma Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process experimental
Elastic File Creation by Cups or Foomatic-rip Child production
Kusto Front Door Premium WAF - XSS Detection available
Kusto GitHub Security Vulnerability in Repository
Sigma Java Running with Remote Debugging test
Kusto Malformed user agent
Elastic Network Connection by Cups or Foomatic-rip Child production
Sigma Network Connection Initiated By Eqnedt32.EXE test
Kusto New UserAgent observed in last 24 hours available
Sigma Office Application Initiated Network Connection To Non-Local IP test
Kusto Office Apps Launching Wscipt available
Sigma OMIGOD HTTP No Authentication RCE - CVE-2021-38647 stable
Sigma OMIGOD SCX RunAsProvider ExecuteScript test
Sigma OMIGOD SCX RunAsProvider ExecuteShellCommand test
Kusto PE file dropped in Color Profile Folder
Sigma Potential CVE-2021-26857 Exploitation Attempt stable
Elastic Potential CVE-2025-33053 Exploitation production
Sigma Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE experimental
Splunk Potential Follina_DogWalk Activity - mdst.exe (Sysmon)
Elastic Potential Foxmail Exploitation production
Elastic Potential Git CVE-2025-48384 Exploitation production
Elastic Potential JAVA/JNDI Exploitation Attempt production
Elastic Potential Notepad Markdown RCE Exploitation production
Elastic Potential SAP NetWeaver Exploitation production
Elastic Potential SAP NetWeaver WebShell Creation production
Elastic Potential Shell via Wildcard Injection Detected production
Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
Sigma Potentially Suspicious Child Process Of WinRAR.EXE test
Kusto Prestige ransomware IOCs Oct 2022
Elastic Printer User (lp) Shell Execution production
Elastic Segfault Detected production building block
Elastic Segfault from Sensitive Process Detected production
Sigma Shai-Hulud Malicious Bun Execution experimental
Sigma Shai-Hulud Malicious Bun Execution - Linux experimental
Splunk Sunburst Correlation DLL and Network Event experimental
Sigma Suspicious ArcSOC.exe Child Process experimental
Elastic Suspicious Browser Child Process production
Sigma Suspicious Browser Child Process - MacOS test
Elastic Suspicious Communication App Child Process production
Sigma Suspicious Download and Execute Pattern via Curl/Wget experimental
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Sigma Suspicious HWP Sub Processes test
Sigma Suspicious Invocation of Shell via Rsync experimental
Elastic Suspicious macOS MS Office Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious Outlook Child Process production building block
Elastic Suspicious PDF Reader Child Process production
Splunk Suspicious process Spawned by Java (Windows Event Log)
Sigma Suspicious Spool Service Child Process test
Elastic Suspicious Zoom Child Process production
Elastic Unusual Executable File Creation by a System Critical Process production
Kusto Vulnerable Machines related to log4j CVE-2021-44228 available
Kusto Vulnerable Machines related to OMIGOD CVE-2021-38647
Splunk Windows MSC EvilTwin Directory Path Manipulation production
Splunk Windows Remote Image Load production
Elastic WPS Office Exploitation via DLL Hijack production

User Execution T1204 266 rules

Splunk 3CXDesktopApp.exe Execution (EDR)
Splunk 3CXDesktopApp.exe Execution (Sysmon)
Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
Kusto Acronis - Multiple Endpoints Accessing Malicious URLs
Elastic Anomalous Process For a Windows Population production
Elastic Anomalous Windows Process Creation production
Sigma Antivirus Hacktool Detection stable
Sigma AppLocker Prevented Application or Script from Running test
Panther AppOmni Alert Passthrough
Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms test
Splunk ASL AWS ECR Container Upload Outside Business Hours production
Splunk ASL AWS ECR Container Upload Unknown User production
Kusto Audit policy manipulation using auditpol utility
Panther AWS command executed on the command line
Panther AWS EC2 Image Monitoring
Splunk AWS ECR Container Scanning Findings High production
Splunk AWS ECR Container Scanning Findings Low Informational Unknown production
Splunk AWS ECR Container Scanning Findings Medium production
Splunk AWS ECR Container Upload Outside Business Hours production
Splunk AWS ECR Container Upload Unknown User production
YARA-L AWS GuardDuty Malicious Or Suspicious File Executed
Splunk AWS Lambda UpdateFunctionCode production
YARA-L AWS Successful API From Tor Exit Node
Kusto AWSCloudTrail - Successful API executed from a Tor exit node available
Elastic Base64 Decoded Payload Piped to Interpreter production
Splunk Batch File Write to System32 production
Splunk Cisco Isovalent - Non Allowlisted Image Use production
Splunk Cisco Isovalent - Pods Running Offensive Tools production
Splunk Cisco NVM - Susp Script From Archive Triggering Network Activity production
Kusto Cisco SE - Dropper activity on host available
Kusto Cisco SE - Generic IOC available
Kusto Cisco SE - Malware execusion on host available
Kusto Cisco SE High Events Last Hour available
Splunk Cisco Secure Firewall - Lumma Stealer Activity production
Splunk Clop Common Exec Parameter production
Sigma CLR DLL Loaded Via Office Applications test
Splunk Command Line Spawned by Archive Utility - Windows (Sysmon)
Splunk Command Line Spawned by Archive Utility - Windows (Windows Event Log)
Splunk Conti Common Exec parameter production
Elastic Creation of SettingContent-ms Files production building block
Kusto Critical Severity Detection available
Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (EDR)
Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Sysmon)
Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Windows Event Log)
Kusto CyberArkEPM - Attack attempt not blocked
Kusto CyberArkEPM - Multiple attack types
Kusto CyberArkEPM - Possible execution of Powershell Empire
Kusto CyberArkEPM - Process started from different locations
Kusto CyberArkEPM - Renamed Windows binary
Kusto CyberArkEPM - Uncommon process Internet access
Kusto CyberArkEPM - Uncommon Windows process started from System folder
Kusto CyberArkEPM - Unexpected executable extension
Kusto CyberArkEPM - Unexpected executable location
Sigma DarkSide Ransomware Pattern test
Kusto Dataverse - Malware found in SharePoint document management site available
Kusto Dataverse - TI map URL to DataverseActivity available
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Kusto Detect .NET runtime being loaded in JScript for code execution available
Kusto Detect Malicious Teams Message
Splunk Detect Rare Executables production
Sigma DotNET Assembly DLL Loaded Via Office Application test
Sigma Download From Suspicious TLD - Blacklist test
Sigma Download From Suspicious TLD - Whitelist test
Elastic Downloaded Shortcut Files production
Elastic Downloaded URL Files production
Splunk Drop IcedID License dat production
Sigma Droppers Exploiting CVE-2017-11882 stable
Sigma Edge abuse for payload download via console experimental
Sigma Edge/Chrome headless feature abuse for payload download experimental
Kusto Egress Defend - Dangerous Attachment Detected available
Kusto Egress Defend - Dangerous Link Click available
Elastic Elastic Defend Alert Followed by Telemetry Loss production
Elastic Encoded Payload Detected via Defend for Containers production
Elastic Executable File Creation with Multiple Extensions production
Elastic Executable File Download via Wget production
Splunk Executable Process from Suspicious Folder (PowerShell)
Splunk Executable Process from Suspicious Folder (Sysmon)
Splunk Executable Process from Suspicious Folder (Windows Event Log)
Elastic Execution of a Downloaded Windows Script production
Elastic Execution of File Written or Modified by Microsoft Office production
Sigma Exploit for CVE-2017-0261 test
Sigma Exploit for CVE-2017-8759 test
Splunk Explorer Child Process with Suspicious Command Line Padding (Sysmon)
Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
Elastic File with Suspicious Extension Downloaded production building block
Sigma File With Uncommon Extension Created By An Office Application test
Sigma FileFix - Command Evidence in TypedPaths experimental
Sigma Flash Player Update from Suspicious Location test
Sigma GAC DLL Loaded Via Office Applications test
Elastic Gatekeeper Override and Execution production
YARA-L GCP Successful API Call From Tor Exit Node
YARA-L Google Workspace Malicious File Downloaded
Elastic Google Workspace Object Copied to External Drive with App Consent production
Sigma HackTool - LittleCorporal Generated Maldoc Injection test
YARA-L High Risk User Download Executable From Macro
Kusto High severity malicious activity detected available
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Kusto Insider Risk_High User Security Alert Correlations
Kusto Insider Risk_High User Security Incidents Correlation
Kusto Insider Risk_Microsoft Purview Insider Risk Management Alert Observed
Kusto Insider Risk_Risky User Access By Application
Splunk ISO File in Temp Folder (Windows Event Log)
Splunk ISO Image Mounted - Windows (PowerShell)
Splunk ISO Image Mounted - Windows (Windows Event Log)
Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
Kusto KnowBe4 Defend - Dangerous Attachment Detected available
Kusto KnowBe4 Defend - Dangerous Link Click available
Kusto Known Malware Detected available
Splunk Kubernetes Anomalous Inbound Network Activity from Process experimental
Splunk Kubernetes Anomalous Inbound Outbound Network IO experimental
Splunk Kubernetes Anomalous Inbound to Outbound Network IO Ratio experimental
Splunk Kubernetes Anomalous Outbound Network Activity from Process experimental
Splunk Kubernetes Anomalous Traffic on Network Edge experimental
Splunk Kubernetes Create or Update Privileged Pod production
Splunk Kubernetes DaemonSet Deployed production
Splunk Kubernetes Falco Shell Spawned production
Splunk Kubernetes newly seen TCP edge experimental
Splunk Kubernetes newly seen UDP edge experimental
Splunk Kubernetes Node Port Creation production
Splunk Kubernetes Pod Created in Default Namespace production
Splunk Kubernetes Pod With Host Network Attachment production
Splunk Kubernetes Previously Unseen Container Image Name experimental
Splunk Kubernetes Previously Unseen Process experimental
Splunk Kubernetes Process Running From New Path experimental
Splunk Kubernetes Process with Anomalous Resource Utilisation experimental
Splunk Kubernetes Process with Resource Ratio Anomalies experimental
Splunk Kubernetes Shell Running on Worker Node experimental
Splunk Kubernetes Shell Running on Worker Node with CPU Activity experimental
Splunk Kubernetes Unauthorized Access production
Elastic M365 AIR Investigation Signal production building block
Elastic M365 Threat Intelligence Signal production building block
Sigma macOS Gatekeeper User Override experimental
Sigma macOS XProtect Malware Detection experimental
Panther Malicious Content Detected
Splunk Malicious Document Execution (Sysmon)
Splunk Malicious Document Execution (Windows Event Log)
Elastic Malicious File - Detected - Elastic Defend production
Elastic Malicious File - Prevented - Elastic Defend production
Kusto Malware Detected available
Elastic Masquerading Space After Filename production
Kusto Medium severity malicious activity detected available
Elastic Microsoft Build Engine Started by an Office Application production
Kusto Microsoft COVID-19 file hash indicator matches available
Splunk Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (EDR)
Splunk Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Sysmon)
Splunk Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Windows Event Log)
Sigma Microsoft Excel Add-In Loaded test
Sigma Microsoft Excel Add-In Loaded From Uncommon Location test
Elastic Microsoft Management Console File from Unusual Path production
Sigma Microsoft VBA For Outlook Addin Loaded Via Outlook test
Sigma Microsoft Word Add-In Loaded test
Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
Elastic MS Office Macro Security Registry Modifications production
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Kusto Netskope - WebTransaction Error Detection available
Elastic Network Connection via Compiled HTML File production
Kusto Network endpoint to host executable correlation available
Elastic Network Traffic to Rare Destination Country production
Sigma New Application in AppCompat test
Elastic Node.js Pre or Post-Install Script Execution production
Splunk O365 SharePoint Malware Detection production
Splunk O365 Threat Intelligence Suspicious File Detected production
Splunk Office Spawns Suspicious Child Process (Sysmon)
Splunk Office Spawns Suspicious Child Process (Windows Event Log)
Sigma Payload Decoded and Decrypted via Built-in Utilities test
Sigma Potential ClickFix Execution Pattern - Registry experimental
Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon)
Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log)
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Fake CAPTCHA Phishing Attack production
Elastic Potential Hex Payload Execution via Command-Line production
Elastic Potential Hex Payload Execution via Common Utility production
Elastic Potential Masquerading as Business App Installer production
Sigma Potential Maze Ransomware Activity test
Elastic Potential Notepad Markdown RCE Exploitation production
Sigma Potential Snatch Ransomware Activity stable
Sigma Potential Suspicious Browser Launch From Document Reader Process test
Elastic Potential Widespread Malware Infection Across Multiple Hosts production
Sigma Potentially Suspicious WebDAV LNK Execution test
Sigma PrinterNightmare Mimikatz Driver Name test
Elastic Process Activity via Compiled HTML File production
Splunk Process Executed from Downloads Folder - Windows (Sysmon)
Splunk Process Executed from Downloads Folder - Windows (Windows Event Log)
Panther Proofpoint Active Threat Campaign Detected Experimental
Panther Proofpoint Malware Detected Experimental
Panther Proofpoint Multiple Threats Detected Experimental
Panther Proofpoint Virus Detected Experimental
Splunk Rare executable from Microsoft Office (Sysmon)
Splunk Rare executable from Microsoft Office (Windows Event Log)
Splunk Rare Process Execution (Sysmon)
Splunk Rare Process Execution (Windows Event Log)
Elastic Remote Desktop File Opened from Suspicious Path production
Sigma Remote DLL Load Via Rundll32.EXE test
Splunk Revil Common Exec Parameter production
Splunk Risk Rule for Dev Sec Ops by Repository production
Splunk Single Letter Process On Endpoint production
Kusto SonicWall - Capture ATP Malicious File Detection experimental
Elastic Spike in host-based traffic production
Sigma Successful MSIX/AppX Package Installation experimental
Elastic Suspicious Apple Mail Rule Plist Modification production
Sigma Suspicious Binaries and Scripts in Public Folder experimental
Sigma Suspicious Binary In User Directory Spawned From Office Application test
Sigma Suspicious ClickFix/FileFix Execution Pattern experimental
Sigma Suspicious Deno File Written from Remote Source experimental
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from a WebDav Share production
Elastic Suspicious Execution from INET Cache production
Elastic Suspicious Execution from VS Code Extension production
Sigma Suspicious Execution via macOS Script Editor test
Elastic Suspicious Execution via Microsoft Office Add-Ins production
Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
Sigma Suspicious FileFix Execution Pattern experimental
Elastic Suspicious HTML File Creation production
Sigma Suspicious LNK Command-Line Padding with Whitespace Characters experimental
Elastic Suspicious macOS MS Office Child Process production
Sigma Suspicious Microsoft Office Child Process test
Sigma Suspicious Microsoft Office Child Process - MacOS test
Elastic Suspicious MS Outlook Child Process production
Kusto Suspicious office child process created
Sigma Suspicious Outlook Child Process test
Elastic Suspicious PDF Reader Child Process production
Splunk Suspicious Process Executed From Container File production
Kusto Suspicious Process Injection from Office application available
Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
Sigma Suspicious Startup Folder Persistence test
Elastic Suspicious Troubleshooting Pack Cabinet Execution production building block
Sigma Suspicious WMIC Execution Via Office Process test
Sigma Suspicious WmiPrvSE Child Process test
Splunk Symbolic OR Hard File Link Created (PowerShell)
Splunk Symbolic OR Hard File Link Created (Windows Event Log)
Sigma Symlink Etc Passwd test
Kusto Threats detected by Eset available
Kusto Threats detected by ESET
Elastic Unusual Base64 Encoding/Decoding Activity production
Elastic Unusual Execution via Microsoft Common Console File production
Elastic Unusual Windows Path Activity production
Sigma Ursnif Malware C2 URL Pattern stable
Sigma VBA DLL Loaded Via Office Application test
Kusto VTI - High Severity SHA1 Collision Detection
Splunk WebDAV LNK Execution (Sysmon)
Splunk WebDAV LNK Execution (Windows Event Log)
Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
Sigma Windows AppX Deployment Full Trust Package Installation experimental
Splunk Windows AppX Deployment Full Trust Package Installation production
Splunk Windows AppX Deployment Package Installation Success production
Sigma Windows AppX Deployment Unsigned Package Installation experimental
Splunk Windows AppX Deployment Unsigned Package Installation production
Splunk Windows Binary Execution from an Archive experimental
Splunk Windows Default Cobalt Strike PowerShell Beacon production
Splunk Windows Developer-Signed MSIX Package Installation production
Splunk Windows EFI Volume Mount Attempt Via Mountvol production
Splunk Windows Explorer LNK Exploit Process Launch With Padding production
Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
Splunk Windows ISO LNK File Creation production
Splunk Windows MSIX Package Interaction production
Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
Splunk Windows Mustang Panda USB Tool Execution production
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
Splunk Windows PowerShell Script From WindowsApps Directory production
Elastic Windows Script Execution from Archive production
Splunk Windows Suspect Process With Authentication Traffic production
Splunk Windows Suspicious QEMU Execution production
Splunk Windows Universal Data Link File Creation production
Splunk Windows User Execution Malicious URL Shortcut File production

User Execution: Malicious Link T1204.001 16 rules

Kusto Acronis - Multiple Endpoints Accessing Malicious URLs
Kusto Detect Malicious Teams Message
Elastic Google Workspace Object Copied to External Drive with App Consent production
Panther Gsuite Link Clicked in Spam Email
Elastic M365 Threat Intelligence Signal production building block
Splunk Malicious Document Execution (Sysmon)
Splunk Malicious Document Execution (Windows Event Log)
Elastic Network Traffic to Rare Destination Country production
Sigma Potential ClickFix Execution Pattern - Registry experimental
Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon)
Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log)
Sigma Suspicious ClickFix/FileFix Execution Pattern experimental
Sigma Suspicious Execution via macOS Script Editor test
Sigma Symlink Etc Passwd test
Splunk Windows ISO LNK File Creation production
Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production

User Execution: Malicious File T1204.002 145 rules

Splunk 3CXDesktopApp.exe Execution (EDR)
Splunk 3CXDesktopApp.exe Execution (Sysmon)
Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
Elastic Anomalous Process For a Windows Population production
Elastic Anomalous Windows Process Creation production
Sigma AppLocker Prevented Application or Script from Running test
YARA-L AWS GuardDuty Malicious Or Suspicious File Executed
Elastic Base64 Decoded Payload Piped to Interpreter production
Splunk Batch File Write to System32 production
Splunk Cisco NVM - Susp Script From Archive Triggering Network Activity production
Kusto Cisco SE - Dropper activity on host available
Kusto Cisco SE - Generic IOC available
Kusto Cisco SE - Malware execusion on host available
Kusto Cisco SE High Events Last Hour available
Sigma CLR DLL Loaded Via Office Applications test
Splunk Command Line Spawned by Archive Utility - Windows (Sysmon)
Splunk Command Line Spawned by Archive Utility - Windows (Windows Event Log)
Elastic Creation of SettingContent-ms Files production building block
Kusto Critical Severity Detection available
Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (EDR)
Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Sysmon)
Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Windows Event Log)
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Sigma DotNET Assembly DLL Loaded Via Office Application test
Sigma Download From Suspicious TLD - Blacklist test
Sigma Download From Suspicious TLD - Whitelist test
Elastic Downloaded Shortcut Files production
Elastic Downloaded URL Files production
Splunk Drop IcedID License dat production
Sigma Droppers Exploiting CVE-2017-11882 stable
Elastic Elastic Defend Alert Followed by Telemetry Loss production
Elastic Encoded Payload Detected via Defend for Containers production
Elastic Executable File Creation with Multiple Extensions production
Elastic Executable File Download via Wget production
Elastic Execution of a Downloaded Windows Script production
Elastic Execution of File Written or Modified by Microsoft Office production
Sigma Exploit for CVE-2017-0261 test
Sigma Exploit for CVE-2017-8759 test
Splunk Explorer Child Process with Suspicious Command Line Padding (Sysmon)
Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
Elastic File with Suspicious Extension Downloaded production building block
Sigma File With Uncommon Extension Created By An Office Application test
Sigma Flash Player Update from Suspicious Location test
Sigma GAC DLL Loaded Via Office Applications test
Elastic Gatekeeper Override and Execution production
YARA-L Google Workspace Malicious File Downloaded
Panther Gsuite Attachments Downloaded from Spam Email
Sigma HackTool - LittleCorporal Generated Maldoc Injection test
YARA-L High Risk User Download Executable From Macro
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Splunk ISO File in Temp Folder (Windows Event Log)
Splunk ISO Image Mounted - Windows (PowerShell)
Splunk ISO Image Mounted - Windows (Windows Event Log)
Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
Elastic M365 Threat Intelligence Signal production building block
Splunk Malicious Document Execution (Sysmon)
Splunk Malicious Document Execution (Windows Event Log)
Elastic Malicious File - Detected - Elastic Defend production
Elastic Malicious File - Prevented - Elastic Defend production
Kusto Malware Detected available
Panther Malware Detected in Email
Elastic Masquerading Space After Filename production
Elastic Microsoft Build Engine Started by an Office Application production
Kusto Microsoft COVID-19 file hash indicator matches available
Sigma Microsoft Excel Add-In Loaded test
Sigma Microsoft Excel Add-In Loaded From Uncommon Location test
Elastic Microsoft Management Console File from Unusual Path production
Sigma Microsoft VBA For Outlook Addin Loaded Via Outlook test
Sigma Microsoft Word Add-In Loaded test
Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
Elastic MS Office Macro Security Registry Modifications production
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Elastic Network Connection via Compiled HTML File production
Elastic Network Traffic to Rare Destination Country production
Sigma New Application in AppCompat test
Splunk O365 SharePoint Malware Detection production
Splunk O365 Threat Intelligence Suspicious File Detected production
Splunk Office Spawns Suspicious Child Process (Sysmon)
Splunk Office Spawns Suspicious Child Process (Windows Event Log)
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Hex Payload Execution via Command-Line production
Elastic Potential Hex Payload Execution via Common Utility production
Elastic Potential Masquerading as Business App Installer production
Sigma Potential Maze Ransomware Activity test
Elastic Potential Notepad Markdown RCE Exploitation production
Sigma Potential Suspicious Browser Launch From Document Reader Process test
Elastic Potential Widespread Malware Infection Across Multiple Hosts production
Elastic Process Activity via Compiled HTML File production
Splunk Rare executable from Microsoft Office (Sysmon)
Splunk Rare executable from Microsoft Office (Windows Event Log)
Splunk Rare Process Execution (Sysmon)
Splunk Rare Process Execution (Windows Event Log)
Elastic Remote Desktop File Opened from Suspicious Path production
Sigma Remote DLL Load Via Rundll32.EXE test
Splunk Single Letter Process On Endpoint production
Panther Slack Potentially Malicious File Shared
Sigma Successful MSIX/AppX Package Installation experimental
Sigma Suspicious Binary In User Directory Spawned From Office Application test
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from a WebDav Share production
Elastic Suspicious Execution from INET Cache production
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious Execution via Microsoft Office Add-Ins production
Elastic Suspicious HTML File Creation production
Sigma Suspicious LNK Command-Line Padding with Whitespace Characters experimental
Elastic Suspicious macOS MS Office Child Process production
Sigma Suspicious Microsoft Office Child Process test
Sigma Suspicious Microsoft Office Child Process - MacOS test
Elastic Suspicious MS Outlook Child Process production
Sigma Suspicious Outlook Child Process test
Elastic Suspicious PDF Reader Child Process production
Splunk Suspicious Process Executed From Container File production
Sigma Suspicious Startup Folder Persistence test
Elastic Suspicious Troubleshooting Pack Cabinet Execution production building block
Sigma Suspicious WMIC Execution Via Office Process test
Sigma Suspicious WmiPrvSE Child Process test
Splunk Symbolic OR Hard File Link Created (PowerShell)
Splunk Symbolic OR Hard File Link Created (Windows Event Log)
Elastic Unusual Base64 Encoding/Decoding Activity production
Elastic Unusual Execution via Microsoft Common Console File production
Elastic Unusual Windows Path Activity production
Sigma Ursnif Malware C2 URL Pattern stable
Sigma VBA DLL Loaded Via Office Application test
Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
Sigma Windows AppX Deployment Full Trust Package Installation experimental
Splunk Windows AppX Deployment Full Trust Package Installation production
Splunk Windows AppX Deployment Package Installation Success production
Sigma Windows AppX Deployment Unsigned Package Installation experimental
Splunk Windows AppX Deployment Unsigned Package Installation production
Splunk Windows Binary Execution from an Archive experimental
Splunk Windows Default Cobalt Strike PowerShell Beacon production
Splunk Windows Developer-Signed MSIX Package Installation production
Splunk Windows EFI Volume Mount Attempt Via Mountvol production
Splunk Windows Explorer LNK Exploit Process Launch With Padding production
Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
Splunk Windows MSIX Package Interaction production
Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
Splunk Windows Mustang Panda USB Tool Execution production
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows PowerShell Script From WindowsApps Directory production
Elastic Windows Script Execution from Archive production
Splunk Windows Suspect Process With Authentication Traffic production
Splunk Windows Suspicious QEMU Execution production
Splunk Windows Universal Data Link File Creation production
Splunk Windows User Execution Malicious URL Shortcut File production

User Execution: Malicious Image T1204.003 10 rules

Splunk ASL AWS ECR Container Upload Outside Business Hours production
Splunk ASL AWS ECR Container Upload Unknown User production
Splunk AWS ECR Container Scanning Findings High production
Splunk AWS ECR Container Scanning Findings Low Informational Unknown production
Splunk AWS ECR Container Scanning Findings Medium production
Splunk AWS ECR Container Upload Outside Business Hours production
Splunk AWS ECR Container Upload Unknown User production
Splunk Cisco Isovalent - Non Allowlisted Image Use production
Splunk Cisco Isovalent - Pods Running Offensive Tools production
Splunk Risk Rule for Dev Sec Ops by Repository production

User Execution: Malicious Copy and Paste T1204.004 8 rules

Sigma FileFix - Command Evidence in TypedPaths experimental
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Fake CAPTCHA Phishing Attack production
Sigma Suspicious ClickFix/FileFix Execution Pattern experimental
Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
Sigma Suspicious FileFix Execution Pattern experimental
Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental

User Execution: Malicious Library T1204.005 1 rule

Elastic Node.js Pre or Post-Install Script Execution production

Inter-Process Communication T1559 31 rules

Kusto Azure DevOps Personal Access Token (PAT) misuse available
Sigma CMSTP Execution Process Access stable
Sigma Connection to Suspicious XPC Service experimental
Sigma Dllhost.EXE Initiated Network Connection To Non-Local IP Address test
Sigma DNS Query Request By Regsvr32.EXE test
Sigma Enable Microsoft Dynamic Data Exchange test
Elastic Execution of COM object via Xwizard production
Elastic Incoming DCOM Lateral Movement via MSHTA production
Elastic Incoming DCOM Lateral Movement with MMC production
Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
Sigma macOS XPC Service Abuse experimental
Sigma Network Connection Initiated By Regsvr32.EXE test
Elastic Potential Command and Control via Internet Explorer production
Splunk Process Writing DynamicWrapperX production
Elastic Remote XSL Script Execution via COM production
Elastic Suspicious Explorer Child Process production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Elastic Suspicious Inter-Process Communication via Outlook production
Kusto Suspicious named pipes available
Sigma Trickbot Malware Activity stable
Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
Elastic Unix Socket Connection production
Elastic Unusual D-Bus Daemon Child Process production
Splunk Windows Anonymous Pipe Activity production
Splunk Windows PUA Named Pipe production
Splunk Windows RMM Named Pipe production
Splunk Windows Suspicious C2 Named Pipe production
Splunk Windows Suspicious Named Pipe production
Sigma XPC Connection from Unusual Location experimental

Inter-Process Communication: Component Object Model T1559.001 17 rules

Sigma CMSTP Execution Process Access stable
Sigma Dllhost.EXE Initiated Network Connection To Non-Local IP Address test
Sigma DNS Query Request By Regsvr32.EXE test
Elastic Execution of COM object via Xwizard production
Elastic Incoming DCOM Lateral Movement via MSHTA production
Elastic Incoming DCOM Lateral Movement with MMC production
Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
Sigma Network Connection Initiated By Regsvr32.EXE test
Elastic Potential Command and Control via Internet Explorer production
Splunk Process Writing DynamicWrapperX production
Elastic Remote XSL Script Execution via COM production
Elastic Suspicious Explorer Child Process production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Elastic Suspicious Inter-Process Communication via Outlook production
Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production

Inter-Process Communication: Dynamic Data Exchange T1559.002 1 rule

Sigma Enable Microsoft Dynamic Data Exchange test

System Services T1569 102 rules

Kusto Azure DevOps Pipeline modified by a new user available
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma CosmicDuke Service Installation test
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Sigma CSExec Service File Creation test
Sigma CSExec Service Installation test
Sigma CVE-2021-1675 Print Spooler Exploitation test
Sigma CVE-2021-1675 Print Spooler Exploitation IPC Access test
Kusto Dataverse - Anomalous application user activity available
Splunk Detect Renamed PSExec production
Kusto Dev-0228 File Path Hashes November 2021
Kusto Dev-0228 File Path Hashes November 2021 (ASIM Version)
Sigma DNS Events Related To Mining Pools test
Sigma DNS RCE CVE-2020-1350 test
Splunk Excessive Usage Of SC Service Utility production
Elastic Execution of an Unsigned Service production building block
Splunk First Time Seen Running Windows Service experimental
Sigma HackTool - SharpUp PrivEsc Tool Execution test
Sigma HackTool Service Registration or Execution test
Splunk Impacket PSexec (Windows Event Log)
Splunk Impacket SMBexec (Windows Event Log)
Sigma KrbRelayUp service installation (native) experimental
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Splunk Linux Auditd Service Started production
Splunk Malicious Powershell Executed As A Service production
Sigma Massive remote service creation via named pipes (TChopper, CME) experimental
Sigma Massive remote service creation via named pipes - Tchopper experimental
Sigma Massive service failures - Tchopper experimental
Sigma Massive service installation - Tchopper experimental
Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
Sigma MITRE BZAR Indicators for Execution test
Sigma PAExec Service Installation test
Sigma Possible CVE-2021-1675 Print Spooler Exploitation test
Sigma Potential CobaltStrike Service Installations - Registry test
Sigma Potential CVE-2022-26809 Exploitation Attempt test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma PowerShell as a Service in Registry test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Scripts Installed as Services test
Sigma PowerShell Scripts Installed as Services - Security test
Sigma ProcessHacker Privilege Elevation test
Sigma PSExec and WMI Process Creations Block test
Sigma PSexec application execution experimental
Sigma PsExec Default Named Pipe test
Sigma Psexec Execution test
Elastic PsExec Network Connection production
Splunk PSexec Service Creation (Windows Event Log)
Sigma PsExec Service File Creation test
Sigma PsExec Service Installation test
Sigma PsExec Tool Execution From Suspicious Locations - PipeName test
Sigma PUA - CSExec Default Named Pipe test
Sigma PUA - CsExec Execution test
Sigma PUA - NirCmd Execution test
Sigma PUA - NirCmd Execution As LOCAL SYSTEM test
Sigma PUA - NSudo Execution test
Sigma PUA - PAExec Default Named Pipe test
Sigma PUA - RemCom Default Named Pipe test
Sigma PUA - RunXCmd Execution test
Sigma RemCom Service File Creation test
Sigma RemCom Service Installation test
Sigma Remote Access Tool Services Have Been Installed - Security test
Sigma Remote Access Tool Services Have Been Installed - System test
Splunk Remote Admin Tools (EDR)
Splunk Remote Admin Tools (PowerShell)
Splunk Remote Admin Tools (Sysmon)
Splunk Remote Admin Tools (Windows Event Log)
Sigma Remote Server Service Abuse for Lateral Movement test
Sigma Remote service creation via named pipes experimental
Elastic Remote Windows Service Installed production
Elastic Remotely Started Services via RPC production
Sigma Renamed Procdump tool used for dumping LSASS process experimental
Sigma Rundll32 Execution Without Parameters test
Elastic Service Command Lateral Movement production
Elastic Service Control Spawned via Script Interpreter production
Splunk Service Created containing Command Shell (Windows Event Log)
Splunk Service Installed (Windows Event Log)
Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
Sigma Sliver C2 Default Service Installation test
Sigma smbexec.py Service Installation test
Sigma Start Windows Service Via Net.EXE test
Elastic Suspicious Process Execution via Renamed PsExec Executable production
Elastic Svchost spawning Cmd production
Elastic System Shells via Services production
Elastic Systemd Service Started by Unusual Parent Process production
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual Process For a Windows Host production
Elastic Unusual Windows Service production
Sigma WFP Filter Added via Registry experimental
Splunk Windows ScManager Security Descriptor Tampering Via Sc.EXE production
Splunk Windows Service Create SliverC2 production
Splunk Windows Service Created (Sysmon)
Splunk Windows Service Created (Windows Event Log)
Splunk Windows Service Created with Suspicious Service Name production
Splunk Windows Service Created with Suspicious Service Path production
Splunk Windows Service Execution RemCom production
Splunk Windows Service Started (PowerShell)
Splunk Windows Service Started (Sysmon)
Splunk Windows Service Started (Windows Event Log)
Splunk Windows Snake Malware Service Create production

System Services: Launchctl T1569.001 2 rules

Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production

System Services: Service Execution T1569.002 85 rules

Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma CosmicDuke Service Installation test
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Sigma CSExec Service File Creation test
Sigma CSExec Service Installation test
Splunk Detect Renamed PSExec production
Sigma DNS Events Related To Mining Pools test
Sigma DNS RCE CVE-2020-1350 test
Splunk Excessive Usage Of SC Service Utility production
Elastic Execution of an Unsigned Service production building block
Splunk First Time Seen Running Windows Service experimental
Sigma HackTool - SharpUp PrivEsc Tool Execution test
Sigma HackTool Service Registration or Execution test
Splunk Impacket PSexec (Windows Event Log)
Splunk Impacket SMBexec (Windows Event Log)
Splunk Linux Auditd Service Started production
Splunk Malicious Powershell Executed As A Service production
Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
Sigma MITRE BZAR Indicators for Execution test
Sigma PAExec Service Installation test
Sigma Potential CobaltStrike Service Installations - Registry test
Sigma Potential CVE-2022-26809 Exploitation Attempt test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma PowerShell as a Service in Registry test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Scripts Installed as Services test
Sigma PowerShell Scripts Installed as Services - Security test
Sigma ProcessHacker Privilege Elevation test
Sigma PSExec and WMI Process Creations Block test
Sigma PSexec application execution experimental
Sigma PsExec Default Named Pipe test
Elastic PsExec Network Connection production
Splunk PSexec Service Creation (Windows Event Log)
Sigma PsExec Service File Creation test
Sigma PsExec Service Installation test
Sigma PsExec Tool Execution From Suspicious Locations - PipeName test
Sigma PUA - CSExec Default Named Pipe test
Sigma PUA - CsExec Execution test
Sigma PUA - NirCmd Execution test
Sigma PUA - NirCmd Execution As LOCAL SYSTEM test
Sigma PUA - NSudo Execution test
Sigma PUA - PAExec Default Named Pipe test
Sigma PUA - RemCom Default Named Pipe test
Sigma PUA - RunXCmd Execution test
Sigma RemCom Service File Creation test
Sigma RemCom Service Installation test
Sigma Remote Access Tool Services Have Been Installed - Security test
Sigma Remote Access Tool Services Have Been Installed - System test
Splunk Remote Admin Tools (EDR)
Splunk Remote Admin Tools (PowerShell)
Splunk Remote Admin Tools (Sysmon)
Splunk Remote Admin Tools (Windows Event Log)
Sigma Remote Server Service Abuse for Lateral Movement test
Elastic Remote Windows Service Installed production
Elastic Remotely Started Services via RPC production
Sigma Renamed Procdump tool used for dumping LSASS process experimental
Sigma Rundll32 Execution Without Parameters test
Elastic Service Command Lateral Movement production
Elastic Service Control Spawned via Script Interpreter production
Splunk Service Created containing Command Shell (Windows Event Log)
Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
Sigma Sliver C2 Default Service Installation test
Sigma smbexec.py Service Installation test
Sigma Start Windows Service Via Net.EXE test
Elastic Suspicious Process Execution via Renamed PsExec Executable production
Elastic Svchost spawning Cmd production
Elastic System Shells via Services production
Elastic Systemd Service Started by Unusual Parent Process production
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual Process For a Windows Host production
Elastic Unusual Windows Service production
Sigma WFP Filter Added via Registry experimental
Splunk Windows ScManager Security Descriptor Tampering Via Sc.EXE production
Splunk Windows Service Create SliverC2 production
Splunk Windows Service Created (Sysmon)
Splunk Windows Service Created (Windows Event Log)
Splunk Windows Service Created with Suspicious Service Name production
Splunk Windows Service Created with Suspicious Service Path production
Splunk Windows Service Execution RemCom production
Splunk Windows Service Started (PowerShell)
Splunk Windows Service Started (Sysmon)
Splunk Windows Service Started (Windows Event Log)
Splunk Windows Snake Malware Service Create production

Hijack Execution Flow T1574 246 rules

Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
Elastic APT Package Manager Configuration File Creation production
Sigma APT27 - Emissary Panda Activity test
Sigma Aruba Network Service Potential DLL Sideloading test
Elastic Boot File Copy production
Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
Sigma Code Injection by ld.so Preload test
Kusto COM Registry Key Modified to Point to File in Color Profile Folder
Sigma Creation Of Non-Existent System DLL test
Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
Kusto Dataverse - TI map URL to DataverseActivity available
Elastic Deprecated - Adobe Hijack Persistence production
Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
Splunk Detect Path Interception By Creation Of program exe production
Kusto Detect Suspicious Commands Initiated by Webserver Processes available
Sigma DHCP Callout DLL Installation test
Sigma DHCP Server Error Failed Loading the CallOut DLL test
Sigma DHCP Server Loaded the CallOut DLL test
Sigma Diamond Sleet APT DLL Sideloading Indicators test
Sigma DLL Execution Via Register-cimprovider.exe test
Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
Sigma DLL Search Order Hijackig Via Additional Space in Path test
Sigma DLL ServerLevelPluginDll command installation experimental
Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
Sigma DLL Sideloading by VMware Xfer Utility test
Sigma DLL Sideloading Of ShellChromeAPI.DLL test
Elastic DNF Package Manager Plugin File Creation production
Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic Dracut Module Creation production
Elastic Dylib Injection via Process Environment Variables production
Elastic Dynamic Linker (ld.so) Creation production
Elastic Dynamic Linker Copy production
Elastic Dynamic Linker Creation production
Elastic Dynamic Linker Modification Detected via Defend for Containers production
Sigma Enabling COR Profiler Environment Variables test
Elastic Execution via local SxS Shared Module production
Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
Sigma Fax Service DLL Search Order Hijack test
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Splunk GitHub Workflow File Creation or Modification production
Elastic GRUB Configuration File Creation production
Elastic GRUB Configuration Generation through Built-in Utilities production
Sigma HackTool - Powerup Write Hijack DLL test
Sigma HackTool - SharpUp PrivEsc Tool Execution test
Kusto Hijack Execution Flow - DLL Side-Loading available
Elastic Initramfs Extraction via CPIO production
Elastic Initramfs Unpacking via unmkinitramfs production
Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
Sigma Lazarus APT DLL Sideloading Activity test
Splunk Linux Auditd Preload Hijack Library Calls production
Splunk Linux Auditd Preload Hijack Via Preload File production
Splunk Linux Preload Hijack Library Calls production
Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
Sigma Microsoft Office DLL Sideload test
Sigma Mimispool printer driver installation (PrintNightmare vulnerability - CVE-2021-36958) experimental
Elastic Modification of Dynamic Linker Preload Shared Object production
Elastic Modification of Environment Variable via Unsigned or Untrusted Parent production
Sigma Modification of ld.so.preload test
Splunk MSI Module Loaded by Non-System Binary production
Splunk Msmpeng Application DLL Side Loading production
Elastic NetworkManager Dispatcher Script Creation production
Sigma New DNS ServerLevelPluginDll Installed test
Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
Elastic Node.js Pre or Post-Install Script Execution production
Elastic Persistence via DirectoryService Plugin Modification production
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Elastic Persistence via Update Orchestrator Service Hijack production
Sigma Pingback Backdoor Activity test
Sigma Pingback Backdoor DLL Loading Activity test
Sigma Pingback Backdoor File Indicators test
Elastic Pod or Container Creation with Suspicious Command-Line production
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Sigma Possible Privilege Escalation via Weak Service Permissions test
Sigma Potential 7za.DLL Sideloading test
Sigma Potential Antivirus Software DLL Sideloading test
Sigma Potential appverifUI.DLL Sideloading test
Sigma Potential AVKkid.DLL Sideloading test
Sigma Potential Azure Browser SSO Abuse test
Sigma Potential CCleanerDU.DLL Sideloading test
Sigma Potential CCleanerReactivator.DLL Sideloading test
Sigma Potential Chrome Frame Helper DLL Sideloading test
Elastic Potential CVE-2025-32463 Nsswitch File Creation production
Elastic Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt production
Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
Sigma Potential DLL Sideloading Of DBGCORE.DLL test
Sigma Potential DLL Sideloading Of DBGHELP.DLL test
Sigma Potential DLL Sideloading Of DbgModel.DLL test
Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
Sigma Potential DLL Sideloading Of MpSvc.DLL test
Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
Sigma Potential DLL Sideloading Via comctl32.dll test
Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
Sigma Potential DLL Sideloading Via JsSchHlp test
Sigma Potential DLL Sideloading Via VMware Xfer test
Sigma Potential EACore.DLL Sideloading test
Sigma Potential Edputil.DLL Sideloading test
Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
Sigma Potential Goopdate.DLL Sideloading test
Sigma Potential Initial Access via DLL Search Order Hijacking test
Sigma Potential Iviewers.DLL Sideloading test
Sigma Potential JLI.dll Side-Loading experimental
Sigma Potential Libvlc.DLL Sideloading test
Elastic Potential Masquerading as System32 DLL production building block
Sigma Potential Mfdetours.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Persistence via File Modification production
Sigma Potential PlugX Activity test
Sigma Potential PrintNightmare Exploitation Attempt test
Elastic Potential privilege escalation via CVE-2022-38028 production
Elastic Potential Privilege Escalation via InstallerFileTakeOver production
Elastic Potential Privilege Escalation via PKEXEC production
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma Potential Privilege Escalation via Service Permissions Weakness test
Sigma Potential Python DLL SideLoading test
Sigma Potential Raspberry Robin Aclui Dll SideLoading test
Sigma Potential Rcdll.DLL Sideloading test
Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger test
Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
Sigma Potential RoboForm.DLL Sideloading test
Sigma Potential ShellDispatch.DLL Sideloading test
Sigma Potential SmadHook.DLL Sideloading test
Elastic Potential snap-confine Privilege Escalation via CVE-2026-3888 production
Sigma Potential SolidPDFCreator.DLL Sideloading test
Elastic Potential Sudo Hijacking production
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential Suspicious File Edit production
Sigma Potential System DLL Sideloading From Non System Locations test
Sigma Potential Vcruntime140 DLL Sideloading experimental
Sigma Potential Vivaldi_elf.DLL Sideloading test
Sigma Potential Waveedit.DLL Sideloading test
Sigma Potential Wazuh Security Platform DLL Sideloading test
Elastic Potential Windows Session Hijacking via CcmExec production
Sigma Potential WWlib.DLL Sideloading test
Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Windir Environment Variable production
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Splunk Reg exe Manipulating Windows Services Registry Keys production
Sigma Registry Modification for OCI DLL Redirection experimental
Sigma Registry-Free Process Scope COR_PROFILER test
Sigma Regsvr32 DLL Execution With Uncommon Extension test
Sigma Renamed Vmnat.exe Execution test
Elastic RPM Package Installed by Unusual Parent Process production
Sigma Service abuse with malicious ImagePath (Reg via command) experimental
Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental
Sigma Service Registry Key Read Access Request test
Sigma Service Registry Permissions Weakness Check test
Sigma Service Security Descriptor Tampering Via Sc.EXE test
Sigma Setup16.EXE Execution With Custom .Lst File test
Splunk Shai-Hulud Workflow File Creation or Modification production
Elastic Shared Object Created by Previously Unknown Process production
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Small Sieve Malware CommandLine Indicator test
Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
Elastic Suspicious Antimalware Scan Interface DLL production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
Elastic Suspicious Dynamic Linker Discovery via od production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Sigma Suspicious GUP Usage test
Elastic Suspicious Kworker UID Elevation production
Elastic Suspicious Microsoft Antimalware Service Execution production
Elastic Suspicious Network Connection via systemd production
Elastic Suspicious Path Invocation from Command Line production
Elastic Suspicious Print Spooler Point and Print DLL production
Sigma Suspicious Printer Driver Empty Manufacturer test
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
Elastic Suspicious Symbolic Link Created production
Sigma Suspicious Unsigned Thor Scanner Execution stable
Elastic System Binary Symlink to Suspicious Location production
Sigma System Control Panel Item Loaded From Uncommon Location test
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma Tasks Folder Evasion test
Sigma Third Party Software DLL Sideloading test
Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
Elastic UAC Bypass Attempt via Privileged IFileOperation COM Interface production
Sigma UAC Bypass With Fake DLL test
Elastic UID Elevation from Previously Unknown Executable production
Sigma Unsigned .node File Loaded experimental
Sigma Unsigned Binary Loaded From Suspicious Location test
Elastic Unsigned DLL Loaded by a Trusted Process production building block
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
Sigma Unsigned Mfdetours.DLL Sideloading test
Sigma Unsigned Module Loaded by ClickOnce Application test
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Elastic Unusual DPKG Execution production
Elastic Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
Elastic Unusual Persistence via Services Registry production
Elastic Unusual Preload Environment Variable Process Execution production
Elastic Unusual Process Modifying GenAI Configuration File production
Sigma Use Of Hidden Paths Or Files test
Sigma Using SettingSyncHost.exe as LOLBin test
Sigma VMGuestLib DLL Sideload test
Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
Splunk Windows BitDefender Submission Wizard DLL Sideloading experimental
Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
Splunk Windows DLL Search Order Hijacking with iscsicpl production
Splunk Windows DLL Side-Loading In Calc production
Splunk Windows DLL Side-Loading Process Child Of Calc production
Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production
Splunk Windows Hijack Execution Flow Version Dll Side Load production
Splunk Windows Known Abused DLL Created production
Splunk Windows Known Abused DLL Loaded Suspiciously production
Splunk Windows Known GraphicalProton Loaded Modules production
Splunk Windows Masquerading Explorer As Child Process production
Splunk Windows Mock Trusted Directory MSC File Creation production
Splunk Windows Mustang Panda USB Tool Execution production
Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production
Splunk Windows PowerShell Module File Created production
Splunk Windows Rundll32 Execution With Log.DLL production
Splunk Windows Service Creation Using Registry Entry production
Splunk Windows Set Custom DNS ServerLevelPlugin Via Dnscmd production
Sigma Windows Spooler Service Suspicious Binary Load test
Splunk Windows SqlWriter SQLDumper DLL Sideload production
Splunk Windows Unsigned DLL Side-Loading production
Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
Splunk Windows Unsigned MS DLL Side-Loading production
Sigma Winnti Malware HK University Campaign test
Sigma Winnti Pipemon Characteristics stable
Elastic WPS Office Exploitation via DLL Hijack production
Sigma Xwizard.EXE Execution From Non-Default Location test
Elastic Yum Package Manager Plugin File Creation production

Hijack Execution Flow: DLL T1574.001 123 rules

Sigma APT27 - Emissary Panda Activity test
Sigma Aruba Network Service Potential DLL Sideloading test
Sigma Creation Of Non-Existent System DLL test
Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
Sigma DHCP Callout DLL Installation test
Sigma DHCP Server Error Failed Loading the CallOut DLL test
Sigma DHCP Server Loaded the CallOut DLL test
Sigma Diamond Sleet APT DLL Sideloading Indicators test
Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
Sigma DLL Search Order Hijackig Via Additional Space in Path test
Sigma DLL Sideloading by VMware Xfer Utility test
Sigma DLL Sideloading Of ShellChromeAPI.DLL test
Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
Elastic Execution via local SxS Shared Module production
Sigma Fax Service DLL Search Order Hijack test
Sigma HackTool - Powerup Write Hijack DLL test
Sigma Lazarus APT DLL Sideloading Activity test
Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
Sigma Microsoft Office DLL Sideload test
Splunk MSI Module Loaded by Non-System Binary production
Splunk Msmpeng Application DLL Side Loading production
Sigma New DNS ServerLevelPluginDll Installed test
Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
Sigma Pingback Backdoor Activity test
Sigma Pingback Backdoor DLL Loading Activity test
Sigma Pingback Backdoor File Indicators test
Sigma Potential 7za.DLL Sideloading test
Sigma Potential Antivirus Software DLL Sideloading test
Sigma Potential appverifUI.DLL Sideloading test
Sigma Potential AVKkid.DLL Sideloading test
Sigma Potential Azure Browser SSO Abuse test
Sigma Potential CCleanerDU.DLL Sideloading test
Sigma Potential CCleanerReactivator.DLL Sideloading test
Sigma Potential Chrome Frame Helper DLL Sideloading test
Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
Sigma Potential DLL Sideloading Of DBGCORE.DLL test
Sigma Potential DLL Sideloading Of DBGHELP.DLL test
Sigma Potential DLL Sideloading Of DbgModel.DLL test
Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
Sigma Potential DLL Sideloading Of MpSvc.DLL test
Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
Sigma Potential DLL Sideloading Via comctl32.dll test
Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
Sigma Potential DLL Sideloading Via JsSchHlp test
Sigma Potential DLL Sideloading Via VMware Xfer test
Sigma Potential EACore.DLL Sideloading test
Sigma Potential Edputil.DLL Sideloading test
Sigma Potential Goopdate.DLL Sideloading test
Sigma Potential Initial Access via DLL Search Order Hijacking test
Sigma Potential Iviewers.DLL Sideloading test
Sigma Potential JLI.dll Side-Loading experimental
Sigma Potential Libvlc.DLL Sideloading test
Elastic Potential Masquerading as System32 DLL production building block
Sigma Potential Mfdetours.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
Sigma Potential PlugX Activity test
Sigma Potential Python DLL SideLoading test
Sigma Potential Raspberry Robin Aclui Dll SideLoading test
Sigma Potential Rcdll.DLL Sideloading test
Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
Sigma Potential RoboForm.DLL Sideloading test
Sigma Potential ShellDispatch.DLL Sideloading test
Sigma Potential SmadHook.DLL Sideloading test
Sigma Potential SolidPDFCreator.DLL Sideloading test
Sigma Potential System DLL Sideloading From Non System Locations test
Sigma Potential Vcruntime140 DLL Sideloading experimental
Sigma Potential Vivaldi_elf.DLL Sideloading test
Sigma Potential Waveedit.DLL Sideloading test
Sigma Potential Wazuh Security Platform DLL Sideloading test
Elastic Potential Windows Session Hijacking via CcmExec production
Sigma Potential WWlib.DLL Sideloading test
Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Registry Modification for OCI DLL Redirection experimental
Sigma Renamed Vmnat.exe Execution test
Sigma Small Sieve Malware CommandLine Indicator test
Elastic Suspicious Antimalware Scan Interface DLL production
Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
Sigma Suspicious GUP Usage test
Elastic Suspicious Microsoft Antimalware Service Execution production
Sigma Suspicious Unsigned Thor Scanner Execution stable
Sigma System Control Panel Item Loaded From Uncommon Location test
Sigma Tasks Folder Evasion test
Sigma Third Party Software DLL Sideloading test
Elastic UAC Bypass Attempt via Privileged IFileOperation COM Interface production
Sigma UAC Bypass With Fake DLL test
Sigma Unsigned .node File Loaded experimental
Sigma Unsigned Binary Loaded From Suspicious Location test
Elastic Unsigned DLL Loaded by a Trusted Process production building block
Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
Sigma Unsigned Mfdetours.DLL Sideloading test
Sigma Unsigned Module Loaded by ClickOnce Application test
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Sigma Use Of Hidden Paths Or Files test
Sigma VMGuestLib DLL Sideload test
Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
Splunk Windows DLL Search Order Hijacking with iscsicpl production
Splunk Windows DLL Side-Loading In Calc production
Splunk Windows DLL Side-Loading Process Child Of Calc production
Splunk Windows Hijack Execution Flow Version Dll Side Load production
Splunk Windows Known Abused DLL Created production
Splunk Windows Known Abused DLL Loaded Suspiciously production
Splunk Windows Known GraphicalProton Loaded Modules production
Splunk Windows Masquerading Explorer As Child Process production
Splunk Windows Mustang Panda USB Tool Execution production
Splunk Windows SqlWriter SQLDumper DLL Sideload production
Splunk Windows Unsigned DLL Side-Loading production
Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
Splunk Windows Unsigned MS DLL Side-Loading production
Sigma Winnti Malware HK University Campaign test
Sigma Winnti Pipemon Characteristics stable
Elastic WPS Office Exploitation via DLL Hijack production
Sigma Xwizard.EXE Execution From Non-Default Location test

Hijack Execution Flow: DLL Side-Loading T1574.002 11 rules

Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma DLL ServerLevelPluginDll command installation experimental
Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
Kusto Hijack Execution Flow - DLL Side-Loading available
Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
Sigma Mimispool printer driver installation (PrintNightmare vulnerability - CVE-2021-36958) experimental
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental

Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule

Kusto Powershell Empire Cmdlets Executed in Command Line available

Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005 2 rules

Sigma HackTool - SharpUp PrivEsc Tool Execution test
Sigma Setup16.EXE Execution With Custom .Lst File test

Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 24 rules

Sigma Code Injection by ld.so Preload test
Elastic Dylib Injection via Process Environment Variables production
Elastic Dynamic Linker (ld.so) Creation production
Elastic Dynamic Linker Copy production
Elastic Dynamic Linker Creation production
Elastic Dynamic Linker Modification Detected via Defend for Containers production
Splunk GitHub Workflow File Creation or Modification production
Splunk Linux Auditd Preload Hijack Library Calls production
Splunk Linux Auditd Preload Hijack Via Preload File production
Splunk Linux Preload Hijack Library Calls production
Elastic Modification of Dynamic Linker Preload Shared Object production
Elastic Modification of Environment Variable via Unsigned or Untrusted Parent production
Sigma Modification of ld.so.preload test
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential CVE-2025-32463 Nsswitch File Creation production
Elastic Potential Persistence via File Modification production
Elastic Potential Privilege Escalation via PKEXEC production
Elastic Potential Suspicious File Edit production
Splunk Shai-Hulud Workflow File Creation or Modification production
Elastic Shared Object Created by Previously Unknown Process production
Elastic Suspicious Dynamic Linker Discovery via od production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
Elastic Unusual Preload Environment Variable Process Execution production

Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 9 rules

Kusto DLL Hijacking: Loading from an Unusual Directory
Elastic Modification of Environment Variable via Unsigned or Untrusted Parent production
Elastic Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt production
Elastic Potential Privilege Escalation via PKEXEC production
Sigma Potential Suspicious Activity Using SeCEdit test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Windir Environment Variable production
Elastic Suspicious Path Invocation from Command Line production
Sigma Trusted Path Bypass via Windows Directory Spoofing experimental

Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 6 rules

Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Using SettingSyncHost.exe as LOLBin test
Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production

Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 4 rules

Splunk Detect Path Interception By Creation Of program exe production
Kusto DLL Hijacking: Loading from an Unusual Directory
Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
Kusto Powershell Empire Cmdlets Executed in Command Line available

Hijack Execution Flow: Services File Permissions Weakness T1574.010 7 rules

Elastic Deprecated - Adobe Hijack Persistence production
Elastic Potential privilege escalation via CVE-2022-38028 production
Sigma Service abuse with malicious ImagePath (Reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental

Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 17 rules

Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
Elastic Persistence via Update Orchestrator Service Hijack production
Sigma Possible Privilege Escalation via Weak Service Permissions test
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma Potential Privilege Escalation via Service Permissions Weakness test
Splunk Reg exe Manipulating Windows Services Registry Keys production
Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
Sigma Service Registry Key Read Access Request test
Sigma Service Registry Permissions Weakness Check test
Sigma Service Security Descriptor Tampering Via Sc.EXE test
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual Persistence via Services Registry production
Splunk Windows Service Creation Using Registry Entry production

Hijack Execution Flow: COR_PROFILER T1574.012 2 rules

Sigma Enabling COR Profiler Environment Variables test
Sigma Registry-Free Process Scope COR_PROFILER test

Hijack Execution Flow: KernelCallbackTable T1574.013 2 rules

Elastic Suspicious Kworker UID Elevation production
Elastic UID Elevation from Previously Unknown Executable production

Hijack Execution Flow: AppDomainManager T1574.014 1 rule

Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production

Container Administration Command T1609 27 rules

Elastic Container Management Utility Execution Detected via Defend for Containers production
Elastic Container Management Utility Run Inside A Container production
Elastic Container Runtime CLI Execution with Suspicious Arguments production
Elastic Direct Interactive Kubernetes API Request by Common Utilities production
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Elastic Direct Interactive Kubernetes API Request Detected via Defend for Containers production
Elastic Docker Socket Enumeration production
Elastic Forbidden Direct Interactive Kubernetes API Request production
Elastic Interactive Exec Into Container Detected via Defend for Containers production
Elastic Kubectl Apply Pod from URL production
Elastic Kubernetes Ephemeral Container Added to Pod production
Elastic Kubernetes Pod Creation Using Common Debug or Base Images production building block
Elastic Kubernetes Pod Exec Cloud Instance Metadata Access production
Elastic Kubernetes Pod Exec Potential Reverse Shell production
Elastic Kubernetes Pod Exec Sensitive File or Credential Path Access production
Elastic Kubernetes Pod Exec with Curl or Wget to HTTPS production
Sigma Kubernetes Potential Enumeration Activity experimental
Elastic Kubernetes User Exec into Pod production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Kubectl Masquerading via Unexpected Process production
Elastic Potential Kubeletctl Execution production
Elastic Potential Kubeletctl Execution Detected via Defend for Containers production
Sigma Potential Remote Command Execution In Pod Container test
Sigma Potential Sidecar Injection Into Running Deployment test
Elastic Privileged Container Creation with Host Directory Mount production
Elastic Privileged Docker Container Creation production
Elastic Suspicious Container Runtime CLI Execution production

Deploy Container T1610 22 rules

Panther AWS EC2 Launch Unusual EC2 Instances
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Panther GCP K8s New Daemonset Deployed Deprecated
Panther GCP K8s Pod Using Host PID Namespace Deprecated
Elastic Kubectl Apply Pod from URL production
Elastic Kubernetes Anonymous User Create/Update/Patch Pods Request production
Elastic Kubernetes Container Created with Excessive Linux Capabilities production
Panther Kubernetes DaemonSet Created
Elastic Kubernetes Pod Created with a Sensitive hostPath Volume production
Elastic Kubernetes Pod Created With HostIPC production
Elastic Kubernetes Pod Created With HostNetwork production
Elastic Kubernetes Pod Created With HostPID production
Elastic Kubernetes Pod Creation Using Common Debug or Base Images production building block
Panther Kubernetes Pod Using Host PID Namespace
Elastic Kubernetes Privileged Pod Created production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Kubectl Masquerading via Unexpected Process production
Elastic Potential Privilege Escalation through Writable Docker Socket production
Elastic Potential Privilege Escalation via Container Misconfiguration production
Elastic Privileged Container Creation with Host Directory Mount production
Elastic Privileged Docker Container Creation production

Serverless Execution T1648 12 rules

Elastic AWS Lambda Function Created or Updated production building block
Elastic AWS Lambda Layer Added to Existing Function production
YARA-L AWS Lambda Update Function Code
Elastic Azure Automation Runbook Created or Modified production
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of GitHub User Interaction with Private Repo production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Time AWS CloudFormation Stack Creation production
Elastic GitHub App Deleted production
Elastic GitHub Repo Created production building block
Elastic High Number of Cloned GitHub Repos From PAT production

Cloud Administration Command T1651 22 rules

Elastic AWS EC2 LOLBin Execution via SSM SendCommand production
Elastic AWS SSM `SendCommand` Execution by Rare User production
Elastic AWS SSM `SendCommand` with Run Shell Command Parameters production
Elastic AWS SSM Command Document Created by Rare User production
Elastic AWS SSM Session Manager Child Process Execution production
Kusto AWSCloudTrail - Suspicious command sent to EC2 available
Elastic Azure Compute VM Command Executed production
Elastic Azure Run Command Correlated with Process Execution production
Elastic Azure Run Command Script Child Process production
Panther Azure Serverless Script Execution
Panther Azure VM Command Executed
Elastic Azure VM Extension Deployment by User production
Kusto Detect Custom Script or Run Command deployment by risky user
Kusto Detect entra token request via specific BOF (IOC based)
Kusto Detect executable drops via Azure custom script extension
Kusto Detect first time Azure Custom Script or Run Command deployment
Kusto Detect non-admin requesting token for admin applications
Kusto Detect process drops via Azure Custom Script Extension performing lateral movement
Kusto Detect suspicious foci token logins
Kusto Detect suspicious foci token logins V2
Elastic First Time AWS CloudFormation Stack Creation production
Elastic GCP Pub/Sub Topic Creation production

No specific technique 152 rules

Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation test
Sigma AADInternals PowerShell Cmdlets Execution - PsScript test
Sigma Add Windows Capability Via PowerShell Cmdlet test
Sigma Add Windows Capability Via PowerShell Script test
Sigma Arbitrary Binary Execution Using GUP Utility test
Sigma Assembly DLL Creation Via AspNetCompiler test
Sigma Base64 MZ Header In CommandLine test
Sigma Bash Interactive Shell test
Sigma Cab File Extraction Via Wusa.EXE test
Sigma Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths test
Sigma Chromium Browser Headless Execution To Mockbin Like Site test
Sigma ClickOnce Deployment Execution - Dfsvc.EXE Child Process test
Sigma CodeIntegrity - Unmet Signing Level Requirements By File Under Validation experimental
Sigma Command Executed Via Run Dialog Box - Registry test
Sigma Computer Password Change Via Ksetup.EXE test
Sigma Cscript/Wscript Potentially Suspicious Child Process test
Sigma Curl Web Request With Potential Custom User-Agent test
Sigma CVE-2021-44077 POC Default Dropped File test
Sigma CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File test
Sigma CVE-2023-40477 Potential Exploitation - .REV File Creation test
Sigma CVE-2023-40477 Potential Exploitation - WinRAR Application Crash test
Sigma Diamond Sleet APT File Creation Indicators test
Sigma Diamond Sleet APT Process Activity Indicators test
Sigma Dump Ntds.dit To Suspicious Location test
Sigma Enable BPF Kprobes Tracing test
Panther Execution of Command Line Tool with Base64 Encoded Arguments
Sigma Execution Of Script Located In Potentially Suspicious Directory test
Sigma File Creation Related To RAT Clients experimental
Sigma File Decryption Using Gpg4win test
Sigma File Download From IP URL Via Curl.EXE test
Sigma File Encryption Using Gpg4win test
Sigma File Encryption/Decryption Via Gpg4win From Suspicious Locations test
Sigma Forest Blizzard APT - Process Creation Activity experimental
Elastic GitHub UEBA - Multiple Alerts from a GitHub Account production
Sigma Goofy Guineapig Backdoor IOC test
Sigma Google Cloud Kubernetes CronJob test
Sigma Griffon Malware Attack Pattern test
Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI test
Sigma ImagingDevices Unusual Parent/Child Processes test
Sigma Import New Module Via PowerShell CommandLine test
Sigma Insecure Proxy/DOH Transfer Via Curl.EXE test
Sigma Insecure Transfer Via Curl.EXE test
Sigma JAMF MDM Execution test
Sigma JAMF MDM Potential Suspicious Child Process test
Sigma Kubernetes CronJob/Job Modification test
Elastic Kubernetes Forbidden Creation Request production
Sigma Lace Tempest Cobalt Strike Download test
Sigma Lace Tempest File Indicators test
Sigma Lace Tempest Malware Loader Execution test
Sigma Loading Diagcab Package From Remote Path test
Sigma Local File Read Using Curl.EXE test
Sigma Logged-On User Password Change Via Ksetup.EXE test
Sigma macOS ESF Suspicious Process Execution experimental
Sigma Mint Sandstorm - AsperaFaspex Suspicious Process Execution test
Sigma Mint Sandstorm - Log4J Wstomcat Process Execution test
Sigma Mint Sandstorm - ManageEngine Suspicious Process Execution test
Sigma Mshtml.DLL RunHTMLApplication Suspicious Usage test
Sigma MSI Installation From Suspicious Locations test
Sigma MSMQ Corrupted Packet Encountered test
Sigma MSSQL XPCmdshell Option Change test
Sigma MSSQL XPCmdshell Suspicious Execution test
Sigma Named Pipe Created Via Mkfifo test
Sigma New Virtual Smart Card Created Via TpmVscMgr.EXE test
Sigma Onyx Sleet APT File Creation Indicators test
Sigma PaperCut MF/NG Exploitation Related Indicators test
Sigma PaperCut MF/NG Potential Exploitation test
Sigma Peach Sandstorm APT Process Activity Indicators test
Sigma Pikabot Fake DLL Extension Execution Via Rundll32.EXE test
Sigma Possible PrintNightmare Print Driver Install - CVE-2021-1675 stable
Sigma Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity test
Sigma Potential APT FIN7 Related PowerShell Script Created test
Sigma Potential APT Mustang Panda Activity Against Australian Gov test
Sigma Potential Cookies Session Hijacking test
Sigma Potential CVE-2022-29072 Exploitation Attempt test
Sigma Potential CVE-2023-21554 QueueJumper Exploitation test
Sigma Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution test
Sigma Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation test
Sigma Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location test
Sigma Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation test
Sigma Potential Discovery Activity Via Dnscmd.EXE test
Sigma Potential DLL Injection Via AccCheckConsole test
Sigma Potential Exploitation Attempt From Office Application test
Sigma Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE test
Sigma Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process test
Sigma Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group test
Sigma Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity test
Sigma Potential File Override/Append Via SET Command test
Sigma Potential Goofy Guineapig Backdoor Activity test
Sigma Potential MuddyWater APT Activity test
Sigma Potential Perl Reverse Shell Execution test
Sigma Potential PHP Reverse Shell test
Sigma Potential Qakbot Rundll32 Execution test
Sigma Potential Raspberry Robin Dot Ending File test
Sigma Potential RDP Session Hijacking Activity test
Sigma Potential Renamed Rundll32 Execution test
Sigma Potential Ruby Reverse Shell test
Sigma Potential ShellDispatch.DLL Functionality Abuse test
Sigma Potential SNAKE Malware Installation Binary Indicator test
Sigma Potential SNAKE Malware Installation CLI Arguments Indicator test
Sigma Potential SNAKE Malware Persistence Service Execution test
Sigma Potentially Suspicious Child Process Of ClickOnce Application test
Sigma Potentially Suspicious Electron Application CommandLine test
Sigma Potentially Suspicious Execution Of PDQDeployRunner test
Sigma Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE test
Sigma Potentially Suspicious Named Pipe Created Via Mkfifo test
Sigma PowerShell Execution With Potential Decryption Capabilities test
Sigma PowerShell Script Execution Policy Enabled test
Sigma PsExec Service Child Process Execution as LOCAL SYSTEM test
Sigma PsExec Service Execution test
Sigma Public IP Created test
Sigma Python Reverse Shell Execution Via PTY And Socket Modules test
Sigma Qakbot Regsvr32 Calc Pattern test
Sigma Qakbot Rundll32 Exports Execution test
Sigma Qakbot Rundll32 Fake DLL Extension Execution test
Sigma Qakbot Uninstaller Execution test
Sigma Query Usage To Exfil Data test
Kusto Radiflow - Platform Alert available
Sigma Rebuild Performance Counter Values Via Lodctr.EXE test
Sigma Remote Access Tool - Ammy Admin Agent Execution test
Sigma Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate test
Sigma Remote Access Tool - Cmd.EXE Execution via AnyViewer test
Sigma Remote Access Tool - ScreenConnect Remote Command Execution - Hunting test
Sigma Renamed PsExec Service Execution test
Sigma Shell Execution Of Process Located In Tmp Directory test
Sigma SNAKE Malware Installer Name Indicators test
Sigma SNAKE Malware Kernel Driver File Indicator test
Sigma SNAKE Malware WerFault Persistence File Creation test
Kusto SUNBURST suspicious SolarWinds child processes
Sigma Suspicious Application Installed test
Sigma Suspicious Digital Signature Of AppX Package test
Sigma Suspicious Electron Application Child Processes test
Sigma Suspicious Execution Location Of Wermgr.EXE test
Sigma Suspicious File Creation In Uncommon AppData Folder test
Sigma Suspicious File Download From File Sharing Domain Via Curl.EXE test
Sigma Suspicious File Download From File Sharing Domain Via Wget.EXE test
Sigma Suspicious File Download From IP Via Curl.EXE test
Sigma Suspicious File Download From IP Via Wget.EXE test
Sigma Suspicious File Download From IP Via Wget.EXE - Paths test
Sigma Suspicious New Instance Of An Office COM Object test
Sigma Suspicious Nohup Execution test
Sigma Suspicious WindowsTerminal Child Processes test
Sigma Sysinternals Tools AppX Versions Execution test
Sigma UNC4841 - Barracuda ESG Exploitation Indicators test
Sigma UNC4841 - Email Exfiltration File Pattern test
Sigma UNC4841 - Potential SEASPY Execution test
Sigma Uncommon Child Processes Of SndVol.exe test
Sigma Virtual Machine Created test
Sigma Wab Execution From Non Default Location test
Sigma Wab/Wabmig Unusual Parent Or Child Processes test
Sigma Weak or Abused Passwords In CLI test
Sigma WinSxS Executable File Creation By Non-System Process test
Sigma Wusa.EXE Executed By Parent Process Located In Suspicious Location test

Persistence

Boot or Logon Initialization Scripts T1037 37 rules

YARA-L AWS EC2 User Data Modified
Elastic Chkconfig Service Add production
Panther Databricks Global Init Script Changes Experimental
Elastic Executable Bit Set for Potential Persistence Script production
Elastic GenAI Process Accessing Sensitive Files production
Splunk Linux File Creation In Init Boot Directory production
Splunk Logon Script Event Trigger Execution production
Splunk Logon Script Registry Key added (EDR)
Splunk Logon Script Registry Key added (PowerShell)
Splunk Logon Script Registry Key added (Sysmon)
Splunk Logon Script Registry Key added (Windows Event Log)
Splunk MacOS LoginHook Persistence production
Elastic Message-of-the-Day (MOTD) File Creation production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Persistence via Folder Action Script production
Elastic Persistence via Login or Logout Hook production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Execution of rc.local Script production
Elastic Potential Persistence via Atom Init Script Modification production
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Login Hook production
Sigma Potential Persistence Via Logon Scripts - CommandLine test
Sigma Potential Persistence Via Logon Scripts - Registry test
Elastic Potential Suspicious File Edit production
Elastic Process Spawned from Message-of-the-Day (MOTD) production
Elastic rc.local/rc.common File Creation production
Sigma Startup Item File Created - MacOS test
Elastic Startup/Logon Script added to Group Policy Object production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Elastic Suspicious rc.local Error Message production
Elastic Suspicious StartupItem Plist Creation production
Elastic System V Init Script Created production
Elastic Systemd-udevd Rule File Creation production
Elastic Uncommon Registry Persistence Change production
Sigma Uncommon Userinit Child Process test
Elastic Unusual Exim4 Child Process production

Boot or Logon Initialization Scripts: Logon Script (Windows) T1037.001 8 rules

Splunk Logon Script Event Trigger Execution production
Splunk Logon Script Registry Key added (EDR)
Splunk Logon Script Registry Key added (PowerShell)
Splunk Logon Script Registry Key added (Sysmon)
Splunk Logon Script Registry Key added (Windows Event Log)
Sigma Potential Persistence Via Logon Scripts - CommandLine test
Sigma Potential Persistence Via Logon Scripts - Registry test
Sigma Uncommon Userinit Child Process test

Boot or Logon Initialization Scripts: Login Hook T1037.002 3 rules

Splunk MacOS LoginHook Persistence production
Elastic Persistence via Login or Logout Hook production
Elastic Potential Persistence via Login Hook production

Boot or Logon Initialization Scripts: RC Scripts T1037.004 11 rules

Elastic Executable Bit Set for Potential Persistence Script production
Elastic GenAI Process Accessing Sensitive Files production
Splunk Linux File Creation In Init Boot Directory production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Execution of rc.local Script production
Elastic Potential Persistence via File Modification production
Elastic Potential Suspicious File Edit production
Elastic rc.local/rc.common File Creation production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Elastic Suspicious rc.local Error Message production
Elastic System V Init Script Created production

Boot or Logon Initialization Scripts: Startup Items T1037.005 2 rules

Sigma Startup Item File Created - MacOS test
Elastic Suspicious StartupItem Plist Creation production

Scheduled Task/Job T1053 197 rules

Elastic A scheduled task was created production
Elastic At Job Created or Modified production
Elastic At.exe Command Lateral Movement production building block
Kusto AV detections related to Tarrask malware available
Elastic Azure Automation Runbook Created or Modified production
Sigma Azure Kubernetes CronJob test
Sigma ChromeLoader Malware Execution test
Splunk Cisco Isovalent - Cron Job Creation production
Sigma Cisco Modify Configuration test
Splunk Cisco Secure Firewall - Wget or Curl Download production
Splunk Create_Modify Schtasks (PowerShell)
Splunk Create_Modify Schtasks (Sysmon)
Splunk Create_Modify Schtasks (Windows Event Log)
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Kusto Critical Risks available
Elastic Cron Job Created or Modified production
Sigma Defrag Deactivation test
Sigma Defrag Deactivation - Security test
Kusto Detect Rare scheduled task created
Kusto Detect Unsigned executable launch from scheduled task
Sigma Diamond Sleet APT Scheduled Task Creation test
Elastic Executable Bit Set for Potential Persistence Script production
Sigma Fortinet APT group abuse on Windows (task) experimental
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Sigma HackTool - SharPersist Execution test
Sigma HAFNIUM Exchange Exploitation Activity test
Splunk Hidden Scheduled Task Created - Windows (Windows Event Log)
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Important Scheduled Task Deleted/Disabled test
Sigma Interactive AT Job test
Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
Sigma Kapeka Backdoor Persistence Activity test
Sigma Kapeka Backdoor Scheduled Task Creation test
Splunk Kubernetes Cron Job Creation production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production
Splunk Linux Add Files In Known Crontab Directories production
Splunk Linux Adding Crontab Using List Parameter production
Splunk Linux At Allow Config File Creation production
Splunk Linux At Application Execution production
Splunk Linux Auditd At Application Execution production
Splunk Linux Auditd Edit Cron Table Parameter production
Splunk Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
Splunk Linux Auditd Service Restarted production
Splunk Linux Edit Cron Table Parameter production
Splunk Linux Possible Append Command To At Allow Config File production
Splunk Linux Possible Append Cronjob Entry on Existing Cronjob File production
Splunk Linux Possible Cronjob Modification With Editor production
Splunk Linux Service File Created In Systemd Directory production
Splunk Linux Service Restarted production
Splunk Linux Service Started Or Enabled production
Elastic Local Scheduled Task Creation production
Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
Kusto Mimecast Secure Email Gateway - AV available
Kusto Mimecast Secure Email Gateway - AV
Kusto Mimecast Secure Email Gateway - Virus available
Kusto Mimecast Secure Email Gateway - Virus
YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
Sigma MITRE BZAR Indicators for Execution test
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Modifying Crontab test
Kusto New Agent Added to Pool by New User or Added to a New OS Type available
Sigma New Cron File Created experimental
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Kusto Pathlock TDnR - SAP Batch Job Events available
Kusto Pathlock TDnR - SAP System Job Monitoring Events available
Sigma Persistence and Execution at Scale via GPO Scheduled Task test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Scheduled Job Creation production
Kusto Persistence Via Scheduled Tasks
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Elastic Pod or Container Creation with Suspicious Command-Line production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential ACTINIUM Persistence Activity test
Sigma Potential BearLPE Exploitation test
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
Elastic Potential Persistence via Periodic Tasks production
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
Sigma Powershell Create Scheduled Task test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Root Crontab File Modification production
Splunk Randomly Generated Scheduled Task Name experimental
Splunk Rare Schedule Task Created (Windows Event Log)
Splunk Rare Scheduled Task (Windows Event Log)
Sigma Remote schedule task creation via named pipes (ATexec) experimental
Sigma Remote Schedule Task Lateral Movement via ATSvc test
Sigma Remote Schedule Task Lateral Movement via ITaskSchedulerService test
Sigma Remote Schedule Task Lateral Movement via SASec test
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Remote Task Creation via ATSVC Named Pipe test
Sigma Remote Task Creation via ATSVC Named Pipe - Zeek test
Sigma Renamed Schtasks Execution experimental
Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
Splunk Schedule Task with HTTP Command Arguments production
Splunk Schedule Task with Rundll32 Command Trigger production
Sigma Scheduled Cron Task/Job - Linux test
Sigma Scheduled Cron Task/Job - MacOs test
Sigma Scheduled persistent task with SYSTEM privileges creation experimental
Sigma Scheduled Task Created - FileCreation test
Sigma Scheduled Task Created - Registry test
Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Splunk Scheduled Task Creation on Remote Endpoint using At production
Sigma Scheduled Task Creation Via Schtasks.EXE test
Sigma Scheduled task creation with command line experimental
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Splunk Scheduled Task Deleted Or Created via CMD production
Sigma Scheduled Task Deletion test
Sigma Scheduled Task Executed From A Suspicious Location test
Sigma Scheduled Task Executed Uncommon LOLBIN test
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic Scheduled Task Execution at Scale via GPO production
Splunk Scheduled Task Initiation on Remote Endpoint production
Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
Sigma Scheduled Task/Job At stable
Sigma Scheduled TaskCache Change by Uncommon Program test
Elastic Scheduled Tasks AT Command Enabled production
Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
Sigma Schtasks From Suspicious Folders test
Splunk Schtasks Run Task On Demand production
Splunk Schtasks scheduling job on remote system production
Splunk Schtasks used for forcing a reboot production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Splunk Short Lived Scheduled Task production
Sigma Suspicious Command Patterns In Scheduled Task Creation test
Panther Suspicious cron detected
Elastic Suspicious CronTab Creation or Modification production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution via Scheduled Task production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Sigma Suspicious Modification Of Scheduled Tasks test
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Sigma Suspicious Scheduled Task Creation test
Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Splunk Suspicious Scheduled Task from Public Directory production
Sigma Suspicious Scheduled Task Name As GUID test
Sigma Suspicious Scheduled Task Update test
Sigma Suspicious Scheduled Task Write to System32 Tasks test
Sigma Suspicious Schtasks Execution AppData Folder test
Sigma Suspicious Schtasks Schedule Type With High Privileges test
Sigma Suspicious Schtasks Schedule Types test
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Svchost LOLBAS Execution Process Spawn production
Elastic Systemd Timer Created production
Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
Panther Teleport Scheduled Jobs
Elastic Temporarily Scheduled Task Creation production
Sigma Triple Cross eBPF Rootkit Default Persistence test
Sigma Turla Group Commands May 2020 test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma Uncommon One Time Only Scheduled Task At 00:00 test
Elastic Unusual Scheduled Task Update production
Kusto Vulerabilities available
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Enable Win32 ScheduledJob via Registry production
Splunk Windows Hidden Schedule Task Settings production
Splunk Windows Level RMM Watchdog Task Created production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows Registry Delete Task SD production
Splunk Windows Scheduled Task Created in a Group Policy Object production
Splunk Windows Scheduled Task Created Via XML production
Splunk Windows Scheduled Task DLL Module Loaded production
Splunk Windows Scheduled Task Service Spawned Shell production
Splunk Windows Scheduled Task with Highest Privileges production
Splunk Windows Scheduled Task with Suspicious Command production
Splunk Windows Scheduled Task with Suspicious Name production
Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr production
Splunk Windows Schtasks Create Run As System production
Splunk WinEvent Scheduled Task Created to Spawn Shell production
Splunk WinEvent Scheduled Task Created Within Public Path production
Splunk WinEvent Windows Task Scheduler Event Action Started production

Scheduled Task/Job: At T1053.002 18 rules

Elastic At Job Created or Modified production
Elastic At.exe Command Lateral Movement production building block
Sigma Interactive AT Job test
Splunk Linux At Application Execution production
Splunk Linux Auditd At Application Execution production
Splunk Linux Possible Append Command To At Allow Config File production
Sigma MITRE BZAR Indicators for Execution test
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Sigma Remote Schedule Task Lateral Movement via ATSvc test
Sigma Remote Schedule Task Lateral Movement via ITaskSchedulerService test
Sigma Remote Schedule Task Lateral Movement via SASec test
Sigma Remote Task Creation via ATSVC Named Pipe test
Sigma Remote Task Creation via ATSVC Named Pipe - Zeek test
Splunk Scheduled Task Creation on Remote Endpoint using At production
Sigma Scheduled Task/Job At stable
Elastic Scheduled Tasks AT Command Enabled production

Scheduled Task/Job: Cron T1053.003 29 rules

Sigma Azure Kubernetes CronJob test
Splunk Cisco Isovalent - Cron Job Creation production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Elastic Cron Job Created or Modified production
Elastic Executable Bit Set for Potential Persistence Script production
Panther GCP GKE Kubernetes Cron Job Created Or Modified
Panther Kubernetes CronJob Created or Modified Experimental
Splunk Linux Add Files In Known Crontab Directories production
Splunk Linux Adding Crontab Using List Parameter production
Splunk Linux At Allow Config File Creation production
Splunk Linux Auditd Edit Cron Table Parameter production
Splunk Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
Splunk Linux Edit Cron Table Parameter production
Splunk Linux Possible Append Cronjob Entry on Existing Cronjob File production
Splunk Linux Possible Cronjob Modification With Editor production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Modifying Crontab test
Sigma New Cron File Created experimental
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Periodic Tasks production
Elastic Privilege Escalation via Root Crontab File Modification production
Sigma Scheduled Cron Task/Job - Linux test
Sigma Scheduled Cron Task/Job - MacOs test
Elastic Suspicious CronTab Creation or Modification production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Sigma Triple Cross eBPF Rootkit Default Persistence test

Scheduled Task/Job: Scheduled Task T1053.005 118 rules

Elastic A scheduled task was created production
Elastic At.exe Command Lateral Movement production building block
Panther Azure Automation Schedule Created or Modified
Sigma ChromeLoader Malware Execution test
Splunk Create_Modify Schtasks (PowerShell)
Splunk Create_Modify Schtasks (Sysmon)
Splunk Create_Modify Schtasks (Windows Event Log)
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Sigma Defrag Deactivation test
Kusto Detect Rare scheduled task created
Kusto Detect Unsigned executable launch from scheduled task
Sigma Diamond Sleet APT Scheduled Task Creation test
Sigma Fortinet APT group abuse on Windows (task) experimental
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Important Scheduled Task Deleted/Disabled test
Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
Sigma Kapeka Backdoor Persistence Activity test
Sigma Kapeka Backdoor Scheduled Task Creation test
Elastic Local Scheduled Task Creation production
Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Sigma Persistence and Execution at Scale via GPO Scheduled Task test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Scheduled Job Creation production
Kusto Persistence Via Scheduled Tasks
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential ACTINIUM Persistence Activity test
Sigma Potential BearLPE Exploitation test
Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
Sigma Powershell Create Scheduled Task test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Randomly Generated Scheduled Task Name experimental
Splunk Rare Schedule Task Created (Windows Event Log)
Splunk Rare Scheduled Task (Windows Event Log)
Sigma Remote schedule task creation via named pipes (ATexec) experimental
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Renamed Schtasks Execution experimental
Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
Sigma Scheduled persistent task with SYSTEM privileges creation experimental
Sigma Scheduled Task Created - FileCreation test
Sigma Scheduled Task Created - Registry test
Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Sigma Scheduled Task Creation Via Schtasks.EXE test
Sigma Scheduled task creation with command line experimental
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Splunk Scheduled Task Deleted Or Created via CMD production
Sigma Scheduled Task Deletion test
Sigma Scheduled Task Executed From A Suspicious Location test
Sigma Scheduled Task Executed Uncommon LOLBIN test
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic Scheduled Task Execution at Scale via GPO production
Splunk Scheduled Task Initiation on Remote Endpoint production
Sigma Scheduled TaskCache Change by Uncommon Program test
Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
Sigma Schtasks From Suspicious Folders test
Splunk Schtasks scheduling job on remote system production
Splunk Schtasks used for forcing a reboot production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Splunk Short Lived Scheduled Task production
Sigma Suspicious Command Patterns In Scheduled Task Creation test
Elastic Suspicious Execution via Scheduled Task production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Sigma Suspicious Modification Of Scheduled Tasks test
Sigma Suspicious Scheduled Task Creation test
Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Splunk Suspicious Scheduled Task from Public Directory production
Sigma Suspicious Scheduled Task Name As GUID test
Sigma Suspicious Scheduled Task Update test
Sigma Suspicious Schtasks Execution AppData Folder test
Sigma Suspicious Schtasks Schedule Type With High Privileges test
Sigma Suspicious Schtasks Schedule Types test
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Svchost LOLBAS Execution Process Spawn production
Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
Elastic Temporarily Scheduled Task Creation production
Sigma Turla Group Commands May 2020 test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma Uncommon One Time Only Scheduled Task At 00:00 test
Elastic Unusual Scheduled Task Update production
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Enable Win32 ScheduledJob via Registry production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows Registry Delete Task SD production
Splunk Windows Scheduled Task Created in a Group Policy Object production
Splunk Windows Scheduled Task Created Via XML production
Splunk Windows Scheduled Task Service Spawned Shell production
Splunk Windows Scheduled Task with Highest Privileges production
Splunk Windows Scheduled Task with Suspicious Command production
Splunk Windows Scheduled Task with Suspicious Name production
Splunk Windows Schtasks Create Run As System production
Splunk WinEvent Scheduled Task Created to Spawn Shell production
Splunk WinEvent Scheduled Task Created Within Public Path production
Splunk WinEvent Windows Task Scheduler Event Action Started production

Scheduled Task/Job: Systemd Timers T1053.006 6 rules

Splunk Linux Auditd Service Restarted production
Splunk Linux Service File Created In Systemd Directory production
Splunk Linux Service Restarted production
Splunk Linux Service Started Or Enabled production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Systemd Timer Created production

Scheduled Task/Job: Container Orchestration Job T1053.007 4 rules

Splunk Cisco Isovalent - Cron Job Creation production
Splunk Kubernetes Cron Job Creation production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production

Valid Accounts T1078 728 rules

Panther A Login from Outside the Corporate Office
Elastic Access to a Sensitive LDAP Attribute production
Kusto Account added and removed from privileged groups
Kusto Account Created and Deleted in Short Timeframe available
Sigma Account Created And Deleted Within A Close Time Frame test
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Elastic Account Discovery Command via SYSTEM Account production
Kusto Account Elevated to New Role
Sigma Account renamed to admin (or likely) account to evade defense experimental
Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Account Tampering - Suspicious Failed Logon Reasons test
Kusto Acronis - Login from Abnormal IP - Low Occurrence
Sigma Activity From Anonymous IP Address test
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Panther Admin Role Assigned
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Kusto AdminSDHolder Modifications
Elastic AdminSDHolder SDProp Exclusion Added production
Kusto Anomalous login followed by Teams action
Kusto Anomalous sign-in location by user account and authenticating application available
Kusto Anomalous Single Factor Signin
Kusto Anomaly Sign In Event from an IP
Kusto ApexOne - Device access permissions was changed available
Elastic Apple Scripting Execution with Administrator Privileges production
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Sigma Application Using Device Code Authentication Flow test
Sigma Applications That Are Using ROPC Authentication Flow test
Panther AppOmni Alert Passthrough
Splunk ASL AWS Create Policy Version to allow all resources production
Splunk ASL AWS SAML Update identity provider production
Kusto Attempt to bypass conditional access rule in Microsoft Entra ID available
Elastic Attempt to Enable the Root Account production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Attempts to sign in to disabled accounts available
Sigma Atypical Travel test
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Sigma Authentications To Important Apps Using Single Factor Authentication test
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Panther AWS Backdoor Administrative IAM Role Created
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Splunk AWS Bedrock Invoke Model Access Denied production
Elastic AWS CloudShell Environment Created production
Panther AWS CloudTrail Password Spraying Experimental
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
Panther AWS GuardDuty Critical Severity Finding
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Panther AWS IAM Group Users
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Panther AWS IAM Policy Administrative Privileges
Panther AWS IAM Policy Assigned to User
Panther AWS IAM Policy Blocklist
Panther AWS IAM Policy Does Not Grant Any Administrative Access
Panther AWS IAM Policy Does Not Grant Network Admin Access
Panther AWS IAM Resource Does Not Have Inline Policy
Panther AWS IAM Role Restricts Usage
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Panther AWS IAM User Not In Conflicting Groups
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Key Pair Import Activity experimental
Elastic AWS Management Console Root Login production
Panther AWS Potential Backdoor Lambda Function Through Resource-Based Policy Experimental
Elastic AWS Rare Source AS Organization Activity production
Panther AWS Root Account Hardware MFA
Panther AWS Root Account MFA
Sigma AWS Root Credentials test
YARA-L AWS SAML Identity Provider Changes
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SAML Update identity provider production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
YARA-L AWS Successful Login After Multiple Failed Attempts
Splunk AWS Successful Single-Factor Authentication production
Sigma AWS Suspicious SAML Activity test
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Panther AWS.Administrative.IAM.User.Created
Kusto AWSCloudTrail - Changes to Amazon VPC settings available
Kusto AWSCloudTrail - Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - NRT Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - SAML update identity provider available
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple AppIDs and UserAgents Authentication Spike production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Sigma Azure AD Threat Intelligence test
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Elastic Azure Automation Account Created production
Panther Azure Automation Account Created
Panther Azure Device Code Authentication with Broker Client
Sigma Azure Domain Federation Settings Modified test
Panther Azure High-Risk Sign-In
Panther Azure Invite External Users
Sigma Azure Kubernetes Admission Controller test
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Sigma Azure Login Bypassing Conditional Access Policies experimental
Kusto Azure Machine Learning Write Operations available
Panther Azure Many Failed SignIns
Panther Azure MFA Disabled
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Protection Multiple Alerts for User
Kusto Azure RBAC (Elevate Access)
Panther Azure RiskLevel Passthrough
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Azure Subscription Permission Elevation Via AuditLogs test
Sigma Azure Unusual Authentication Interruption test
Sigma Azure Windows virtual machine login via serial console experimental
Sigma Bitbucket User Login Failure test
Kusto Bitglass - Impossible travel distance available
Kusto Bitglass - Login from new device available
Kusto Bitglass - New admin user available
Kusto Bitglass - New risky user available
Kusto Bitglass - User Agent string has changed for user available
Kusto Bitglass - User login from new geo location available
Sigma Bitlocker Key Retrieval test
Kusto Box - Inactive user login available
Kusto Box - New external user available
Kusto Box - User logged in as admin available
Kusto Box - User role changed to owner available
Panther Box New Login
Panther Box Shield Suspicious Alert Triggered
Panther Box Untrusted Device Login
Sigma Brutforce with denied access due to account restrictions policies experimental
Kusto BTP - Build Work Zone unauthorized access and role tampering available
Kusto BTP - User added to Cloud Identity Service privileged Administrators list available
Kusto BTP - User added to sensitive privileged role collection available
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Kusto Cisco - firewall block but success logon to Microsoft Entra ID
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Sigma Cisco BGP Authentication Failures test
Kusto Cisco Duo - Admin password reset available
Kusto Cisco Duo - Admin user created available
Kusto Cisco Duo - Authentication device new location available
Kusto Cisco Duo - Multiple admin 2FA failures available
Kusto Cisco Duo - Multiple user login failures available
Kusto Cisco Duo - New access device available
Kusto Cisco Duo - Unexpected authentication factor available
Splunk Cisco IOS Suspicious Privileged Account Creation production
Splunk Cisco IOS XE WebUI Login From IOSd Local Port production
Splunk Cisco IOS XE WebUI Programmatic Configuration production
Sigma Cisco LDP Authentication Failures test
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cloud API Calls From Previously Unseen User Roles production
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Splunk Cloud Provisioning Activity From Previously Unseen City production
Splunk Cloud Provisioning Activity From Previously Unseen Country production
Splunk Cloud Provisioning Activity From Previously Unseen IP Address production
Splunk Cloud Provisioning Activity From Previously Unseen Region production
Panther CloudTrail Password Spraying Deprecated
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Kusto Conditional Access - A Conditional Access user/group/role exclusion has changed
Kusto Conditional Access Policy Modified by New User
Sigma Console Login With MFA test
Sigma Console Login Without MFA test
Kusto Copilot - Jailbreak Attempt Detected available
Kusto Correlate Unfamiliar sign-in properties & atypical travel alerts available
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Elastic CyberArk Privileged Access Security Error production
Panther Databricks Attempted Logon From Denied IP Experimental
Panther Databricks Delta Sharing IP Access Failures Experimental
Panther Databricks Employee Logon Experimental
Panther Databricks Non-SSO Login Detected Experimental
Panther Databricks Potential Privilege Escalation Experimental
Panther Databricks Repeated Failed Login Attempts Experimental
Kusto Dataverse - Hierarchy security manipulation available
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New Dataverse application user activity type available
Kusto Dataverse - New non-interactive identity granted access available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used before available
Kusto Dataverse - Organization settings modified available
Kusto Dataverse - TI map IP to DataverseActivity available
Elastic Delegated Managed Service Account Modification by an Unusual User production
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Splunk Detect Excessive Account Lockouts From Endpoint production
Splunk Detect Excessive User Account Lockouts production
Kusto Detect PIM Alert Disabling activity
Kusto Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
Sigma Device Registration or Join Without MFA test
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Kusto EatonForeseer - Unauthorized Logins available
Kusto Elevation of Privilege attempt detected available
Kusto Email access via active sync
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID External Guest User Invited production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Splunk ESXi Account Modified production
Splunk ESXi External Root Login Activity production
Splunk ESXi Shared or Stolen Root Account production
Splunk ESXi User Granted Admin Role production
Elastic Execution with Explicit Credentials via Scripting production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Elastic External User Added to Google Workspace Group production
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Kusto F&O - Unusual sign-in activity using single factor authentication available
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Kusto Failed AWS Console logons but success logon to AzureAD
Kusto Failed AzureAD logons but success logon to AWS Console
Kusto Failed AzureAD logons but success logon to host
Kusto Failed host logons but success logon to AzureAD
Sigma Failed Logon From Public IP test
Kusto Failed sign-ins into LastPass due to MFA available
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Account Performing DCSync production
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic First-Time FortiGate Administrator Login production
Elastic FortiGate Administrator Login from Multiple IP Addresses production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Elastic FortiGate SSL VPN Login Followed by SIEM Alert by User production
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Detect gcploit framework experimental
Kusto GCP IAM - High privileged role added to service account available
Elastic GCP IAM Custom Role Creation production
Panther GCP IAM Role Has Changed
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Splunk Geographic Improbable Location experimental
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Kusto GitHub - A payment method was removed available
Kusto GitHub - Oauth application - a client secret was removed available
Kusto GitHub - pull request was created available
Kusto GitHub - pull request was merged available
Kusto GitHub - Repository was created available
Kusto GitHub - Repository was destroyed available
Kusto GitHub - User visibility Was changed available
Kusto GitHub - User was added to the organization available
Kusto GitHub - User was blocked available
Kusto GitHub - User was invited to the repository available
Kusto GitHub Activites from a New Country available
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Panther GitHub User Access Key Created
Kusto GitLab - TI - Connection from Malicious IP available
Kusto GitLab - User Impersonation available
Sigma Google Cloud Kubernetes Admission Controller test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Sigma Google Workspace Government Attack Warning experimental
Elastic Google Workspace Login Flagged Suspicious production building block
YARA-L Google Workspace SAML IDP Configuration Change
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Group created then added to built in domain local or global group
Kusto GSA - Detect Connections Outside Operational Hours available
Panther GSuite Login Type
Sigma Guest Account Enabled Via Sysadminctl test
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Sigma Guest Users Invited To Tenant By Non Approved Inviters test
Elastic High Command Line Entropy Detected for Privileged Commands production
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Kusto High-Risk Cross-Cloud User Impersonation
Sigma Huawei BGP Authentication Failures test
Kusto Hunt for critical credentials on devices with non-critical accounts
Kusto Hunt for privilege escalation paths with high ACLs
Panther IAM Administrator Role Policy Attached
Panther IAM Inline Policy Network Admin
Panther IAM Role Created
Panther IAM Role Policy Updated to Allow Internet Access
Panther IAM User Created
Panther IAM User Policy Attached with Administrator Access
Kusto Illusive Incidents Analytic Rule available
Sigma Impossible Travel test
Panther Impossible Travel for Login Action
Sigma Increased Failed Authentications Of Any Type test
Sigma Invalid PIM License test
Kusto IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
Kusto Jira - Global permission added available
Kusto Jira - New site admin user available
Kusto Jira - New site admin user available
Kusto Jira - New user created available
Kusto Jira - User's password changed multiple times available
Sigma Juniper BGP Missing MD5 test
Elastic Kerberos Pre-authentication Disabled for User production
Elastic Kubeconfig File Creation or Modification production
Sigma Kubernetes Admission Controller Modification test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Elastic Kubernetes Unusual Decision by User Agent production
Panther Lambda Code Updated by User Experimental
Panther Lambda Configuration Updated with Layers by User
Sigma Lateral movement detection (based on "special groups" feature) experimental
Sigma Login to Disabled Account test
YARA-L Logins From Terminated Employees
Panther Logins Without MFA
Panther Logins Without SAML
Sigma Logon from a Risky IP Address test
Splunk M365 Copilot Application Usage Pattern Anomalies production
Splunk M365 Copilot Session Origin Anomalies production
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Elastic M365 or Entra ID Identity Sign-in from a Suspicious Source production
Kusto M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity
Sigma macOS Authentication Events experimental
Sigma macOS SSH Connection Detection experimental
Sigma macOS Sudo Privilege Escalation Attempts experimental
Kusto Malicious BEC Inbox Rule
Kusto Malicious Inbox Rule available
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma Measurable Increase Of Successful Authentications test
Kusto MFA Rejected by User available
Sigma Microsoft 365 - Impossible Travel Activity test
Kusto Microsoft Entra ID PowerShell accessing non-Entra ID resources available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Splunk Multiple Host logons (Windows Event Log)
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Kusto Multiple Password Reset by user
Kusto Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) available
Sigma Network login performed to multiple targets experimental
Sigma New Country test
Kusto New country signIn with correct password
Kusto New Device/Location sign-in along with critical operation available
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto New user created and added to the built-in administrators group
Kusto Non-admin guest available
Kusto NRT Malicious Inbox Rule
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
Kusto NRT User added to Microsoft Entra ID Privileged Groups available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Multiple AppIDs and UserAgents Authentication Spike production
Splunk O365 Security And Compliance Alert Triggered production
Panther Okta AD Agent Authentication Anomaly - Z-Score Detection Experimental
Elastic Okta Admin Console Login Failure production building block
Panther Okta Admin Role Assigned
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Panther Okta Login Without Push
YARA-L Okta Multiple User's Logins With Invalid Credentials From The Same IP
Sigma Okta New Admin Console Behaviours test
YARA-L Okta New API Token Created
Splunk Okta New API Token Created production
Splunk Okta Non-Standard VPN Usage experimental
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Risk Threshold Exceeded production
Elastic Okta Sign-In Events via Third-Party IdP production
YARA-L Okta Successful High Risk User Logins
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta Suspicious Activity Reported production
Panther Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral Experimental
Panther Okta SWA Off-Hours Credential Access - Behavioral Experimental
Splunk Okta ThreatInsight Threat Detected production
YARA-L Okta User Account Lockout
YARA-L Okta User Login Out Of Hours
YARA-L Okta User Logins From Multiple Cities
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L Okta User Suspicious Activity Reported
Panther OneLogin High Risk Failed Login FOLLOWED BY Successful Login
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Panther OpenAI Admin Role Assignment
Panther OpenAI Anomalous API Key Activity
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - Telnet Login Attempt test
Kusto OracleDBAudit - Connection to database from external IP available
Kusto OracleDBAudit - Connection to database from unknown IP available
Kusto OracleDBAudit - New user account available
Kusto OracleDBAudit - User activity after long inactivity time available
Kusto OracleDBAudit - User connected to database from new IP available
Kusto Palo Alto Prisma Cloud - Access keys are not rotated for 90 days available
Kusto Palo Alto Prisma Cloud - Anomalous access key usage available
Kusto Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions available
Kusto Palo Alto Prisma Cloud - Inactive user available
Sigma Password Provided In Command Line Of Net.EXE test
Sigma Password Reset By User Account test
Kusto Pathlock TDnR - Emergency User (AdminTrack) Activity available
Kusto Pathlock TDnR - Multiple Login Sessions Detected available
Kusto Pathlock TDnR - SAP Cloud Account Administration Events available
Kusto Pathlock TDnR - SAP HANA Database Audit Trail available
Kusto Pathlock TDnR - User Access Management Password Resets available
Sigma PIM Alert Setting Changes To Disabled test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Ping Federate - Abnormal password resets for user available
Kusto Ping Federate - Authentication from new IP. available
Kusto Ping Federate - Forbidden country available
Kusto Ping Federate - New user SSO success login available
Kusto Ping Federate - Password reset request from unexpected source IP address.. available
Kusto Ping Federate - Unexpected authentication URL. available
Kusto Ping Federate - Unexpected country for user available
Kusto Ping Federate - Unusual mail domain. available
Splunk PingID Multiple Failed MFA Requests For User production
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Elastic Potential Account Takeover - Logon from New Source IP production
Elastic Potential Account Takeover - Mixed Logon Types production
Elastic Potential Admin Group Account Addition production
Panther Potential Compromised Okta Credentials
Elastic Potential Credential Access via DCSync production
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Impersonation Attempt via Kubectl production
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Splunk Potential password in username production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Kusto Potential Ransomware activity related to Cobalt Strike available
Elastic Potential Successful SSH Brute Force Attack production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Kusto Power Apps - App activity from unauthorized geo available
Kusto Power Platform - Account added to privileged Microsoft Entra roles available
Kusto Power Platform - Possibly compromised user accesses Power Platform services available
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto ProofpointPOD - Binary file in attachment available
Kusto ProofpointPOD - Email sender in TI list
Kusto ProofpointPOD - Email sender IP in TI list
Kusto ProofpointPOD - Possible data exfiltration to private email available
Elastic Rare User Logon production
Sigma RDP reconnaissance with valid credentials performed on multiple hosts experimental
Kusto RecordedFuture Threat Hunting Url All Actors
Kusto Red Sift - Login from previously unseen IP address available
Sigma Refresh Token Exchange from Excessive Locations experimental
Sigma Refresh Token Exchange from Multiple User Agents experimental
Sigma Refresh Token Reuse Detection experimental
Elastic Remote Computer Account DnsHostName Update production
Sigma Roles Activated Too Frequently test
Sigma Roles Activation Doesn't Require MFA test
Sigma Roles Are Not Being Used test
Sigma Roles Assigned Outside PIM test
Panther Root Account Activity
Sigma Root Account Enable Via Dsenableroot test
Panther Root Console Login
Splunk Rubeus Password Change (Windows Event Log)
Panther Salesforce API Anomaly Detection (RET Passthrough)
YARA-L sap break glass account login
YARA-L sap impossible travel
YARA-L sap multi terminal logon
Kusto Semperis DSP Failed Logons available
Kusto Sentinel One - Admin login from new location available
Kusto Sentinel One - New admin created available
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Kusto Service principal not using client credentials available
Splunk Short Lived Windows Accounts production
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts available
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Sigma Sign-ins from Non-Compliant Devices test
Kusto SlackAudit - User email linked to account changed. available
Kusto SlackAudit - User login after deactivated. available
Kusto SlackAudit - User role changed to admin or owner available
Kusto Snowflake - Multiple login failures by user available
Kusto Snowflake - Multiple login failures from single IP available
Kusto Snowflake - User granted admin privileges available
Panther Snowflake Account Admin Granted
Panther Snowflake Account Admin Granted
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in Logon Events production
Elastic Spike in Privileged Command Execution by a User production
Elastic Spike in Special Logon Events production
Elastic Spike in Special Privilege Use Events production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Spike in User Account Management Events production
Elastic Spike in User Lifecycle Management Change Events production
Sigma SQL Server - Connection attempt using a disabled account experimental
Sigma Stale Accounts In A Privileged Role test
Kusto StealthTalk - After hours work available
Kusto StealthTalk - Login outside work zone available
Kusto StealthTalk - Multi new devices registration available
Sigma Success login attempt on a Windows OpenSSH server experimental
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Successful AWS Console Login from IP Address Observed Conducting Password Spray
Kusto Successful logins to SOC Prime platform from bad IP addresses available
Kusto Successful logon from IP and failure from a different IP available
Elastic Successful SSH Authentication from Unusual IP Address production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Elastic Suspicious Activity Reported by Okta User production
Kusto Suspicious AWS console logins by credential access alerts
Sigma Suspicious Browser Activity test
Splunk Suspicious Computer Account Name Change production
Sigma Suspicious Computer Machine Password by PowerShell test
Splunk Suspicious Kerberos Service Ticket Request production
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Sigma Suspicious Remote Logon with Explicit Credentials test
Kusto Suspicious Service Principal creation activity available
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Sigma Suspicious SignIns From A Non Registered Device test
Splunk Suspicious Ticket Granting Ticket Request production
Kusto Suspicious VM Instance Creation Activity Detected
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available
Kusto Threat Essentials - User Assigned Privileged Role available
Sigma Too Many Global Admins test
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Sigma Unfamiliar Sign-In Properties test
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Host Name for Windows Privileged Operations Detected production
Elastic Unusual Hour for a User to Logon production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Linux Username production
Elastic Unusual Login via System User production
Splunk Unusual Number of Computer Service Tickets Requested experimental
Splunk Unusual Number of Remote Endpoint Authentication Events experimental
Elastic Unusual Privilege Type assigned to a User production
Elastic Unusual Process Detected for Privileged Commands by a User production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Windows Privileged Operations Detected production
Elastic Unusual Source IP for a User to Logon from production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Windows Privileged Operations Detected production
Elastic Unusual Spike in Concurrent Active Sessions by a User production
Elastic Unusual Windows Remote User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User account added to built in domain local or global group
Kusto User account created and deleted within 10 mins
Kusto User account enabled and disabled within 10 mins
Kusto User Accounts - Sign in Failure due to CA Spikes available
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Kusto User Added to Admin Role
Sigma User Added to an Administrator's Azure AD Role test
Sigma User Added to Local Administrator Group stable
Kusto User added to Microsoft Entra ID Privileged Groups available
Sigma User Added To Privilege Role test
Elastic User Added to the Admin Group production
Kusto User Assigned New Privileged Role available
Kusto User joining Zoom meeting from suspicious timezone
Panther User Logged in wihout MFA
Kusto User Login from Different Countries within 3 hours available
Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
Kusto User Sign in from different countries available
Sigma User State Changed From Guest To Member test
Kusto UserAccountDisabled available
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Kusto Valimail Enforce - High-Value User Management Event available
Kusto Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available
Kusto vCenter - Root impersonation available
Kusto VMware ESXi - Multiple new VMs started available
Kusto VMware ESXi - New VM started available
Kusto VMware ESXi - Root impersonation available
Kusto VMware ESXi - Root login available
Kusto VMware ESXi - Root password changed available
Kusto VMware ESXi - Shared or stolen root account available
Kusto VMware vCenter - Root login available
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows Group Policy Object Created production
Splunk Windows Guest Account Enabled Via Net.EXE production
Splunk Windows Large Number of Computer Service Tickets Requested production
Splunk Windows Multiple Account Passwords Changed production
Splunk Windows Multiple Accounts Deleted production
Splunk Windows Multiple Accounts Disabled production
Splunk Windows PowerView AD Access Control List Enumeration production
Splunk WMIC Explicit Credentials (Sysmon)
Splunk WMIC Explicit Credentials (Windows Event Log)
Kusto Workspace deletion activity from an infected device
Panther Zendesk Account Owner Changed
Panther Zendesk Mobile App Access Modified
Splunk Zoom High Video Latency experimental
Kusto Zscaler - Connections by dormant user available
Kusto Zscaler - Shared ZPA session available
Kusto Zscaler - Unexpected event count of rejects by policy available
Kusto Zscaler - Unexpected ZPA session duration available
Kusto Zscaler - ZPA connections by new user available
Kusto Zscaler - ZPA connections from new IP available

Valid Accounts: Default Accounts T1078.001 15 rules

Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Admin User Remote Logon test
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Sigma Guest Account Enabled Via Sysadminctl test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Splunk Okta New API Token Created production
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Suspicious Activity Reported production
Sigma Root Account Enable Via Dsenableroot test
Panther Snowflake Grant to Public Role
Splunk Windows Guest Account Enabled Via Net.EXE production

Valid Accounts: Domain Accounts T1078.002 28 rules

Elastic Access to a Sensitive LDAP Attribute production
Sigma Account renamed to admin (or likely) account to evade defense experimental
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Elastic AdminSDHolder SDProp Exclusion Added production
Elastic Delegated Managed Service Account Modification by an Unusual User production
Splunk Detect Excessive Account Lockouts From Endpoint production
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Elastic First Time Seen Account Performing DCSync production
Kusto High-Risk Cross-Cloud User Impersonation
Elastic Kerberos Pre-authentication Disabled for User production
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic Potential Credential Access via DCSync production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Rare User Logon production
Elastic Remote Computer Account DnsHostName Update production
Elastic Spike in Special Logon Events production
Elastic Spike in Successful Logon Events from a Source IP production
Splunk Suspicious Computer Account Name Change production
Splunk Suspicious Kerberos Service Ticket Request production
Splunk Suspicious Ticket Granting Ticket Request production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Splunk Windows Group Policy Object Created production
Splunk Windows PowerView AD Access Control List Enumeration production

Valid Accounts: Local Accounts T1078.003 23 rules

Elastic Account Discovery Command via SYSTEM Account production
Sigma Admin User Remote Logon test
Elastic Attempt to Enable the Root Account production
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Splunk Detect Excessive User Account Lockouts production
Elastic Mounting Hidden or WebDav Remote Shares production
Elastic Potential Admin Group Account Addition production
Elastic Potential Hidden Local User Account Creation production
Splunk Potential password in username production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Rare User Logon production
Sigma Root Account Enable Via Dsenableroot test
Splunk Short Lived Windows Accounts production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Login via System User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Elastic User Added to the Admin Group production

Valid Accounts: Cloud Accounts T1078.004 290 rules

Kusto Account Created and Deleted in Short Timeframe available
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Kusto Account Elevated to New Role
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Kusto Anomalous Single Factor Signin
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Splunk ASL AWS Create Policy Version to allow all resources production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Elastic AWS CloudShell Environment Created production
Panther AWS Compromised IAM Key Quarantine
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Panther AWS IMDS Credential Usage Outside Expected Services Experimental
Elastic AWS Management Console Root Login production
Elastic AWS Rare Source AS Organization Activity production
Sigma AWS Root Credentials test
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
Splunk AWS Successful Single-Factor Authentication production
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Panther Azure Automation Runbook Created or Modified
Panther Azure Device Code Authentication with Broker Client
Panther Azure Kubernetes RoleBinding or ClusterRoleBinding Created
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Policy DeployIfNotExists Action Triggered
Panther Azure Privileged or Elevated Role Assignment
Panther Azure Protection Multiple Alerts for User
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Bitbucket User Login Failure test
Sigma Bitlocker Key Retrieval test
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Kusto Conditional Access Policy Modified by New User
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Sigma Device Registration or Join Without MFA test
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Elastic External User Added to Google Workspace Group production
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Panther GAIA GCPW Credential Theft Attack Chain
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
Panther GCP User Added to Privileged Group
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Elastic Google Workspace Login Flagged Suspicious production building block
Panther Google Workspace Login Type Anomaly
Panther Google Workspace OAuth Application Authorized with Privileged Scopes Experimental
Panther Google Workspace OAuth Token Requests from New IP
Panther Google Workspace Rapid Multi-IP Authentication
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High-Risk Cross-Cloud User Impersonation
Panther IAM Role Added to RDS Instance or Cluster
Panther Kubernetes ClusterRoleBinding to Privileged Role
Panther Kubernetes Role With Node Proxy Permissions Created
Panther Kubernetes Role With Pod Exec Permissions Created
Panther Kubernetes Role With Wildcard Permissions Created Experimental
Panther Kubernetes Service Account Token Theft from Pod
Panther Kubernetes System Role Modified or Deleted Experimental
Sigma Login to Disabled Account test
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Sigma macOS SSH Connection Detection experimental
Kusto MFA Rejected by User available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Security And Compliance Alert Triggered production
Elastic Okta Admin Console Login Failure production building block
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Sigma Okta New Admin Console Behaviours test
Panther Okta New Behaviors Acessing Admin Console
Panther Okta Org2Org application created of modified
Elastic Okta Sign-In Events via Third-Party IdP production
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta ThreatInsight Threat Detected production
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Sigma Password Reset By User Account test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Panther Sign In from Rogue State
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Sigma Sign-ins from Non-Compliant Devices test
Panther Slack Primary Owner Transferred
Kusto SlackAudit - User login after deactivated. available
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Panther Suspicious Snowflake Sessions - Unusual Application
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - User Assigned Privileged Role available
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User Accounts - Sign in Failure due to CA Spikes available
Kusto User Added to Admin Role
Sigma User Added To Privilege Role test
Kusto User Assigned New Privileged Role available
Kusto User Login from Different Countries within 3 hours available
Sigma User State Changed From Guest To Member test
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Splunk Windows Entra User Management Via Azure CLI production
Panther Wiz Rotate Service Account Secret
Panther Wiz Service Account Change

Account Manipulation T1098 529 rules

Panther A long-lived cert was created
Sigma A Member Was Added to a Security-Enabled Global Group stable
Sigma A Member Was Removed From a Security-Enabled Global Group stable
Sigma A New Trust Was Created To A Domain stable
Sigma A Security-Enabled Global Group Was Deleted stable
Panther A user authenticated with SAML, but from an unknown company domain
Panther A User Role with Sensitive Permissions has been Created
Panther A User's Panther Account was Modified
Kusto Account added and removed from privileged groups
Elastic Account Configured with Never-Expiring Password production
Sigma Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) experimental
Elastic Account Password Reset Remotely production
Sigma Account password set to never expire. experimental
Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Account set with Kerberos DES encryption activated (weakness introduction) experimental
Sigma Account set with Kerberos pre-authentication not required (AS-REP Roasting) experimental
Sigma Account set with password not required (weakness introduction) experimental
Sigma Account set with reversible encryption (weakness introduction) experimental
Elastic Active Directory Group Modification by SYSTEM production
Sigma Active Directory User Backdoors test
Kusto AD account with Don't Expire Password
Kusto AD user enabled and password not set within 48 hours available
Sigma Added Credentials to Existing Application test
Kusto Admin promotion after Role Management Application Permission Grant available
Elastic Administrator Privileges Assigned to an Okta Group production
Elastic AdminSDHolder Backdoor production
Elastic AdminSDHolder SDProp Exclusion Added production
Panther An administrator account was created, deleted, or modified.
Kusto Anomalous login followed by Teams action
Sigma Anomalous User Activity test
Panther Anthropic Role Granted
Sigma API Key Created test
Sigma App Assigned To Azure RBAC/Microsoft Entra Role test
Sigma App Granted Privileged Delegated Or App Permissions test
Elastic Application Added to Google Workspace Domain production
Panther AppOmni Alert Passthrough
Splunk ASL AWS IAM Delete Policy production
Splunk ASL AWS IAM Failure Group Deletion production
Splunk ASL AWS IAM Successful Group Deletion production
Kusto Attempt to bypass conditional access rule in Microsoft Entra ID available
Sigma Attempt To Create API Key test
Elastic Attempt to Create Okta API Token production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Panther Auth0 New Admin Invited FOLLOWED BY Tenant Member Account Deletion
Panther Auth0 Same Phone Number Shared Across Multiple Users as MFA
Kusto Authentication Method Changed for Privileged Account
Kusto Authentication Methods Changed for Privileged Account available
Elastic AWS Bedrock Foundation Model Access Enabled or Entitlement Granted production
Elastic AWS Bedrock Resource-Based Policy Modified or Deleted production
Elastic AWS Bedrock Unauthorized Foundation Model Access Attempt production
Elastic AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt production
Elastic AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
Elastic AWS EC2 Instance Connect SSH Public Key Uploaded production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EKS Access Entry Granted Cluster Admin Policy production
Elastic AWS EKS Access Entry Modified production
Elastic AWS First Occurrence of STS GetFederationToken Request by User production
YARA-L AWS IAM Activity By S3 Browser Utility
YARA-L AWS IAM Activity From EC2 Instance
Elastic AWS IAM AdministratorAccess Policy Attached to Group production
Elastic AWS IAM AdministratorAccess Policy Attached to Role production
Elastic AWS IAM AdministratorAccess Policy Attached to User production
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Sigma AWS IAM Backdoor Users Keys test
Elastic AWS IAM Customer Managed Policy Version Created or Default Version Set production
Elastic AWS IAM Customer-Managed Policy Attached to Role by Rare User production
Splunk AWS IAM Delete Policy production
Splunk AWS IAM Failure Group Deletion production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Roles Anywhere Profile Creation production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Splunk AWS IAM Successful Group Deletion production
Elastic AWS IAM User Addition to Group production
Elastic AWS IAM User Created Access Keys For Another User production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Panther AWS Network ACL Overly Permissive Entry Created
Elastic AWS RDS DB Instance or Cluster Password Modified production
Panther AWS RDS Instance Modified to be Publicly Accessible
Panther AWS RDS Master Password Updated
Panther AWS RDS Security Group Ingress Authorized
Panther AWS Root Account Access Keys
Sigma AWS Route 53 Domain Transfer Lock Disabled test
Elastic AWS Route 53 Domain Transfer Lock Disabled production
Sigma AWS Route 53 Domain Transferred to Another Account test
Elastic AWS Route 53 Domain Transferred to Another Account production
Elastic AWS Route 53 Private Hosted Zone Associated With a VPC production
Elastic AWS S3 Bucket Policy Added to Share with External Account production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Panther AWS User API Key Created
Panther AWS User Login Profile Created or Modified
Sigma AWS User Login Profile Was Modified test
Kusto AWSCloudTrail - Changes to internet facing AWS RDS Database instances available
Kusto AWSCloudTrail - CloudFormation policy created then used for privilege escalation available
Kusto AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Access Key for IAM User available
Kusto AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of EC2 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Glue policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of SSM policy and then privilege escalation available
Kusto AWSCloudTrail - Policy version set to default available
Kusto AWSCloudTrail - Privilege escalation via CloudFormation policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD IAM policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD KMS policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD S3 policy available
Kusto AWSCloudTrail - Privilege escalation via DataPipeline policy available
Kusto AWSCloudTrail - Privilege escalation via EC2 policy available
Kusto AWSCloudTrail - Privilege escalation via Glue policy available
Kusto AWSCloudTrail - Privilege escalation via Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via SSM policy available
Kusto AWSCloudTrail - Privilege escalation with admin managed policy available
Kusto AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy available
Kusto AWSCloudTrail - Privilege escalation with FullAccess managed policy available
Splunk Azure AD Admin Consent Bypassed by Service Principal production
Splunk Azure AD Application Administrator Role Assigned production
Splunk Azure AD FullAccessAsApp Permission Assigned production
Splunk Azure AD Global Administrator Role Assigned production
Splunk Azure AD New MFA Method Registered production
Splunk Azure AD PIM Role Assigned production
Splunk Azure AD PIM Role Assignment Activated production
Splunk Azure AD Privileged Role Assigned production
Splunk Azure AD Privileged Role Assigned to Service Principal production
Splunk Azure AD Service Principal New Client Credentials production
Splunk Azure AD Service Principal Owner Added production
Splunk Azure AD Service Principal Privilege Escalation production
Splunk Azure AD Tenant Wide Admin Consent Granted production
Splunk Azure AD User Enabled And Password Reset production
Splunk Azure AD User ImmutableId Attribute Updated production
Kusto Azure DevOps Administrator Group Monitoring available
Kusto Azure DevOps Pull Request Policy Bypassing - Historic allow list available
Kusto Azure DevOps Service Connection Abuse available
Kusto Azure DevOps Service Connection Addition/Abuse - Historic allow list available
Elastic Azure Event Hub Authorization Rule Created or Updated production
Panther Azure Kubernetes RoleBinding or ClusterRoleBinding Created
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Panther Azure Privileged or Elevated Role Assignment
Elastic Azure RBAC Built-In Administrator Roles Assigned production
Panther Azure Service Principal Credentials Added
Elastic Azure Storage Account Key Regenerated production
Panther Azure Storage Account Key Regenerated
Panther Azure Storage Account Shared Key Access Enabled
Panther Azure User Elevated to User Access Administrator Role
Elastic Azure VM Extension Deployment by User production
Sigma Bitbucket Global Permission Changed test
Sigma Bulk Deletion Changes To Privileged Account Permissions test
Panther Carbon Black Admin Role Granted
Sigma Change to Authentication Method test
Splunk Cisco ASA - User Privilege Level Change production
Splunk Cisco Configuration Archive Logging Analysis production
Sigma Cisco Local Accounts test
Kusto CiscoISE - Device PostureStatus changed to non-compliant available
Kusto CiscoISE - ISE administrator password has been reset available
YARA-L Client Secret Added to Entra ID Application
Sigma Computer account created with privileges experimental
Sigma Computer account manipulation for delegation (RBCD) experimental
Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
Kusto Conditional Access - A Conditional Access user/group/role exclusion has changed
Kusto Copilot - Plugin Created by Non-Admin User available
Splunk Create_Add Local_Domain User (EDR)
Splunk Create_Add Local_Domain User (Sysmon)
Splunk Create_Add Local_Domain User (Windows Event Log)
Kusto Credential added after admin consented to Application available
Panther CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails
Panther CVE-2023-7028 - GitLab Production Password Reset Multiple Emails
Panther Databricks Account Admin Privileged Role Assignment Experimental
Panther Databricks Account-Level Configuration Changes Experimental
Panther Databricks High Priority Configuration Changes Experimental
Panther Databricks Long-Lifetime Token Generated Experimental
Panther Databricks Metastore Admin Privilege Granted Experimental
Panther Databricks Principal Removed From Group Experimental
Panther Databricks User Password Changed Experimental
Panther Databricks User Role Modified Experimental
Panther Databricks Workspace Admin Privileged Role Assignment Experimental
Panther Databricks Workspace-Level Configuration Changes Experimental
Kusto Dataverse - New non-interactive identity granted access available
Elastic Delegated Managed Service Account Modification by an Unusual User production
Panther DEPRECATED - AWS User Login Profile Modified
Elastic Deprecated - M365 Teams Guest Access Enabled production
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect PIM Alert Disabling activity
Kusto DEV-0270 New User Creation available
Kusto Device Registration from Malicious IP available
Sigma Disabled guest or builtin account activated experimental
Sigma Disabled guest or builtin account activated (command)
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Sigma Domain group membership change experimental
Kusto DSRM Account Abuse
Sigma DSRM password changed (native) experimental
Sigma DSRM password changed (Reg via command) experimental
Sigma DSRM password changed (Reg via PowerShell) experimental
Elastic EKS Authentication Configuration Modified production
Sigma Enabled User Right in AD to Control User Objects test
YARA-L Entra ID Add User Outside PIM
YARA-L Entra ID Add User To Admin Role
Elastic Entra ID ADRS Token Request by Microsoft Authentication Broker production
Elastic Entra ID Application Credential Modified production
Elastic Entra ID Device Registration with ROADtools Default OS Build production
Elastic Entra ID Device with ROADtools Default OS Build (Entity Analytics) production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Elevated Access to User Access Administrator production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic Entra ID Global Administrator Role Assigned production
Elastic Entra ID Global Administrator Role Assigned (PIM User) production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
Elastic Entra ID Protection User Alert and Device Registration production
YARA-L Entra ID Recently Created User Assigned an Entra ID Role
Elastic Entra ID Register Device with Unusual User Agent (Azure AD Join) production
Elastic Entra ID Service Principal Credentials Created by Unusual User production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID Unusual Cloud Device Registration production
Elastic Entra ID User Added as Registered Application Owner production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Splunk ESXi Account Modified production
Sigma ESXi Admin Permission Assigned To Account Via ESXCLI test
Splunk ESXi User Granted Admin Role production
Kusto External User Access Enabled
Elastic External User Added to Google Workspace Group production
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Kusto Firewall rule manipulation attempts stateful anomaly on database available
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Sigma GCP Access Policy Deleted test
YARA-L GCP Admin Privileged Roles Added To Service Accounts
Elastic GCP IAM Custom Role Creation production
YARA-L GCP IAM Organization Policy Updated Or Deleted
Elastic GCP IAM Service Account Key Deletion production
Elastic GCP Service Account Key Creation production
Elastic GCP Storage Bucket Permissions Modification production
Panther GitHub Malicious Commit Content
Panther GitHub Org Authentication Method Changed
Panther GitHub Org IP Allow List modified
Sigma Github Outside Collaborator Detected test
Elastic GitHub Owner Role Granted To User production
YARA-L GitHub Personal Access Token Created from Tor IP Address
YARA-L GitHub Repository Deploy Key Created Or Modified
Panther GitHub User Role Updated
YARA-L Google Cloud Service Account Key Created or Uploaded
Elastic Google Workspace Admin Role Assigned to a User production
YARA-L Google Workspace Admin Role Assignment
Elastic Google Workspace API Access Granted via Domain-Wide Delegation production
Sigma Google Workspace Application Access Level Modified test
Elastic Google Workspace Custom Admin Role Created production
YARA-L Google Workspace Custom Admin Role Created
Elastic Google Workspace Device Registration After OAuth from Suspicious ASN production
Elastic Google Workspace Device Registration Burst for Single User production
Sigma Google Workspace Granted Domain API Access test
Panther Google Workspace OAuth Application Authorized with Privileged Scopes Experimental
Elastic Google Workspace Object Copied to External Drive with App Consent production
YARA-L Google Workspace Password Policy Changed
Elastic Google Workspace Password Policy Modified production
Elastic Google Workspace Role Modified production
Elastic Google Workspace Suspended User Account Renewed production
Sigma Google Workspace User Granted Admin Privileges test
Elastic Google Workspace User Organizational Unit Changed production
YARA-L Google Workspace User Ou Changed
Elastic Google Workspace User Sign-in from Atypical Device Type production
Sigma Granting Of Permissions To An Account test
Kusto Group created then added to built in domain local or global group
Panther GSuite Workspace Gmail Default Routing Rule Modified
Panther GSuite Workspace Trusted Domain Allowlist Modified
Kusto GWorkspace - Admin permissions granted available
Kusto GWorkspace - User access has been changed available
Sigma Hidden account creation (with fast deletion) experimental
Sigma High risk Active Directory group membership change experimental
Sigma High risk local/domain local group membership change experimental
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Kusto High-Risk Admin Activity available
Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol experimental
Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only experimental
Sigma Host set with constrained delegation experimental
Sigma Host set with unconstrained delegation experimental
Sigma Host unconstrained delegation settings changed for potential abuse (Rubeus) experimental
Sigma IAM Access Key Created test
Sigma IAM Access Key Creation Attempt test
Sigma IAM Admin Policy Attached test
Sigma IAM Login Profile Created test
Sigma IAM Policy Attachment Attempt test
Kusto Illusive Incidents Analytic Rule available
Elastic Kerberos Pre-authentication Disabled for User production
Elastic KRBTGT Delegation Backdoor production
Panther Kubernetes Client Certificate Credential Created
Elastic Kubernetes Client Certificate Signing Request Created or Approved production
Elastic Kubernetes Cluster-Admin Role Binding Created production
Panther Kubernetes ClusterRoleBinding to Privileged Role
Elastic Kubernetes Creation of a RoleBinding Referencing a ServiceAccount production
Elastic Kubernetes Creation or Modification of Sensitive Role production
Panther Kubernetes Long-Lived Service Account Token Created Experimental
Elastic Kubernetes RBAC Wildcard Elevation on Existing Role production
Elastic Kubernetes Sensitive RBAC Change Followed by Workload Modification production
Elastic Kubernetes Service Account Modified RBAC Objects production
Panther Kubernetes System Role Modified or Deleted Experimental
Splunk Linux Auditd Possible Access Or Modification Of Sshd Config File production
Elastic Linux Group Creation production
Splunk Linux Possible Access Or Modification Of sshd Config File production
Splunk Linux Possible Ssh Key File Creation production
Splunk Linux SSH Authorized Keys Modification production
Elastic Linux User Account Credential Modification production
Elastic Linux User Added to Privileged Group production
Kusto Local Admin Group Changes available
Sigma Local group membership change experimental
Elastic M365 Exchange Mailbox Audit Logging Bypass Added production
Elastic M365 Exchange Mailbox High-Risk Permission Delegated production
Elastic M365 Exchange Management Group Role Assigned production
Elastic M365 Exchange MFA Notification Email Deleted or Moved production
Elastic M365 Identity Global Administrator Role Assigned production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Elastic M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
Elastic M365 Security Compliance Admin Signal production building block
Elastic M365 SharePoint Site Administrator Added production
Sigma macOS User Account Manipulation experimental
Kusto Mail.Read Permissions Granted to Application available
Kusto Malicious BEC Inbox Rule
Kusto Malicious Inbox Rule available
Sigma Massive group membership changes detected experimental
Sigma Medium risk Active Directory group membership change experimental
Sigma Medium risk local/domain local group membership change experimental
Sigma Member added to DNSadmin group experimental
Splunk Member added to security-enabled global group (Windows Event Log)
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Modification of the msPKIAccountCredentials production
Kusto Modified domain federation trust settings available
Kusto Multi-Factor Authentication Disabled for a User available
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Sigma New DMSA Service Account Created in Specific OUs experimental
Kusto New External User Granted Admin Role available
Elastic New GitHub App Installed production
Elastic New GitHub Owner Added production
Elastic New GitHub Personal Access Token (PAT) Added production
Panther New IAM Credentials Updated
Sigma New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental
Sigma New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental
Sigma New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental
Sigma New member added to an Exchange administration group (high risk) experimental
Sigma New member added to an Exchange administration group (medium risk) experimental
Elastic New User Added To GitHub Organization production building block
Kusto New user created and added to the built-in administrators group
Panther Notion Login FOLLOWED BY AccountChange
Kusto NRT Authentication Methods Changed for VIP Users
Kusto NRT Malicious Inbox Rule
Kusto NRT Modified domain federation trust settings available
Kusto NRT User added to Microsoft Entra ID Privileged Groups available
Sigma Number Of Resource Creation Or Deployment Activities test
YARA-L O365 AD PowerShell App Login Subsequent Activity
YARA-L O365 Add User To Admin Role
Splunk O365 Admin Consent Bypassed by Service Principal production
Splunk O365 Application Available To Other Tenants production
Splunk O365 Application Registration Owner Added production
Splunk O365 ApplicationImpersonation Role Assigned production
Splunk O365 Elevated Mailbox Permission Assigned production
YARA-L O365 Entra ID App Client Secret Added, Updated or Deleted
Splunk O365 FullAccessAsApp Permission Assigned production
Splunk O365 High Privilege Role Granted production
Splunk O365 Mailbox Folder Read Permission Assigned production
Splunk O365 Mailbox Folder Read Permission Granted production
Splunk O365 Mailbox Read Access Granted to Application production
Splunk O365 New MFA Method Registered production
Splunk O365 Privileged Role Assigned production
Splunk O365 Privileged Role Assigned To Service Principal production
YARA-L O365 Recently Created Entra ID User Assigned Roles
Splunk O365 Service Principal New Client Credentials production
Splunk O365 Service Principal Privilege Escalation production
Splunk O365 Tenant Wide Admin Consent Granted production
Kusto Office Policy Tampering available
Panther Okta AD Agent Token Abuse - Behavioral Experimental
Sigma Okta Admin Role Assigned to an User or Group test
Panther Okta Authentication Bypass via Skeleton Key Injection - Behavioral Experimental
Sigma Okta Identity Provider Created test
Panther Okta Identity Provider Created or Modified
Panther Okta Identity Provider Sign-in
Splunk Okta New Device Enrolled on Account production
Elastic Okta User Assigned Administrator Role production
Panther OpenAI Admin Role Assignment
Panther OpenAI Anomalous API Key Activity
Panther OpenAI SCIM Configuration Change
Elastic OpenSSL Password Hash Generation production
Sigma Password Change on Directory Service Restore Mode (DSRM) Account stable
Sigma Password Set to Never Expire via WMI experimental
Kusto Pathlock TDnR - Authorization Profile Changes available
Kusto Pathlock TDnR - Authorization Role Changes available
Kusto Pathlock TDnR - CUA Settings Changes available
Kusto Pathlock TDnR - Global System Change Setting Events available
Kusto Pathlock TDnR - Kerberos Keytab Changes available
Kusto Pathlock TDnR - RFC Connection Changes available
Kusto Pathlock TDnR - SAP Authorization Changes available
Kusto Pathlock TDnR - SAP Client Configuration Changes available
Kusto Pathlock TDnR - SAP Instance Profile Changes available
Kusto Pathlock TDnR - System Security Policy Changes available
Kusto Pathlock TDnR - User Access Management Password Resets available
Kusto Pathlock TDnR - User Master Data Changes available
Kusto Pathlock TDnR - User-Profile Assignment Changes available
Kusto Pathlock TDnR - User-Role Assignment Changes available
Kusto Ping Federate - Abnormal password resets for user available
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Elastic Pod or Container Creation with Suspicious Command-Line production
Kusto Possible SignIn from Azure Backdoor
Elastic Potential Active Directory Replication Account Backdoor production
Elastic Potential Admin Group Account Addition production
Elastic Potential Linux Backdoor User Account Creation production
Elastic Potential Persistence via File Modification production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Potential Shadow Credentials added to AD Object production
Elastic Potential Suspicious File Edit production
Sigma Powershell LocalAccount Manipulation test
Sigma Powerview Add-DomainObjectAcl DCSync AD Extend Right test
Sigma Privilege SeMachineAccountPrivilege abuse experimental
Sigma Privileged User Has Been Created test
Kusto Rare and potentially high-risk Office operations available
Kusto Rare subscription-level operations in Azure available
Kusto RecordedFuture Threat Hunting Url All Actors
Sigma Risk for account takeover - phone number registered to multiple users experimental
Sigma Risk for account takeover - same Guardian application device is registered for MFA to multiple users experimental
Sigma Risk of Tenant Takeover experimental
Panther Root Account Access Key Created
Panther Root Password Changed
Panther Salesforce Third-Party Integration Monitoring
YARA-L sap change documents sensitive profile assignment
YARA-L sap change documents sensitive profile assignment data table
YARA-L sap change documents sensitive role assignment
YARA-L sap critial role assigned to new user
YARA-L sap critical authorization value changed
YARA-L sap critical role assigned to new user
YARA-L sap hanadb assign admin authorizations
YARA-L sap multiple password changes
YARA-L sap sensitive role assignment correlation
YARA-L sap sensitive role authorization modification
Kusto Semperis DSP RBAC Changes available
Kusto Semperis DSP Recent sIDHistory changes on AD objects available
Panther Sensitive API Calls Via VPC Endpoint
Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal production
Kusto Server Oriented Cmdlet And User Oriented Cmdlet used available
Kusto Shadow Credentials Added to Account
Kusto Shadow Credentials Added to Account (Alternative)
Elastic Shadow File Modification by Unusual Process production
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts available
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Panther Slack App Access Expanded
Panther Slack Primary Owner Transferred
Panther Slack Private Channel Made Public
Kusto SlackAudit - User role changed to admin or owner available
Panther Snowflake user with key-based auth logged in with password auth
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in User Account Management Events production
Elastic Spike in User Lifecycle Management Change Events production
Sigma SPN added to an account by command line experimental
Sigma SQL Server - Member got new privileges added on a database experimental
Sigma SQL Server - Member got new privileges added on a SQL instance level experimental
Sigma SQL Server - new member added to a database role experimental
Sigma SQL Server - new member added to a server role experimental
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Kusto StealthTalk - Multi new devices registration available
Sigma Suspicious Computer Account Name Change CVE-2021-42287 test
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Kusto Suspicious granting of permissions to an account available
Sigma Suspicious modification of a computer account SPN experimental
Sigma Suspicious modification of a fake domain controller SPN (DCshadow) experimental
Sigma Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) experimental
Sigma Suspicious modification of a user account SPN to enable Kerberoast attack experimental
Kusto Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Kubernetes Sensitive Workload Modification production
Elastic Unusual Login via System User production
Elastic Unusual Privilege Type assigned to a User production
Kusto User account added to built in domain local or global group
Kusto User account created and deleted within 10 mins
Sigma User account creation disguised in a computer account experimental
Kusto User account enabled and disabled within 10 mins
Elastic User account exposed to Kerberoasting production
Sigma User added to a group via commandline
Sigma User Added to an Administrator's Azure AD Role test
Sigma User Added To Highly Privileged Group test
Sigma User Added to Local Administrator Group stable
Sigma User Added to Local Administrators Group test
Kusto User added to Microsoft Entra ID Privileged Groups available
Elastic User Added to Privileged Group in Active Directory production
Elastic User Added to the Admin Group production
Elastic User or Group Creation/Modification production
Sigma User password change using current hash password - ChangeNTLM (Mimikatz) experimental
Sigma User password change without previous password known - SetNTLM (Mimikatz) experimental
Kusto User State changed from Guest to Member
Kusto VIP Mailbox manipulation available
Kusto VMware ESXi - Root password changed available
Splunk Windows AD add Self to Group production
Splunk Windows AD DSRM Account Changes production
Splunk Windows AD DSRM Password Reset production
Splunk Windows AD Privileged Group Modification production
Splunk Windows AD Self DACL Assignment production
Splunk Windows AD ServicePrincipalName Added To Domain Account production
Splunk Windows AD Short Lived Domain Account ServicePrincipalName production
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows DnsAdmins New Member Added production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows Increase in Group or Object Modification Activity production
Splunk Windows Increase in User Modification Activity production
Sigma Windows LAPS Credential Dump From Entra ID test
Splunk Windows Multiple Account Passwords Changed production
Splunk Windows Multiple Accounts Deleted production
Splunk Windows Multiple Accounts Disabled production
Elastic WRITEDAC Access on Active Directory Object production building block

Account Manipulation: Additional Cloud Credentials T1098.001 56 rules

Panther A Teleport Role was modified or created
Sigma Added Credentials to Existing Application test
Panther Anthropic Admin API Key Created
Panther Anthropic Admin API Key Deleted
Panther Anthropic Service Key Created
Panther Anthropic Service Key Revoked
Sigma API Key Created test
Elastic Application Added to Google Workspace Domain production
Sigma Attempt To Create API Key test
Elastic Attempt to Create Okta API Token production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS First Occurrence of STS GetFederationToken Request by User production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM User Created Access Keys For Another User production
Panther AWS Privilege Escalation Via User Compromise
Elastic AWS RDS DB Instance or Cluster Password Modified production
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Panther AWS User Takeover Via Password Reset
Kusto AWSCloudTrail - Changes to internet facing AWS RDS Database instances available
Kusto AWSCloudTrail - Creation of Access Key for IAM User available
Splunk Azure AD Service Principal New Client Credentials production
Panther Azure Service Principal Credentials Added
Elastic Azure Storage Account Key Regenerated production
YARA-L Client Secret Added to Entra ID Application
Panther Crowdstrike API Key Created
Panther Crowdstrike User Password Changed
Kusto Detect credential add to Connect Sync Application
Elastic Entra ID Application Credential Modified production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic Entra ID Service Principal Credentials Created by Unusual User production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic GCP Service Account Key Creation production
Sigma Github Outside Collaborator Detected test
YARA-L GitHub Personal Access Token Created from Tor IP Address
YARA-L GitHub Repository Deploy Key Created Or Modified
YARA-L Google Cloud Service Account Key Created or Uploaded
Elastic Google Workspace Object Copied to External Drive with App Consent production
Sigma IAM Access Key Created test
Sigma IAM Access Key Creation Attempt test
Sigma IAM Login Profile Created test
Panther IAM Role Added to RDS Instance or Cluster
Kusto New External User Granted Admin Role available
Elastic New GitHub Personal Access Token (PAT) Added production
Elastic New User Added To GitHub Organization production building block
YARA-L O365 AD PowerShell App Login Subsequent Activity
YARA-L O365 Entra ID App Client Secret Added, Updated or Deleted
Splunk O365 Service Principal New Client Credentials production
Sigma Okta Identity Provider Created test
Panther Wiz User Role Updated Or Deleted

Account Manipulation: Additional Email Delegate Permissions T1098.002 8 rules

Splunk Azure AD FullAccessAsApp Permission Assigned production
Elastic M365 Exchange Mailbox High-Risk Permission Delegated production
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Splunk O365 ApplicationImpersonation Role Assigned production
Splunk O365 Elevated Mailbox Permission Assigned production
Splunk O365 FullAccessAsApp Permission Assigned production
Splunk O365 Mailbox Folder Read Permission Assigned production
Splunk O365 Mailbox Folder Read Permission Granted production

Account Manipulation: Additional Cloud Roles T1098.003 107 rules

Kusto Admin promotion after Role Management Application Permission Grant available
Elastic Administrator Privileges Assigned to an Okta Group production
Panther Anthropic Primary Owner Transferred
Sigma App Assigned To Azure RBAC/Microsoft Entra Role test
Sigma App Granted Privileged Delegated Or App Permissions test
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS IAM AdministratorAccess Policy Attached to Group production
Elastic AWS IAM AdministratorAccess Policy Attached to Role production
Elastic AWS IAM AdministratorAccess Policy Attached to User production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Roles Anywhere Profile Creation production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM User Addition to Group production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Kusto AWSCloudTrail - CloudFormation policy created then used for privilege escalation available
Kusto AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of EC2 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Glue policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of SSM policy and then privilege escalation available
Kusto AWSCloudTrail - Policy version set to default available
Kusto AWSCloudTrail - Privilege escalation via CloudFormation policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD IAM policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD KMS policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD S3 policy available
Kusto AWSCloudTrail - Privilege escalation via DataPipeline policy available
Kusto AWSCloudTrail - Privilege escalation via EC2 policy available
Kusto AWSCloudTrail - Privilege escalation via Glue policy available
Kusto AWSCloudTrail - Privilege escalation via Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via SSM policy available
Kusto AWSCloudTrail - Privilege escalation with admin managed policy available
Kusto AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy available
Kusto AWSCloudTrail - Privilege escalation with FullAccess managed policy available
Splunk Azure AD Admin Consent Bypassed by Service Principal production
Splunk Azure AD Application Administrator Role Assigned production
Splunk Azure AD FullAccessAsApp Permission Assigned production
Splunk Azure AD Global Administrator Role Assigned production
Splunk Azure AD PIM Role Assigned production
Splunk Azure AD PIM Role Assignment Activated production
Splunk Azure AD Privileged Role Assigned production
Splunk Azure AD Privileged Role Assigned to Service Principal production
Splunk Azure AD Service Principal Privilege Escalation production
Splunk Azure AD Tenant Wide Admin Consent Granted production
Elastic Azure Event Hub Authorization Rule Created or Updated production
Panther Azure Privileged or Elevated Role Assignment
Elastic Azure RBAC Built-In Administrator Roles Assigned production
Panther Azure User Elevated to User Access Administrator Role
Panther Crowdstrike Admin Role Assigned
Panther Crowdstrike New Admin User Created
YARA-L Entra ID Add User Outside PIM
YARA-L Entra ID Add User To Admin Role
Elastic Entra ID Elevated Access to User Access Administrator production
Elastic Entra ID Global Administrator Role Assigned production
Elastic Entra ID Global Administrator Role Assigned (PIM User) production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
YARA-L Entra ID Recently Created User Assigned an Entra ID Role
YARA-L GCP Admin Privileged Roles Added To Service Accounts
Elastic GCP IAM Custom Role Creation production
Panther GCP Inbound SSO Profile Created
Elastic GCP Storage Bucket Permissions Modification production
Panther GCP Workforce Pool Created or Updated
Panther GCP Workload Identity Pool Created or Updated
Sigma Github Outside Collaborator Detected test
Elastic GitHub Owner Role Granted To User production
Elastic Google Workspace Admin Role Assigned to a User production
YARA-L Google Workspace Admin Role Assignment
Sigma Google Workspace Application Access Level Modified test
Elastic Google Workspace Custom Admin Role Created production
YARA-L Google Workspace Custom Admin Role Created
Elastic Google Workspace User Organizational Unit Changed production
YARA-L Google Workspace User Ou Changed
Sigma Granting Of Permissions To An Account test
Sigma IAM Admin Policy Attached test
Sigma IAM Policy Attachment Attempt test
Elastic M365 Exchange Management Group Role Assigned production
Elastic M365 Identity Global Administrator Role Assigned production
Elastic M365 SharePoint Site Administrator Added production
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic New GitHub Owner Added production
Elastic New User Added To GitHub Organization production building block
YARA-L O365 Add User To Admin Role
Splunk O365 Admin Consent Bypassed by Service Principal production
Splunk O365 Application Available To Other Tenants production
Splunk O365 FullAccessAsApp Permission Assigned production
Splunk O365 High Privilege Role Granted production
Splunk O365 Mailbox Read Access Granted to Application production
Splunk O365 Privileged Role Assigned production
Splunk O365 Privileged Role Assigned To Service Principal production
YARA-L O365 Recently Created Entra ID User Assigned Roles
Splunk O365 Service Principal Privilege Escalation production
Splunk O365 Tenant Wide Admin Consent Granted production
Sigma Okta Admin Role Assigned to an User or Group test
Elastic Okta User Assigned Administrator Role production
Panther OpenAI Admin Role Assignment
Panther Slack User Privilege Escalation
Sigma User Added to an Administrator's Azure AD Role test
Panther ZIA Additional Cloud Roles

Account Manipulation: SSH Authorized Keys T1098.004 12 rules

Elastic AWS EC2 Instance Connect SSH Public Key Uploaded production
Splunk Linux Auditd Possible Access Or Modification Of Sshd Config File production
Splunk Linux Possible Access Or Modification Of sshd Config File production
Splunk Linux Possible Ssh Key File Creation production
Splunk Linux SSH Authorized Keys Modification production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Unusual Login via System User production

Account Manipulation: Device Registration T1098.005 22 rules

Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Splunk Azure AD New MFA Method Registered production
Elastic Entra ID ADRS Token Request by Microsoft Authentication Broker production
Elastic Entra ID Device Registration with ROADtools Default OS Build production
Elastic Entra ID Device with ROADtools Default OS Build (Entity Analytics) production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Register Device with Unusual User Agent (Azure AD Join) production
Elastic Entra ID Unusual Cloud Device Registration production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Elastic Google Workspace Device Registration After OAuth from Suspicious ASN production
Elastic Google Workspace Device Registration Burst for Single User production
Elastic Google Workspace User Sign-in from Atypical Device Type production
Elastic M365 Exchange MFA Notification Email Deleted or Moved production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Splunk O365 New MFA Method Registered production
Splunk Okta New Device Enrolled on Account production
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Sigma Windows LAPS Credential Dump From Entra ID test

Account Manipulation: Additional Container Cluster Roles T1098.006 12 rules

Elastic AWS EKS Access Entry Granted Cluster Admin Policy production
Elastic AWS EKS Access Entry Modified production
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Elastic EKS Authentication Configuration Modified production
Elastic Kubernetes Client Certificate Signing Request Created or Approved production
Elastic Kubernetes Cluster-Admin Role Binding Created production
Elastic Kubernetes Creation of a RoleBinding Referencing a ServiceAccount production
Elastic Kubernetes Creation or Modification of Sensitive Role production
Elastic Kubernetes RBAC Wildcard Elevation on Existing Role production
Elastic Kubernetes Sensitive RBAC Change Followed by Workload Modification production
Elastic Kubernetes Service Account Modified RBAC Objects production
Elastic Unusual Kubernetes Sensitive Workload Modification production

Account Manipulation: Additional Local or Domain Groups T1098.007 9 rules

Elastic Linux Group Creation production
Elastic Linux User Added to Privileged Group production
Elastic Potential Admin Group Account Addition production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Unusual Group Name Accessed by a User production
Elastic User Added to Privileged Group in Active Directory production
Elastic User Added to the Admin Group production
Elastic User or Group Creation/Modification production

Redundant Access T1108 3 rules

Panther AWS User API Key Created
Panther AWS User Login Profile Created or Modified
Panther DEPRECATED - AWS User Login Profile Modified

Modify Registry T1112 254 rules

Sigma Activate Suppression of Windows Security Center Notifications test
Sigma Add DisallowRun Execution to Registry test
Sigma Allow RDP Remote Assistance Feature test
Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
Sigma Blackbyte Ransomware Registry test
YARA-L Blackbyte Ransomware Registry
Sigma Blue Mockingbird test
Sigma Blue Mockingbird - Registry test
Sigma Change the Fax Dll test
Sigma Change User Account Associated with the FAX Service test
Sigma ClickOnce Trust Prompt Tampering test
Elastic Code Signing Policy Modification Through Registry production
Elastic Component Object Model Hijacking production
Sigma CrashControl CrashDump Disabled test
Sigma CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry test
Splunk Defender Registry Values Modified (Sysmon)
Splunk Defender Registry Values Modified (Windows Event Log)
Elastic Deprecated - Encoded Executable Stored in the Registry production
Kusto Detect Registry Run Key Creation/Modification available
Sigma DHCP Callout DLL Installation test
Sigma Disable Internal Tools or Feature in Registry test
YARA-L Disable Internal Tools or Feature in Registry
Splunk Disable Registry Tool production
Sigma Disable Security Events Logging Adding Reg Key MiniNt test
Splunk Disable Security Logs Using MiniNt Registry production
Splunk Disable Show Hidden Files production
Splunk Disable Windows App Hotkeys production
Sigma Disable Windows Security Center Notifications test
Splunk Disabling CMD Application production
Splunk Disabling ControlPanel production
Elastic Disabling Lsa Protection via Registry Modification production
Splunk Disabling NoRun Windows App production
Elastic Disabling User Account Control via Registry Modification production
Elastic DNS Global Query Block List Modified or Disabled production
Sigma DNS-over-HTTPS Enabled by Registry test
Elastic DNS-over-HTTPS Enabled via Registry production
Sigma Enable LM Hash Storage test
Sigma Enable LM Hash Storage - ProcCreation test
Splunk Enable WDigest UseLogonCredential Registry production
Sigma ETW Logging Disabled For rpcrt4.dll test
Sigma ETW Logging Disabled For SCM test
Sigma ETW Logging Disabled In .NET Processes - Registry test
Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry test
Elastic File or Directory Deletion Command production building block
Sigma FlowCloud Registry Markers test
Splunk FodHelper UAC Bypass production
Elastic Full User-Mode Dumps Enabled System-Wide production
Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (PowerShell)
Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (Windows Event Log)
Elastic Image File Execution Options Injection production
Sigma Impacket SMBexec service creation (registry) experimental
Sigma Impacket SMBexec service registration (native) experimental
Sigma Imports Registry Key From a File test
Sigma Imports Registry Key From an ADS test
Elastic Installation of Security Support Provider production
Elastic Local Account TokenFilter Policy Disabled production
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
Sigma Macro Enabled In A Potentially Suspicious Document test
Splunk Malicious InProcServer32 Modification production
Sigma Microsoft Office Trusted Location Updated test
Elastic Microsoft Windows Defender Tampering production
Elastic Modification of AmsiEnable Registry Key production
Sigma Modification of IE Registry Settings test
Elastic Modification of WDigest Security Provider production
Splunk Modify Registry Key (Windows Event Log)
Elastic MS Office Macro Security Registry Modifications production
Sigma NET NGenAssemblyUsageLog Registry Key Tamper test
Sigma NetNTLM Downgrade Attack test
Sigma NetNTLM Downgrade Attack - Registry test
Elastic Netsh Helper DLL production
Elastic Network-Level Authentication (NLA) Disabled production
Sigma New BgInfo.EXE Custom DB Path Registry Configuration test
Sigma New BgInfo.EXE Custom VBScript Registry Configuration test
Sigma New BgInfo.EXE Custom WMI Query Registry Configuration test
Sigma New DNS ServerLevelPluginDll Installed test
Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
Sigma Non-privileged Usage of Reg or Powershell test
Elastic NullSessionPipe Registry Modification production
Sigma OceanLotus Registry Activity test
Sigma Office Macros Warning Disabled test
Elastic Office Test Registry Persistence production
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Outlook EnableUnsafeClientMailRules Setting Enabled - Registry test
Elastic Outlook Home Page Registry Modification production
Elastic Persistence via Hidden Run Key Detected production
Elastic Port Forwarding Rule Addition production
Splunk Possible Credential Dumping via Windows Network Providers (PowerShell)
Splunk Possible Credential Dumping via Windows Network Providers (Windows Event Log)
Elastic Potential NetNTLMv1 Downgrade Attack production
Sigma Potential NetWire RAT Activity - Registry test
Sigma Potential Persistence Via Custom Protocol Handler test
Sigma Potential Persistence Via Event Viewer Events.asp test
Elastic Potential Persistence via Mandatory User Profile production
Sigma Potential Persistence Via Outlook Home Page test
Sigma Potential Persistence Via Outlook Today Page test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma Potential Qakbot Registry Activity test
Sigma Potential Raspberry Robin Registry Set Internet Settings ZoneMap test
Elastic Potential RemoteMonologue Attack production
Sigma Potential Suspicious Registry File Imported Via Reg.EXE test
Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
YARA-L Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Sigma Potential Ursnif Malware Activity - Registry test
Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
Sigma Potentially Suspicious Desktop Background Change Via Registry test
Sigma PowerShell Logging Disabled Via Registry Key Tampering test
Splunk PowerShell Modifying Registry Values (PowerShell)
Splunk PowerShell Modifying Registry Values (Sysmon)
Splunk PowerShell Modifying Registry Values (Windows Event Log)
Elastic PowerShell Script Block Logging Disabled production
Elastic Privilege Escalation via Windir Environment Variable production
Splunk RDP Enabled (PowerShell)
Splunk RDP Enabled (Sysmon)
Splunk RDP Enabled (Windows Event Log)
Elastic RDP Enabled via Registry production
Sigma RDP Sensitive Settings Changed test
YARA-L RDP Sensitive Settings Changed
Sigma RDP Sensitive Settings Changed to Zero test
YARA-L RDP Sensitive Settings Changed to Zero
Sigma RedMimicry Winnti Playbook Registry Manipulation test
Sigma Reg Add Suspicious Paths test
Splunk Reg.exe Process Execution (Sysmon)
Splunk Reg.exe Process Execution (Windows Event Log)
Splunk Regini.exe Execution (Sysmon)
Splunk Regini.exe Execution (Windows Event Log)
Sigma Registry Entries For Azorult Malware test
Splunk Registry Entry Created - PowerShell (PowerShell)
Sigma Registry Explorer Policy Modification test
Sigma Registry Hide Function from User test
Splunk Registry key added with reg.exe (Sysmon)
Splunk Registry key added with reg.exe (Windows Event Log)
Sigma Registry Manipulation via WMI Stdregprov experimental
Sigma Registry Modification Attempt Via VBScript experimental
Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
Sigma Registry Modification for OCI DLL Redirection experimental
Sigma Registry Modification of MS-settings Protocol Handler test
Sigma Registry Modification Via Regini.EXE test
Elastic Registry Persistence via AppInit DLL production
Sigma Registry Tampering by Potentially Suspicious Processes experimental
Splunk Remcos client registry install entry production
Sigma Remote Registry Lateral Movement test
Sigma Removal of Potential COM Hijacking Registry Keys test
Sigma RestrictedAdminMode Registry Value Tampering test
YARA-L RestrictedAdminMode Registry Value Tampering
Sigma RestrictedAdminMode Registry Value Tampering - ProcCreation test
Splunk Revil Registry Entry production
Sigma Run Once Task Configuration in Registry test
Sigma Run Once Task Execution as Configured in Registry test
Splunk Rundll32 Shimcache Flush production
Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
Sigma Service Binary in Suspicious Folder test
Sigma Service Binary in User Controlled Folder test
Elastic Service Disabled via Registry Modification production building block
Elastic Service Path Modification production building block
Elastic Service Path Modification via sc.exe production building block
Sigma ShimCache Flush stable
YARA-L ShimCache Flush
Elastic SolarWinds Process Disabling Services via Registry production
Elastic Startup or Run Key Registry Modification production
Elastic Suspicious ImagePath Service Creation production
Elastic Suspicious Print Spooler Point and Print DLL production
Splunk Suspicious Reg exe Process production
Sigma Suspicious Registry Modification From ADS Via Regini.EXE test
Elastic Suspicious Startup Shell Folder Modification production
Sigma Suspicious VBoxDrvInst.exe Parameters test
Sigma Sysmon Channel Reference Deletion test
Sigma Terminal Server Client Connection History Cleared - Registry test
Sigma Trust Access Disable For VBApplications test
Sigma Uncommon Microsoft Office Trusted Location Added test
Elastic Uncommon Registry Persistence Change production
Elastic Unusual Persistence via Services Registry production
Sigma User Shell Folders Registry Modification via CommandLine experimental
Sigma Wdigest CredGuard Registry Modification test
Sigma Wdigest Enable UseLogonCredential test
YARA-L Wdigest Enable UseLogonCredential
Splunk WDigest Forced Credential Caching (PowerShell)
Splunk WDigest Forced Credential Caching (Sysmon)
Splunk WDigest Forced Credential Caching (Windows Event Log)
Elastic Werfault ReflectDebugger Persistence production
Splunk Windows Anomalous Registry Value Length in Environment Key production
Splunk Windows Defender ASR Registry Modification production
Splunk Windows Defender ASR Rule Disabled production
Elastic Windows Defender Disabled via Registry Modification production
Splunk Windows Deleted Registry By A Non Critical Process File Path production
Splunk Windows Disable Change Password Through Registry production
Splunk Windows Disable Lock Workstation Feature Through Registry production
Splunk Windows Disable LogOff Button Through Registry production
Splunk Windows Disable Notification Center production
Splunk Windows Disable Shutdown Button Through Registry production
Splunk Windows Disable Windows Group Policy Features Through Registry production
Splunk Windows Downdate Registry Activity production
Sigma Windows Event Log Access Tampering Via Registry experimental
Splunk Windows Hide Notification Features Through Registry production
Splunk Windows Impair Defenses Disable AV AutoStart via Registry production
Splunk Windows InProcServer32 New Outlook Form production
Splunk Windows Modify Registry AuthenticationLevelOverride production
Splunk Windows Modify Registry Auto Minor Updates production
Splunk Windows Modify Registry Auto Update Notif production
Splunk Windows Modify Registry Configure BitLocker production
Splunk Windows Modify Registry Default Icon Setting production
Splunk Windows Modify Registry Delete Firewall Rules production
Splunk Windows Modify Registry Disable RDP production
Splunk Windows Modify Registry Disable Restricted Admin production
Splunk Windows Modify Registry Disable Toast Notifications production
Splunk Windows Modify Registry Disable Win Defender Raw Write Notif production
Splunk Windows Modify Registry Disable WinDefender Notifications production
Splunk Windows Modify Registry Disable Windows Security Center Notif production
Splunk Windows Modify Registry DisableRemoteDesktopAntiAlias production
Splunk Windows Modify Registry DisableSecuritySettings production
Splunk Windows Modify Registry Disabling WER Settings production
Splunk Windows Modify Registry DisAllow Windows App production
Splunk Windows Modify Registry Do Not Connect To Win Update production
Splunk Windows Modify Registry DontShowUI production
Splunk Windows Modify Registry EnableLinkedConnections production
Splunk Windows Modify Registry LongPathsEnabled production
Splunk Windows Modify Registry MaxConnectionPerServer production
Splunk Windows Modify Registry No Auto Reboot With Logon User production
Splunk Windows Modify Registry No Auto Update production
Splunk Windows Modify Registry NoChangingWallPaper production
Splunk Windows Modify Registry on Smart Card Group Policy production
Splunk Windows Modify Registry ProxyEnable production
Splunk Windows Modify Registry ProxyServer production
Splunk Windows Modify Registry Qakbot Binary Data Registry production
Splunk Windows Modify Registry Regedit Silent Reg Import production
Splunk Windows Modify Registry Risk Behavior production
Splunk Windows Modify Registry Suppress Win Defender Notif production
Splunk Windows Modify Registry Tamper Protection production
Splunk Windows Modify Registry to Add or Modify Firewall Rule production
Splunk Windows Modify Registry UpdateServiceUrlAlternate production
Splunk Windows Modify Registry USeWuServer production
Splunk Windows Modify Registry Utilize ProgIDs production
Splunk Windows Modify Registry ValleyRAT C2 Config production
Splunk Windows Modify Registry ValleyRat PWN Reg Entry production
Splunk Windows Modify Registry With MD5 Reg Key Name production
Splunk Windows Modify Registry WuServer production
Splunk Windows Modify Registry wuStatusServer production
Splunk Windows Modify Show Compress Color And Info Tip Registry production
Splunk Windows New InProcServer32 Added production
Splunk Windows Outlook Dialogs Disabled from Unusual Process production
Splunk Windows Outlook LoadMacroProviderOnBoot Persistence production
Splunk Windows Outlook WebView Registry Modification production
Splunk Windows Routing and Remote Access Service Registry Key Change production
Splunk Windows RunMRU Registry Key or Value Deleted production
Splunk Windows Set Network Profile Category to Private via Registry production
Splunk Windows Snake Malware Registry Modification wav OpenWithProgIds production
Splunk Windows SnappyBee Create Test Registry production
Elastic Windows Subsystem for Linux Distribution Installed production
Sigma Winlogon AllowMultipleTSSessions Enable test

External Remote Services T1133 216 rules

Elastic Accepted Default Telnet Port Connection production
Kusto Apache - Apache 2.4.49 flaw CVE-2021-41773 available
Kusto Apache - Command in URI available
Kusto Apache - Known malicious user agent available
Kusto Apache - Multiple client errors from single IP available
Kusto Apache - Multiple server errors from single IP available
Kusto Apache - Private IP in URL available
Kusto Apache - Put suspicious file available
Kusto Apache - Request from private IP available
Kusto Apache - Requests to rare files available
Kusto ApexOne - Commands in Url available
Elastic AWS EC2 Network Access Control List Creation production
Elastic AWS EC2 Security Group Configuration Change production
Elastic AWS RDS DB Instance Made Public production
Panther AWS RDS Instance Modified to be Publicly Accessible
Kusto AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available
Panther AWS VPC Default Network ACL Restricts All Traffic
Panther AWS VPC Default Security Group Restrictions
Splunk Cisco Network Interface Modifications production
Kusto Cisco SE - Malware outbreak available
Kusto Cisco SE - Multiple malware on host available
Kusto Cisco SE - Unexpected binary file available
Kusto CiscoISE - Command executed with the highest privileges from new IP available
Kusto CiscoISE - Command executed with the highest privileges by new user available
Kusto Claroty - Login to uncommon location available
Kusto Claroty - Multiple failed logins by user available
Kusto Claroty - Multiple failed logins to same destinations available
Kusto Claroty - New Asset available
Kusto Cloudflare - Bad client IP available
Kusto Cloudflare - Bad client IP available
Kusto Cloudflare - Client request from country in blocklist available
Kusto Cloudflare - Client request from country in blocklist available
Kusto Cloudflare - Empty user agent available
Kusto Cloudflare - Empty user agent available
Kusto Cloudflare - Multiple error requests from single source available
Kusto Cloudflare - Multiple error requests from single source available
Kusto Cloudflare - Multiple user agents for single source available
Kusto Cloudflare - Multiple user agents for single source available
Kusto Cloudflare - Unexpected client request available
Kusto Cloudflare - Unexpected client request available
Kusto Cloudflare - Unexpected URI available
Kusto Cloudflare - Unexpected URI available
Kusto Cloudflare - WAF Allowed threat available
Kusto Cloudflare - WAF Allowed threat available
Kusto Cloudflare - XSS probing pattern in request available
Kusto Cloudflare - XSS probing pattern in request available
Splunk Confluence Unauthenticated Remote Code Execution CVE-2022-26134 production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used with Office 365 available
Kusto Dataverse - TI map IP to DataverseActivity available
Splunk Detect attackers scanning for vulnerable JBoss servers experimental
Splunk Detect Exchange Web Shell production
Kusto Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect known risky user agents (ASIM Web Session) available
Kusto Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) available
Kusto Detect presence of uncommon user agents in web requests (ASIM Web Session) available
Kusto Detect threat information in web requests (ASIM Web Session) available
Kusto Detect URLs containing known malicious keywords or commands (ASIM Web Session) available
Kusto Detect web requests to potentially harmful files (ASIM Web Session) available
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
Splunk Exchange PowerShell Abuse via SSRF experimental
Splunk Exploit Public Facing Application via Apache Commons Text production
Splunk Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 production
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Splunk F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 production
Sigma Failed Logon From Public IP test
Elastic First Occurrence of Okta User Session Started via Proxy production
Sigma FortiGate - New VPN SSL Web Portal Added experimental
Sigma FortiGate - VPN SSL Settings Modified experimental
Splunk Fortinet Appliance Auth bypass production
Kusto Fortiweb - WAF Allowed threat available
Kusto GCP Audit Logs - Open Firewall Rule Created or Modified available
Kusto GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available
Kusto GSA - Detect Connections Outside Operational Hours available
Kusto GWorkspace - Alert events available
Splunk Hunting for Log4Shell production
Kusto Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available
Kusto Imperva - Abnormal protocol usage available
Kusto Imperva - Critical severity event not blocked available
Kusto Imperva - Forbidden HTTP request method in request available
Kusto Imperva - Malicious Client available
Kusto Imperva - Malicious user agent available
Kusto Imperva - Multiple user agents from same source available
Kusto Imperva - Possible command injection available
Kusto Imperva - Request from unexpected countries available
Kusto Imperva - Request from unexpected IP address to admin panel available
Kusto Imperva - Request to unexpected destination port available
Elastic Insecure AWS EC2 VPC Security Group Ingress Rule Added production
Splunk Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 production
Splunk Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 production
Kusto Jamf Protect - Network Threats available
Splunk Java Writing JSP File production
Elastic Kubernetes Exposed Service Created With Type NodePort production
Splunk Living Off The Land Detection production
Splunk Log4Shell CVE-2021-44228 Exploitation production
Splunk Log4Shell JNDI Payload Injection Attempt production
Splunk Log4Shell JNDI Payload Injection with Outbound Connection production
Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
Kusto NGINX - Command in URI available
Kusto NGINX - Known malicious user agent available
Kusto NGINX - Multiple client errors from single IP address available
Kusto NGINX - Multiple server errors from single IP address available
Kusto NGINX - Multiple user agents for single source available
Kusto NGINX - Private IP address in URL available
Kusto NGINX - Put file and get file from same IP address available
Elastic Ollama API Accessed from External Network production
Sigma OpenCanary - RDP New Connection Attempt experimental
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - Telnet Login Attempt test
Kusto Oracle - Command in URI available
Kusto Oracle - Malicious user agent available
Kusto Oracle - Multiple client errors from single IP available
Kusto Oracle - Multiple server errors from single IP available
Kusto Oracle - Multiple user agents for single source available
Kusto Oracle - Private IP in URL available
Kusto Oracle - Put file and get file from same IP address available
Kusto Oracle - Put suspicious file available
Kusto OracleDBAudit - Connection to database from external IP available
Splunk Outbound Network Connection from Java Using Default Ports production
Kusto Palo Alto Prisma Cloud - High risk score alert available
Kusto Palo Alto Prisma Cloud - High severity alert opened for several days available
Kusto Palo Alto Prisma Cloud - Maximum risk score alert available
Kusto Palo Alto Prisma Cloud - Network ACL allow all outbound traffic available
Kusto Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports available
Kusto Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic available
Kusto PaloAlto - Dropping or denying session with traffic available
Kusto PaloAlto - File type changed available
Kusto PaloAlto - Forbidden countries available
Kusto PaloAlto - Inbound connection to high risk ports available
Kusto PaloAlto - MAC address conflict available
Kusto PaloAlto - Possible attack without response available
Kusto PaloAlto - Possible flooding available
Kusto PaloAlto - Put and post method request in high risk file type available
Kusto PaloAlto - User privileges was changed available
Splunk PaperCut NG Remote Web Access Attempt production
Splunk PaperCut NG Suspicious Behavior Debug Log production
Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
Elastic Potential macOS SSH Brute Force Detected production
Splunk ProxyShell ProxyNotShell Behavior Detected production
Kusto Radiflow - New Activity Detected available
Elastic RDP (Remote Desktop Protocol) from the Internet production
Splunk RDP Brute-force Detection (Windows Event Log)
Splunk RDP Connection (Sysmon)
Splunk RDP Connection (Windows Event Log)
Splunk RDP Hijacking (Windows Event Log)
Splunk RDP Logon_Logoff Event (Windows Event Log)
Sigma Remote Access Tool - ScreenConnect Installation Execution test
Sigma Remote Access Tool - Team Viewer Session Started On Linux Host test
Sigma Remote Access Tool - Team Viewer Session Started On MacOS Host test
Sigma Remote Access Tool - Team Viewer Session Started On Windows Host test
Elastic Remote SSH Login Enabled via systemsetup Command production
Elastic RPC (Remote Procedure Call) from the Internet production
Sigma Running Chrome VPN Extensions via the Registry 2 VPN Extension test
Kusto SailPointIdentityNowAlertForTriggers available
Kusto SailPointIdentityNowEventType available
Kusto SailPointIdentityNowEventTypeTechnicalName available
Kusto SailPointIdentityNowFailedEvents available
Kusto SailPointIdentityNowFailedEventsBasedOnTime available
Kusto SailPointIdentityNowUserWithFailedEvent available
Kusto Semperis DSP Operations Critical Notifications available
Kusto SlackAudit - Empty User Agent available
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Splunk Spring4Shell Payload URL Request production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Splunk Supernova Webshell experimental
Sigma Suspicious File Created by ArcSOC.exe experimental
Splunk Temporary ConnectWise xml File Activity (Windows Event Log)
Kusto Tomcat - Commands in URI available
Kusto Tomcat - Known malicious user agent available
Kusto Tomcat - Multiple client errors from single IP address available
Kusto Tomcat - Multiple empty requests from same IP available
Kusto Tomcat - Multiple server errors from single IP address available
Kusto Tomcat - Put file and get file from same IP address available
Kusto Tomcat - Request from localhost IP address available
Kusto Tomcat - Server errors after multiple requests from same IP available
Kusto Ubiquiti - RDP from external source available
Kusto Ubiquiti - SSH from external source available
Kusto Ubiquiti - Unknown MAC Joined AP available
Sigma Unusual Child Process of dns.exe test
Sigma Unusual File Deletion by Dns.exe test
Sigma Unusual File Modification by dns.exe test
Elastic Unusual SSHD Child Process production
Sigma User Added to Remote Desktop Users Group test
Elastic Virtual Private Network Connection Attempt production
Splunk VMWare Aria Operations Exploit Attempt production
Splunk VMware Server Side Template Injection Hunt production
Splunk VMware Workspace ONE Freemarker Server-side Template Injection production
Elastic VNC (Virtual Network Computing) from the Internet production
Splunk Web JSP Request via URL production
Splunk Web or Application Server Spawning a Shell production
Splunk Web Spring Cloud Function FunctionRouter production
Splunk Web Spring4Shell HTTP Request Class Module production
Splunk Windows Exchange Autodiscover SSRF Abuse production
Splunk Windows MOVEit Transfer Writing ASPX production
Splunk Windows PaperCut NG Spawn Shell production
Splunk Windows RDPClient Connection Sequence Events production
Panther Wiz Issue Followed By SSH to EC2 Instance
Elastic Zoom Meeting with no Passcode production
Kusto Zscaler - Forbidden countries available
Kusto Zscaler - Shared ZPA session available
Kusto Zscaler - Unexpected event count of rejects by policy available
Kusto Zscaler - Unexpected update operation available
Kusto Zscaler - Unexpected ZPA session duration available
Kusto Zscaler - ZPA connections from new country available
Kusto Zscaler - ZPA connections from new IP available
Kusto Zscaler - ZPA connections outside operational hours available

Create Account T1136 157 rules

Kusto Account created from non-approved sources
Kusto Account Creation available
Kusto Anomalous login followed by Teams action
Panther AppOmni Alert Passthrough
Splunk ASL AWS Create Access Key production
Splunk ASL AWS UpdateLoginProfile production
Elastic Attempt to Create Okta API Token production
Panther Auth0 Fraud Risk by Volume
Panther Auth0 New Admin Invited
Panther Auth0 New Admin Invited FOLLOWED BY Tenant Member Account Deletion
Panther Auth0 Rapid Dynamic Client Creation
Splunk AWS CreateAccessKey production
Splunk AWS CreateLoginProfile production
Sigma AWS ElastiCache Security Group Created test
Elastic AWS IAM Create User via Assumed Role on EC2 Instance production
Elastic AWS IAM Group Creation production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
YARA-L AWS Privilege Escalation Using IAM Access Key
YARA-L AWS Privilege Escalation Using IAM Login Profile
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Splunk AWS UpdateLoginProfile production
Splunk Azure AD External Guest User Invited production
Splunk Azure AD Multiple Service Principals Created by SP production
Splunk Azure AD Multiple Service Principals Created by User production
Splunk Azure AD Service Principal Created production
Splunk Azure Automation Account Created production
Splunk Azure Automation Runbook Created production
Panther Carbon Black API Key Created or Retrieved
Panther Carbon Black User Added Outside Org
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco IOS Suspicious Privileged Account Creation production
Sigma Cisco Local Accounts test
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Sigma Computer account created with privileges experimental
Splunk Create_Add Local_Domain User (EDR)
Splunk Create_Add Local_Domain User (Sysmon)
Splunk Create_Add Local_Domain User (Windows Event Log)
Elastic Creation of a Hidden Local User Account production
Sigma Creation of a Local Hidden User Account by Registry test
Sigma Creation Of A Local User Account test
Sigma Creation Of An User Account test
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Sigma DarkGate - User Created Via Net.EXE test
Panther Databricks Account Admin Privileged Role Assignment Experimental
Panther Databricks Group Created Experimental
Panther Databricks User Account Created Experimental
Panther Databricks Workspace Admin Privileged Role Assignment Experimental
Splunk Detect New Local Admin account production
Elastic dMSA Account Creation by an Unusual User production
Elastic Entra ID External Guest User Invited production
Elastic Entra ID Service Principal Created production
Sigma ESXi Account Creation Via ESXCLI test
Splunk ESXi Account Modified production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Kusto External user added and removed in short timeframe available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Sigma FortiGate - New Administrator Account Created experimental
Sigma FortiGate - New Local User Created experimental
Sigma Fortinet APT group abuse on Windows (user) experimental
Panther GCP Corporate Email Not Used
YARA-L GCP Free Gmail Domains Added To IAM Policy
Kusto GCP IAM - New Service Account available
Elastic GCP Service Account Creation production
Kusto GitLab - External User Added to GitLab available
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Hidden account creation (with fast deletion) experimental
Sigma Hidden Local User Creation test
Panther IAM Entity Created Without CloudFormation
Sigma IAM User Created test
Sigma IAM User Creation Attempt test
Splunk Linux Add User Account production
Splunk Linux Auditd Add User Account production
Splunk Linux Auditd Add User Account Type production
Elastic Linux Group Creation production
Elastic Linux User Account Creation production
Elastic Linux User Added to Privileged Group production
Sigma Local User Creation test
Splunk MacOS Account Created production
Sigma macOS User Account Manipulation experimental
Sigma Manipulation of User Computer or Group Security Principals Across AD test
Panther New AWS Account Created
Sigma New Federated Domain Added - Exchange test
Sigma New Github Organization Member Added test
Elastic New GitHub Owner Added production
Elastic New GitHub Personal Access Token (PAT) Added production
Sigma New Kubernetes Service Account Created test
Panther New User Account Created
Sigma New User Created Via Net.EXE test
YARA-L New User Created Via Net.EXE
Sigma New User Created Via Net.EXE With Never Expire Option test
Splunk O365 Add App Role Assignment Grant User production
Splunk O365 Added Service Principal production
Splunk O365 External Guest User Invited production
Splunk O365 External Identity Policy Changed production
Splunk O365 Multiple Service Principals Created by SP production
Splunk O365 Multiple Service Principals Created by User production
Splunk O365 New Federated Domain Added production
Splunk O365 SharePoint Allowed Domains Policy Changed production
Elastic OpenSSL Password Hash Generation production
Kusto Pathlock TDnR - SAP Cloud Account Administration Events available
Kusto Ping Federate - New user SSO success login available
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Linux Backdoor User Account Creation production
Elastic Potential Persistence via File Modification production
Sigma PowerShell Create Local User test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Privileged User Has Been Created test
Sigma PSEXEC Remote Execution File Artefact test
Kusto Rare application consent available
Sigma Risk of signup fraud - rapid creation of fake accounts experimental
Sigma Risk of signup fraud - rapid creation of fake accounts with disposable email domains experimental
Sigma Risk of Tenant Takeover experimental
YARA-L sap hanadb user admin actions
YARA-L sap security audit log user created deleted or unlocked
YARA-L sap user creates and uses new user
Sigma Serv-U Exploitation CVE-2021-35211 by DEV-0322 test
Elastic Shadow File Modification by Unusual Process production
Splunk Short Lived Windows Accounts production
Panther Slack Organization Created
Panther Snowflake User Created
Panther Snowflake User Created
Panther Snowflake User Enabled
Panther Snowflake User Enabled
Elastic Spike in User Account Management Events production
Sigma SQL SA admin user enabled experimental
Sigma Suspicious computer account created by a computer account experimental
Elastic Suspicious Passwd File Event Action production
Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created test
Panther Teleport Create User Accounts
Kusto Unusual identity creation using exchange powershell
Sigma User account created by a computer account experimental
Kusto User Account Created Using Incorrect Naming Format
Kusto User account created without expected attributes defined
Elastic User Account Creation production
Sigma User account creation disguised in a computer account experimental
Sigma User Added to Remote Desktop Users Group test
Sigma User creation via commandline
Sigma User enumeration and creation related to Manic Menagerie 2.0 (via cmdline)
Elastic User or Group Creation/Modification production
Splunk User_Domain Enumeration Tool - Windows (PowerShell)
Splunk User_Domain Enumeration Tool - Windows (Sysmon)
Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows Computer Account Changed to Domain Controller production
Splunk Windows Create Local Account production
Splunk Windows Create Local Administrator Account Via Net production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows ESX Admins Group Creation Security Event production
Splunk Windows ESX Admins Group Creation via Net production
Splunk Windows ESX Admins Group Creation via PowerShell production
Splunk Windows Privileged Group Modification production

Create Account: Local Account T1136.001 49 rules

Splunk Cisco ASA - New Local User Account Created production
Sigma Cisco Local Accounts test
Splunk Create_Add Local_Domain User (EDR)
Splunk Create_Add Local_Domain User (Sysmon)
Splunk Create_Add Local_Domain User (Windows Event Log)
Elastic Creation of a Hidden Local User Account production
Sigma Creation of a Local Hidden User Account by Registry test
Sigma Creation Of A Local User Account test
Sigma Creation Of An User Account test
Sigma DarkGate - User Created Via Net.EXE test
Splunk Detect New Local Admin account production
Splunk ESXi Account Modified production
Sigma FortiGate - New Administrator Account Created experimental
Sigma FortiGate - New Local User Created experimental
Sigma Hidden Local User Creation test
Splunk Linux Add User Account production
Splunk Linux Auditd Add User Account production
Splunk Linux Auditd Add User Account Type production
Elastic Linux Group Creation production
Elastic Linux User Account Creation production
Elastic Linux User Added to Privileged Group production
Sigma Local User Creation test
Sigma macOS User Account Manipulation experimental
Sigma New User Created Via Net.EXE test
YARA-L New User Created Via Net.EXE
Sigma New User Created Via Net.EXE With Never Expire Option test
Elastic OpenSSL Password Hash Generation production
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Linux Backdoor User Account Creation production
Elastic Potential Persistence via File Modification production
Sigma PowerShell Create Local User test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Privileged User Has Been Created test
Sigma Serv-U Exploitation CVE-2021-35211 by DEV-0322 test
Elastic Shadow File Modification by Unusual Process production
Splunk Short Lived Windows Accounts production
Elastic Suspicious Passwd File Event Action production
Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created test
Elastic User Account Creation production
Sigma User Added to Remote Desktop Users Group test
Sigma User creation via commandline
Sigma User enumeration and creation related to Manic Menagerie 2.0 (via cmdline)
Elastic User or Group Creation/Modification production
Splunk Windows Create Local Account production
Splunk Windows Create Local Administrator Account Via Net production
Splunk Windows ESX Admins Group Creation Security Event production
Splunk Windows ESX Admins Group Creation via Net production
Splunk Windows ESX Admins Group Creation via PowerShell production
Splunk Windows Privileged Group Modification production

Create Account: Domain Account T1136.002 18 rules

Splunk Create_Add Local_Domain User (EDR)
Splunk Create_Add Local_Domain User (Sysmon)
Splunk Create_Add Local_Domain User (Windows Event Log)
Elastic dMSA Account Creation by an Unusual User production
Sigma Manipulation of User Computer or Group Security Principals Across AD test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PSEXEC Remote Execution File Artefact test
Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created test
Elastic User Account Creation production
Sigma User creation via commandline
Splunk User_Domain Enumeration Tool - Windows (PowerShell)
Splunk User_Domain Enumeration Tool - Windows (Sysmon)
Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
Splunk Windows Computer Account Changed to Domain Controller production
Splunk Windows ESX Admins Group Creation Security Event production
Splunk Windows ESX Admins Group Creation via Net production
Splunk Windows ESX Admins Group Creation via PowerShell production
Splunk Windows Privileged Group Modification production

Create Account: Cloud Account T1136.003 56 rules

Kusto Account created from non-approved sources
Splunk ASL AWS Create Access Key production
Splunk ASL AWS UpdateLoginProfile production
Splunk AWS CreateAccessKey production
Splunk AWS CreateLoginProfile production
Sigma AWS ElastiCache Security Group Created test
Elastic AWS IAM Create User via Assumed Role on EC2 Instance production
Elastic AWS IAM Group Creation production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
YARA-L AWS Privilege Escalation Using IAM Access Key
YARA-L AWS Privilege Escalation Using IAM Login Profile
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Splunk AWS UpdateLoginProfile production
Splunk Azure AD External Guest User Invited production
Splunk Azure AD Multiple Service Principals Created by SP production
Splunk Azure AD Multiple Service Principals Created by User production
Splunk Azure AD Service Principal Created production
Splunk Azure Automation Account Created production
Splunk Azure Automation Runbook Created production
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Panther Crowdstrike Ephemeral User Account
Panther Crowdstrike New Admin User Created
Panther Crowdstrike New User Created
Elastic Entra ID External Guest User Invited production
Elastic Entra ID Service Principal Created production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
YARA-L GCP Free Gmail Domains Added To IAM Policy
Panther GCP Inbound SSO Profile Created
Elastic GCP Service Account Creation production
Panther GCP Workforce Pool Created or Updated
Panther GCP Workload Identity Pool Created or Updated
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma IAM User Created test
Sigma IAM User Creation Attempt test
Sigma New Federated Domain Added - Exchange test
Sigma New Github Organization Member Added test
Elastic New GitHub Owner Added production
Elastic New GitHub Personal Access Token (PAT) Added production
Splunk O365 Add App Role Assignment Grant User production
Splunk O365 Added Service Principal production
Splunk O365 External Guest User Invited production
Splunk O365 External Identity Policy Changed production
Splunk O365 Multiple Service Principals Created by SP production
Splunk O365 Multiple Service Principals Created by User production
Splunk O365 New Federated Domain Added production
Splunk O365 SharePoint Allowed Domains Policy Changed production
Kusto User Account Created Using Incorrect Naming Format
Kusto User account created without expected attributes defined
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Panther Wiz User Created Or Deleted
Panther ZIA Cloud Account Created

Office Application Startup T1137 27 rules

Kusto Aqua Blizzard AV hits - Feb 2022 available
Sigma Code Executed Via Office Add-in XLL File test
Sigma IE Change Domain Zone test
Elastic M365 Exchange Inbox Phishing Evasion Rule Created production
Elastic M365 Exchange Inbox Rule with Obfuscated Name production
Sigma New Outlook Macro Created test
Sigma Office Application Startup - Office Test test
Elastic Office Test Registry Persistence production
Elastic Outlook Home Page Registry Modification production
Sigma Outlook Macro Execution Without Warning Setting Enabled test
Sigma Outlook Security Settings Updated - Registry test
Sigma Outlook Task/Note Reminder Received test
Elastic Persistence via Microsoft Office AddIns production
Elastic Persistence via Microsoft Outlook VBA production
Sigma Potential Persistence Via Excel Add-in - Registry test
Sigma Potential Persistence Via Microsoft Office Add-In test
Sigma Potential Persistence Via Microsoft Office Startup Folder test
Sigma Potential Persistence Via Outlook Form test
Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
Sigma Potential Persistence Via Visual Studio Tools for Office test
Sigma Registry Modification to Hidden File Extension test
Elastic Suspicious Execution via Microsoft Office Add-Ins production
Sigma Suspicious Microsoft Office Child Process - MacOS test
Sigma Suspicious Outlook Macro Created test
Splunk Windows Outlook LoadMacroProviderOnBoot Persistence production
Splunk Windows Outlook Macro Created by Suspicious Process production
Splunk Windows Outlook Macro Security Modified production

Office Application Startup: Office Template Macros T1137.001 1 rule

Elastic Persistence via Microsoft Outlook VBA production

Office Application Startup: Office Test T1137.002 3 rules

Sigma Office Application Startup - Office Test test
Elastic Office Test Registry Persistence production
Sigma Suspicious Microsoft Office Child Process - MacOS test

Office Application Startup: Outlook Forms T1137.003 1 rule

Sigma Potential Persistence Via Outlook Form test

Office Application Startup: Outlook Home Page T1137.004 1 rule

Elastic Outlook Home Page Registry Modification production

Office Application Startup: Outlook Rules T1137.005 3 rules

Elastic M365 Exchange Inbox Phishing Evasion Rule Created production
Elastic M365 Exchange Inbox Rule with Obfuscated Name production
Panther Microsoft Exchange External Forwarding

Office Application Startup: Add-ins T1137.006 6 rules

Sigma Code Executed Via Office Add-in XLL File test
Elastic Persistence via Microsoft Office AddIns production
Sigma Potential Persistence Via Excel Add-in - Registry test
Sigma Potential Persistence Via Microsoft Office Add-In test
Sigma Potential Persistence Via Visual Studio Tools for Office test
Elastic Suspicious Execution via Microsoft Office Add-Ins production

Software Extensions T1176 10 rules

Elastic Browser Extension Install production
Sigma ChromeLoader Malware Execution test
Sigma Chromium Browser Instance Executed With Custom Extension test
Kusto GWorkspace - Multiple user agents for single source available
Kusto Hunt for compromised browser extensions
Elastic Manual Loading of a Suspicious Chromium Extension production
Panther OSQuery Detected Unwanted Chrome Extensions
Sigma Suspicious Chromium Browser Instance Executed With Custom Extension test
Elastic Uncommon Registry Persistence Change production
Splunk Windows Disable Internet Explorer Addons production

Software Extensions: Browser Extensions T1176.001 5 rules

Elastic Browser Extension Install production
Sigma Chromium Browser Instance Executed With Custom Extension test
Elastic Manual Loading of a Suspicious Chromium Extension production
Sigma Suspicious Chromium Browser Instance Executed With Custom Extension test
Splunk Windows Disable Internet Explorer Addons production

BITS Jobs T1197 35 rules

Sigma BITS Client BitsProxy DLL Loaded By Uncommon Process experimental
Splunk BITS Job Persistence production
Sigma BITS payload downloaded via commandline experimental
Sigma BITS payload downloaded via PowerShell experimental
Sigma BITS Transfer Job Download From Direct IP test
Sigma BITS Transfer Job Download From File Sharing Domains test
Sigma BITS Transfer Job Download To Potential Suspicious Folder test
Sigma BITS Transfer Job Downloading File Potential Suspicious Extension test
Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD test
Elastic Bitsadmin Activity production building block
Kusto Bitsadmin Activity available
Splunk BITSAdmin Download File production
Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
Sigma Bitsadmin to Uncommon IP Server Address test
Sigma Bitsadmin to Uncommon TLD test
Splunk Cisco NVM - Curl Execution With Insecure Flags production
Splunk Cisco NVM - Suspicious Download From File Sharing Website production
Sigma File Download Via Bitsadmin test
Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
Sigma File with high volume downloaded via BITS experimental
Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
Elastic Ingress Transfer via Windows BITS production
Sigma Monitoring For Persistence Via BITS test
Sigma New BITS Job Created Via Bitsadmin test
Sigma New BITS Job Created Via PowerShell test
Elastic Persistence via BITS Job Notify Cmdline production
Splunk PowerShell Start-BitsTransfer production
Sigma Suspicious Download From Direct IP Via Bitsadmin test
Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Elastic Unsigned BITS Service Client Process production building block

Traffic Signaling T1205 1 rule

Elastic Unusual Linux Network Port Activity production

Traffic Signaling: Port Knocking T1205.001 1 rule

Elastic Unusual Linux Network Port Activity production

Server Software Component T1505 144 rules

Sigma Antivirus Web Shell Detection test
YARA-L Attempted SharePoint Webshell Creation CVE-2025-53770
Elastic AWS Bedrock Agent Created by IAM User or Root production
Elastic AWS Bedrock Agent or Action Group Manipulation production
Elastic AWS Bedrock Third-Party or External Knowledge Base Associated to Agent production
Kusto Azure DevOps New Extension Added available
Sigma Chopper Webshell Process Pattern test
Splunk Cisco Configuration Archive Logging Analysis production
Sigma Cisco Modify Configuration test
Splunk Cisco Secure Firewall - Privileged Command Execution via HTTP production
Kusto Cloudflare - Unexpected POST requests available
Kusto Cloudflare - Unexpected POST requests available
Sigma Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) experimental
Splunk Confluence Unauthenticated Remote Code Execution CVE-2022-26134 production
Kusto Corelight - Possible Webshell available
Kusto Corelight - Possible Webshell (Rare PUT or POST) available
Sigma CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit test
Elastic Deprecated - Microsoft Exchange Transport Agent Install Script production building block
Elastic Deprecated - Uncommon Destination Port Connection by Web Server production
Elastic Deprecated - Unusual Command Execution from Web Server Parent production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Splunk Detect Exchange Web Shell production
Kusto Detect potential presence of a malicious file with a double extension (ASIM Web Session) available
Sigma DEWMODE Webshell Access test
Splunk ESXi Malicious VIB Forced Install production
Sigma ETW Logging/Processing Option Disabled On IIS Server test
Sigma Exchange transport agent injection via configuration file experimental
Sigma Exchange transport agent installation artifacts (native) experimental
Sigma Exchange transport agent installation artifacts (PowerShell) experimental
Sigma Execution From Webserver Root Folder test
Elastic Execution via MSSQL xp_cmdshell Stored Procedure production
Splunk Exploit Public Facing Application via Apache Commons Text production
Sigma Failed MSExchange Transport Agent Installation test
Sigma HTTP Logging Disabled On IIS Server test
Sigma IIS Native-Code Module Command Line Installation test
Splunk IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
Elastic Initial Access via File Upload Followed by GET Request production
Sigma Linux Webshell Indicators test
Kusto Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts
Elastic Microsoft Exchange Server UM Writing Suspicious Files production
Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
Splunk Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
Splunk Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
Sigma MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request test
Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
Sigma MSExchange Transport Agent Installation test
Sigma New Module Module Added To IIS Server test
Sigma Oracle WebLogic Exploit test
Kusto Pathlock TDnR - ABAP Source Code Changes available
Kusto Pathlock TDnR - ICF Web Service Changes available
Sigma Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader test
Sigma Potential Java WebShell Upload in SAP NetViewer Server experimental
Sigma Potential SAP NetViewer Webshell Command Execution experimental
Elastic Potential SAP NetWeaver Exploitation production
Elastic Potential SAP NetWeaver WebShell Creation production
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential Web Shell ASPX File Creation production
Sigma Potential Webshell Creation On Static Website test
Elastic Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
YARA-L Potential Webshell Process Execution
Sigma Previously Installed IIS Module Was Removed test
Sigma Rejetto HTTP File Server RCE test
Elastic ScreenConnect Server Spawning Suspicious Processes production
Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
Sigma Shellshock Expression test
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Panther Slack App Added
Sigma Solarwinds SUPERNOVA Webshell Access test
Splunk Spring4Shell Payload URL Request production
Sigma SQL Server Dedicated Admin Connection (DAC) mode activated (native) experimental
Sigma SQL Server Dedicated Admin Connection (DAC) suspicious activity stable
Sigma SQL Server lateral movement with CLR activation experimental
Kusto SQL Server spawning suspicious child process
Sigma SQL server sqlcmd utility abuse for privilege escalation experimental
Sigma SQL Server started in single mode (command) experimental
Sigma SQL Server xp_cmdshell activation (native event) experimental
YARA-L Successful SharePoint Webshell Creation CVE-2025-53770
Splunk Supernova Webshell experimental
Kusto SUPERNOVA webshell
Sigma Suspicious ASPX File Drop by Exchange test
Elastic Suspicious Child Execution via Web Server production
Sigma Suspicious Child Process Of SQL Server test
Elastic Suspicious Command Execution via Web Server production
Sigma Suspicious File Drop by Exchange test
Sigma Suspicious File Write to SharePoint Layouts Directory experimental
Sigma Suspicious File Write to Webapps Root Directory experimental
YARA-L Suspicious Filewrites To Sharepoint Layouts
Sigma Suspicious IIS Module Registration test
Sigma Suspicious MSExchangeMailboxReplication ASPX Write test
Sigma Suspicious Process By Web Server Process test
Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
Sigma Suspicious SQL Query test
Sigma Suspicious Windows Strings In URI test
Splunk Tomcat Session Deserialization Attempt production
Splunk Tomcat Session File Upload Attempt production
Elastic Unsigned DLL loaded by DNS Service production
Elastic Unusual Child Execution via Web Server production
Elastic Unusual Command Execution via Web Server production
Elastic Unusual File Creation by Web Server production building block
Elastic Unusual Process For MSSQL Service Accounts production building block
Splunk Web JSP Request via URL production
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential SQL Injection Request production building block
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Sigma Webserver IIS configuration edited (SYSMON) experimental
Sigma Webserver IIS module installed (command) experimental
Sigma Webserver IIS module installed (command) experimental
Sigma Webserver IIS module installed (PowerShell) experimental
Sigma Webserver IIS module installed via GAC manipulation (PowerShell) experimental
Sigma Webshell Detection With Command Line Keywords test
Sigma Webshell Hacking Activity Patterns test
Sigma Webshell ReGeorg Detection Via Web Logs test
Sigma Webshell Remote Command Execution test
Sigma Webshell Tool Reconnaissance Activity test
Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
Splunk Windows IIS Components Add New Module production
Splunk Windows IIS Components Get-WebGlobalModule Module Query production
Splunk Windows IIS Components Module Failed to Load production
Splunk Windows IIS Components New Module Added production
Splunk Windows Metasploit Confluence Plugin Execution production
Splunk Windows Potential Web Shell Creation For VMware Workspace ONE production
Splunk Windows PowerShell Add Module to Global Assembly Cache production
Splunk Windows PowerShell Disable HTTP Logging production
Splunk Windows PowerShell IIS Components WebGlobalModule Usage production
Splunk Windows Server Software Component GACUtil Install to GAC production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Splunk Windows SharePoint Spinstall0 GET Request production
Splunk Windows SharePoint Spinstall0 Webshell File Creation production
Splunk Windows SharePoint ToolPane Endpoint Exploitation Attempt production
Splunk Windows Shell or Script Execution From IIS Directory production
Splunk Windows Shell Process from CrushFTP production
Splunk Windows SQL Server Configuration Option Hunt production
Splunk Windows SQL Server Critical Procedures Enabled production
Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
Splunk Windows SQL Server Startup Procedure production
Splunk Windows SQL Server xp_cmdshell Config Change production
Splunk Windows Sqlservr Spawning Shell production
Splunk Windows Suspicious Child Process Spawned From WebServer production
Splunk Windows TeamCity Payload Execution from Temp Directory production
Splunk Windows TeamCity Plugin Installed production
Sigma Windows Webshell Strings test
Splunk Windows WSUS Spawning Shell production

Server Software Component: SQL Stored Procedures T1505.001 18 rules

Elastic Execution via MSSQL xp_cmdshell Stored Procedure production
Splunk Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
Splunk Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
Sigma Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader test
Sigma SQL Server Dedicated Admin Connection (DAC) mode activated (native) experimental
Sigma SQL Server Dedicated Admin Connection (DAC) suspicious activity stable
Sigma SQL Server lateral movement with CLR activation experimental
Kusto SQL Server spawning suspicious child process
Sigma SQL server sqlcmd utility abuse for privilege escalation experimental
Sigma SQL Server started in single mode (command) experimental
Sigma Suspicious SQL Query test
Elastic Unusual Process For MSSQL Service Accounts production building block
Splunk Windows SQL Server Configuration Option Hunt production
Splunk Windows SQL Server Critical Procedures Enabled production
Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
Splunk Windows SQL Server Startup Procedure production
Splunk Windows SQL Server xp_cmdshell Config Change production
Splunk Windows Sqlservr Spawning Shell production

Server Software Component: Transport Agent T1505.002 6 rules

Elastic Deprecated - Microsoft Exchange Transport Agent Install Script production building block
Sigma Exchange transport agent injection via configuration file experimental
Sigma Exchange transport agent installation artifacts (native) experimental
Sigma Exchange transport agent installation artifacts (PowerShell) experimental
Sigma Failed MSExchange Transport Agent Installation test
Sigma MSExchange Transport Agent Installation test

Server Software Component: Web Shell T1505.003 77 rules

Sigma Antivirus Web Shell Detection test
YARA-L Attempted SharePoint Webshell Creation CVE-2025-53770
Sigma Chopper Webshell Process Pattern test
Splunk Cisco Configuration Archive Logging Analysis production
Splunk Cisco Secure Firewall - Privileged Command Execution via HTTP production
Sigma Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) experimental
Sigma CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit test
Elastic Deprecated - Uncommon Destination Port Connection by Web Server production
Elastic Deprecated - Unusual Command Execution from Web Server Parent production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Splunk Detect Exchange Web Shell production
Sigma DEWMODE Webshell Access test
Sigma Execution From Webserver Root Folder test
Splunk Exploit Public Facing Application via Apache Commons Text production
Sigma IIS Native-Code Module Command Line Installation test
Elastic Initial Access via File Upload Followed by GET Request production
Sigma Linux Webshell Indicators test
Elastic Microsoft Exchange Server UM Writing Suspicious Files production
Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
Sigma MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request test
Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
Sigma Oracle WebLogic Exploit test
Sigma Potential Java WebShell Upload in SAP NetViewer Server experimental
Sigma Potential SAP NetViewer Webshell Command Execution experimental
Elastic Potential SAP NetWeaver Exploitation production
Elastic Potential SAP NetWeaver WebShell Creation production
Elastic Potential Web Shell ASPX File Creation production
Sigma Potential Webshell Creation On Static Website test
Elastic Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
YARA-L Potential Webshell Process Execution
Sigma Rejetto HTTP File Server RCE test
Elastic ScreenConnect Server Spawning Suspicious Processes production
Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
Sigma Shellshock Expression test
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Sigma Solarwinds SUPERNOVA Webshell Access test
Splunk Spring4Shell Payload URL Request production
YARA-L Successful SharePoint Webshell Creation CVE-2025-53770
Splunk Supernova Webshell experimental
Sigma Suspicious ASPX File Drop by Exchange test
Elastic Suspicious Child Execution via Web Server production
Sigma Suspicious Child Process Of SQL Server test
Elastic Suspicious Command Execution via Web Server production
Sigma Suspicious File Drop by Exchange test
Sigma Suspicious File Write to SharePoint Layouts Directory experimental
Sigma Suspicious File Write to Webapps Root Directory experimental
YARA-L Suspicious Filewrites To Sharepoint Layouts
Sigma Suspicious MSExchangeMailboxReplication ASPX Write test
Sigma Suspicious Process By Web Server Process test
Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
Sigma Suspicious Windows Strings In URI test
Splunk Tomcat Session Deserialization Attempt production
Splunk Tomcat Session File Upload Attempt production
Elastic Unusual Child Execution via Web Server production
Elastic Unusual Command Execution via Web Server production
Elastic Unusual File Creation by Web Server production building block
Splunk Web JSP Request via URL production
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Potential Command Injection Request production
Elastic Web Shell Detection: Script Process Child of Common Web Processes production
Sigma Webshell Detection With Command Line Keywords test
Sigma Webshell Hacking Activity Patterns test
Sigma Webshell ReGeorg Detection Via Web Logs test
Sigma Webshell Remote Command Execution test
Sigma Webshell Tool Reconnaissance Activity test
Splunk Windows Metasploit Confluence Plugin Execution production
Splunk Windows Potential Web Shell Creation For VMware Workspace ONE production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Splunk Windows SharePoint Spinstall0 GET Request production
Splunk Windows SharePoint Spinstall0 Webshell File Creation production
Splunk Windows SharePoint ToolPane Endpoint Exploitation Attempt production
Splunk Windows Suspicious Child Process Spawned From WebServer production
Splunk Windows TeamCity Payload Execution from Temp Directory production
Splunk Windows TeamCity Plugin Installed production
Sigma Windows Webshell Strings test
Splunk Windows WSUS Spawning Shell production

Server Software Component: IIS Components T1505.004 22 rules

Sigma ETW Logging/Processing Option Disabled On IIS Server test
Sigma HTTP Logging Disabled On IIS Server test
Splunk IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
Sigma New Module Module Added To IIS Server test
Sigma Previously Installed IIS Module Was Removed test
Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
Sigma Suspicious IIS Module Registration test
Sigma Webserver IIS configuration edited (SYSMON) experimental
Sigma Webserver IIS module installed (command) experimental
Sigma Webserver IIS module installed (command) experimental
Sigma Webserver IIS module installed (PowerShell) experimental
Sigma Webserver IIS module installed via GAC manipulation (PowerShell) experimental
Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
Splunk Windows IIS Components Add New Module production
Splunk Windows IIS Components Get-WebGlobalModule Module Query production
Splunk Windows IIS Components Module Failed to Load production
Splunk Windows IIS Components New Module Added production
Splunk Windows PowerShell Add Module to Global Assembly Cache production
Splunk Windows PowerShell Disable HTTP Logging production
Splunk Windows PowerShell IIS Components WebGlobalModule Usage production
Splunk Windows Server Software Component GACUtil Install to GAC production
Splunk Windows Shell or Script Execution From IIS Directory production

Server Software Component: Terminal Services DLL T1505.005 1 rule

Sigma Potential Suspicious Activity Using SeCEdit test

Server Software Component: vSphere Installation Bundles T1505.006 1 rule

Splunk ESXi Malicious VIB Forced Install production

Implant Internal Image T1525 5 rules

Elastic AWS Bedrock Untrusted Model Imported or Marketplace Endpoint Registered production
Sigma AWS ECS Task Definition That Queries The Credential Endpoint test
Panther ECR CRUD Actions
Panther Kubernetes Pod Created in System Namespace Experimental
Panther Lambda CRUD Actions

Pre-OS Boot T1542 17 rules

Elastic Boot File Copy production
Splunk Detect Software Download To Network Device experimental
Elastic Dracut Module Creation production
Elastic GRUB Configuration File Creation production
Elastic GRUB Configuration Generation through Built-in Utilities production
Elastic Initramfs Extraction via CPIO production
Elastic Initramfs Unpacking via unmkinitramfs production
Elastic Manual Dracut Execution production
Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
Sigma UEFI Persistence Via Wpbbin - FileCreation test
Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
Splunk Windows BootLoader Inventory experimental
Splunk Windows EFI Bootloader File Modification production
Splunk Windows EFI Volume Mount Attempt Via Mountvol production
Splunk Windows Registry BootExecute Modification production
Splunk Windows Suspicious File in EFI Volume production
Splunk Windows WinLogon with Public Network Connection production

Pre-OS Boot: System Firmware T1542.001 4 rules

Sigma UEFI Persistence Via Wpbbin - FileCreation test
Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
Splunk Windows BootLoader Inventory experimental
Splunk Windows Suspicious File in EFI Volume production

Pre-OS Boot: Bootkit T1542.003 4 rules

Elastic Initramfs Unpacking via unmkinitramfs production
Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
Splunk Windows EFI Bootloader File Modification production
Splunk Windows WinLogon with Public Network Connection production

Pre-OS Boot: TFTP Boot T1542.005 1 rule

Splunk Detect Software Download To Network Device experimental

Create or Modify System Process T1543 218 rules

Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
Elastic Anomalous Process For a Linux Population production
Elastic Anomalous Process For a Windows Population production
Elastic Anomalous Windows Process Creation production
Elastic APT Package Manager Configuration File Creation production
Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Elastic Authentication via Unusual PAM Grantor production
Elastic Boot File Copy production
Elastic Chkconfig Service Add production
Splunk Cisco Isovalent - Late Process Execution production
Splunk Cisco Isovalent - Nsenter Usage in Kubernetes Pod production
Splunk Cisco Isovalent - Shell Execution production
Splunk Clop Ransomware Known Service Name production
Splunk CMD Echo Pipe - Escalation production
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma CodeIntegrity - Blocked Driver Load With Revoked Certificate test
Sigma CodeIntegrity - Blocked Image/Driver Load For Policy Violation test
Kusto COM Event System Loading New DLL
Sigma CosmicDuke Service Installation test
Elastic Creation of Hidden Launch Agent or Daemon production
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Elastic D-Bus Service Created production
Panther Databricks Install Library on All Clusters Experimental
Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
Sigma Devcon Execution Disabling VMware VMCI Device experimental
Elastic DNF Package Manager Plugin File Creation production
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic Dracut Module Creation production
Sigma Driver Load From A Temporary Directory test
Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
Sigma Encoded PowerShell payload deployed via service experimental
Elastic Execution of an Unsigned Service production building block
Elastic Finder Sync Plugin Registered and Enabled production
Elastic First Time Python Created a LaunchAgent or LaunchDaemon production
Elastic First Time Seen Driver Loaded production
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Elastic GRUB Configuration File Creation production
Elastic GRUB Configuration Generation through Built-in Utilities production
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Sigma Impacket SMBexec service creation (registry) experimental
Sigma Impacket SMBexec service registration (native) experimental
Elastic Initramfs Extraction via CPIO production
Elastic Initramfs Unpacking via unmkinitramfs production
Splunk Kernel Service Installed - Windows (Windows Event Log)
Sigma KrbRelayUp Service Installation test
Panther Kubernetes DaemonSet Created
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Splunk LLM Model File Creation production
Sigma macOS ESF Launch Persistence Creation experimental
Splunk MacOS Kextload Usage production
Sigma macOS LaunchAgent/LaunchDaemon Persistence experimental
Sigma Malicious Driver Load test
Sigma Malicious Driver Load By Name test
Kusto McAfee ePO - Multiple threats on same host available
Sigma Mimikatz driver deployed via service experimental
Sigma Mimikatz driver registration (Reg via Sysmon) experimental
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Moriya Rootkit - System test
Sigma Moriya Rootkit File Created test
Elastic Namespace Manipulation Using Unshare production
Elastic Namespace Manipulation Using Unshare in a Container production
Elastic Network Logon Provider Registry Modification production
Elastic NetworkManager Dispatcher Script Creation production
Sigma New Kernel Driver Via SC.EXE test
Sigma New PDQDeploy Service - Client Side test
Sigma New PDQDeploy Service - Server Side test
Sigma New Service Creation Using PowerShell test
Sigma New Service Creation Using Sc.EXE test
Elastic Node.js Pre or Post-Install Script Execution production
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Kusto Pathlock TDnR - Logical OS Command Changes available
Kusto Pathlock TDnR - TMS Transport and Import Events available
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Docker Shortcut Modification production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Elastic Persistence via Update Orchestrator Service Hijack production
Elastic Persistence via WMI Standard Registry Provider production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Polkit Policy Creation production
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Splunk Possible Lateral Movement PowerShell Spawn production
Elastic Potential Backdoor Execution Through PAM_EXEC production
Sigma Potential CobaltStrike Service Installations - Registry test
Elastic Potential Execution via SSH Backdoor production
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via PlistBuddy test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Elastic Potential Suspicious File Edit production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma ProcessHacker Privilege Elevation test
Sigma PSEXEC Remote Execution File Artefact test
Splunk PSexec Service Creation (Windows Event Log)
Sigma PSexec service installation experimental
Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
Sigma PUA - Process Hacker Driver Load test
Sigma PUA - Process Hacker Execution test
Sigma PUA - System Informer Driver Load test
Sigma PUA - System Informer Execution test
Splunk Randomly Generated Windows Service Name experimental
Kusto Rare Process as a Service available
Sigma RDP session hijack via service creation abuse experimental
Sigma Remote Access Tool Services Have Been Installed - Security test
Sigma Remote Access Tool Services Have Been Installed - System test
Elastic Remote Windows Service Installed production
Elastic Renaming of OpenSSH Binaries production
Elastic RPM Package Installed by Unusual Parent Process production
Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
Sigma Service abuse with backdoored "command failure" (service) experimental
Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
Sigma Service abuse with malicious ImagePath (service) experimental
Elastic Service Command Lateral Movement production
Elastic Service Control Spawned via Script Interpreter production
Sigma Service creation (command) experimental
Sigma Service creation (PowerShell) experimental
Elastic Service Creation via Local Kerberos Authentication production
Elastic Service DACL Modification via sc.exe production
Sigma Service Installation in Suspicious Folder test
Sigma Service Installation with Suspicious Folder Pattern test
Splunk Service Installed (Windows Event Log)
Sigma Service Installed By Unusual Client - Security test
Sigma Service Installed By Unusual Client - System test
Elastic Service Path Modification production building block
Elastic Service Path Modification via sc.exe production building block
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental
Sigma Service Reload or Start - Linux test
Sigma ServiceDll Hijack test
Splunk Services LOLBAS Execution Process Spawn production
Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
Sigma Sliver C2 Default Service Installation test
Sigma Special File Creation via Mknod Syscall experimental
Sigma StoneDrill Service Install test
Kusto SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
Splunk Suspicious .sys Created - Windows (Sysmon)
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Hidden Child Process of Launchd production
Elastic Suspicious ImagePath Service Creation production
Elastic Suspicious Mining Process Creation Event production
Elastic Suspicious Network Connection via systemd production
Sigma Suspicious New Service Creation test
Splunk Suspicious PlistBuddy Usage experimental
Splunk Suspicious PlistBuddy Usage via OSquery experimental
Elastic Suspicious ScreenConnect Client Child Process production
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
Sigma Suspicious Service Installation test
Sigma Suspicious Service Installation Script test
Sigma Suspicious Service Path Modification test
Elastic Suspicious Service was Installed in the System production
YARA-L Suspicious Windows Service Installation Detected
Sigma Sysinternals PsService Execution test
Sigma Sysinternals PsSuspend Execution test
Elastic System Shells via Services production
Elastic Systemd Generator Created production
Elastic Systemd Service Created production
Sigma Systemd Service Creation test
Elastic Systemd Service Started by Unusual Parent Process production
Elastic Systemd Shell Execution During Boot production
Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Kusto TEARDROP memory-only dropper available
Sigma Turla PNG Dropper Service test
Sigma Turla Service Install test
Sigma Uncommon Service Installation Image Path test
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual D-Bus Daemon Child Process production
Elastic Unusual DPKG Execution production
Elastic Unusual Persistence via Services Registry production
Elastic Unusual Pkexec Execution production
Elastic Unusual Process For a Linux Host production
Elastic Unusual Process For a Windows Host production
Elastic Unusual Windows Path Activity production
Elastic Unusual Windows Service production
Sigma Vulnerable Driver Load test
Sigma Vulnerable Driver Load By Name test
Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
Sigma Vulnerable WinRing0 Driver Load test
Splunk Windows Bluetooth Service Installed From Uncommon Location production
Splunk Windows KrbRelayUp Service Creation production
Splunk Windows Local LLM Framework Execution production
Splunk Windows Process Execution in Temp Dir production
Splunk Windows Remote Create Service production
Splunk Windows Service Create Kernel Mode Driver production
Splunk Windows Service Create RemComSvc production
Splunk Windows Service Create with Tscon production
Splunk Windows Service Created (Sysmon)
Splunk Windows Service Created (Windows Event Log)
Splunk Windows Service Creation on Remote Endpoint production
Splunk Windows Service Initiation on Remote Endpoint production
Elastic Windows Service Installed via an Unusual Client production
Splunk Windows Suspicious Driver Loaded Path production
Splunk Windows Suspicious Process File Path production
Splunk Windows Vulnerable Driver Installed production
Splunk Windows Vulnerable Driver Loaded production
Splunk Wscript Or Cscript Suspicious Child Process production
Splunk XMRIG Driver Loaded production
Elastic Yum Package Manager Plugin File Creation production

Create or Modify System Process: Launch Agent T1543.001 11 rules

Elastic Creation of Hidden Launch Agent or Daemon production
Elastic First Time Python Created a LaunchAgent or LaunchDaemon production
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Sigma macOS LaunchAgent/LaunchDaemon Persistence experimental
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Sigma Potential Persistence Via PlistBuddy test
Elastic Suspicious Hidden Child Process of Launchd production
Splunk Suspicious PlistBuddy Usage experimental
Splunk Suspicious PlistBuddy Usage via OSquery experimental

Create or Modify System Process: Systemd Service T1543.002 14 rules

Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Potential Persistence via File Modification production
Elastic Potential Suspicious File Edit production
Sigma Service Reload or Start - Linux test
Elastic Suspicious Mining Process Creation Event production
Elastic Suspicious Network Connection via systemd production
Elastic Systemd Generator Created production
Elastic Systemd Service Created production
Sigma Systemd Service Creation test
Elastic Systemd Service Started by Unusual Parent Process production
Elastic Systemd Shell Execution During Boot production
Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Elastic Unusual Process For a Linux Host production

Create or Modify System Process: Windows Service T1543.003 117 rules

Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
Elastic Anomalous Process For a Linux Population production
Splunk CMD Echo Pipe - Escalation production
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma CosmicDuke Service Installation test
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
Sigma Devcon Execution Disabling VMware VMCI Device experimental
Sigma Driver Load From A Temporary Directory test
Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
Sigma Encoded PowerShell payload deployed via service experimental
Elastic Execution of an Unsigned Service production building block
Elastic First Time Seen Driver Loaded production
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Sigma Impacket SMBexec service creation (registry) experimental
Sigma Impacket SMBexec service registration (native) experimental
Splunk Kernel Service Installed - Windows (Windows Event Log)
Sigma Malicious Driver Load test
Sigma Malicious Driver Load By Name test
Sigma Mimikatz driver deployed via service experimental
Sigma Mimikatz driver registration (Reg via Sysmon) experimental
Sigma Moriya Rootkit - System test
Sigma Moriya Rootkit File Created test
Sigma New Kernel Driver Via SC.EXE test
Sigma New PDQDeploy Service - Client Side test
Sigma New PDQDeploy Service - Server Side test
Sigma New Service Creation Using PowerShell test
Sigma New Service Creation Using Sc.EXE test
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Elastic Persistence via Update Orchestrator Service Hijack production
Elastic Persistence via WMI Standard Registry Provider production
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential CobaltStrike Service Installations - Registry test
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma ProcessHacker Privilege Elevation test
Sigma PSEXEC Remote Execution File Artefact test
Splunk PSexec Service Creation (Windows Event Log)
Sigma PSexec service installation experimental
Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
Splunk Randomly Generated Windows Service Name experimental
Kusto Rare Process as a Service available
Sigma RDP session hijack via service creation abuse experimental
Sigma Remote Access Tool Services Have Been Installed - Security test
Sigma Remote Access Tool Services Have Been Installed - System test
Elastic Remote Windows Service Installed production
Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
Sigma Service abuse with backdoored "command failure" (service) experimental
Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
Sigma Service abuse with malicious ImagePath (service) experimental
Elastic Service Command Lateral Movement production
Elastic Service Control Spawned via Script Interpreter production
Sigma Service creation (command) experimental
Sigma Service creation (PowerShell) experimental
Elastic Service Creation via Local Kerberos Authentication production
Elastic Service DACL Modification via sc.exe production
Sigma Service Installation in Suspicious Folder test
Sigma Service Installation with Suspicious Folder Pattern test
Elastic Service Path Modification production building block
Elastic Service Path Modification via sc.exe production building block
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental
Sigma ServiceDll Hijack test
Splunk Services LOLBAS Execution Process Spawn production
Sigma Sliver C2 Default Service Installation test
Sigma Special File Creation via Mknod Syscall experimental
Sigma StoneDrill Service Install test
Splunk Suspicious .sys Created - Windows (Sysmon)
Elastic Suspicious ImagePath Service Creation production
Sigma Suspicious New Service Creation test
Elastic Suspicious ScreenConnect Client Child Process production
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
Sigma Suspicious Service Installation test
Sigma Suspicious Service Installation Script test
Sigma Suspicious Service Path Modification test
Elastic Suspicious Service was Installed in the System production
YARA-L Suspicious Windows Service Installation Detected
Sigma Sysinternals PsService Execution test
Sigma Sysinternals PsSuspend Execution test
Elastic System Shells via Services production
Sigma Turla PNG Dropper Service test
Sigma Turla Service Install test
Sigma Uncommon Service Installation Image Path test
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual Persistence via Services Registry production
Elastic Unusual Process For a Windows Host production
Elastic Unusual Windows Path Activity production
Elastic Unusual Windows Service production
Sigma Vulnerable Driver Load test
Sigma Vulnerable Driver Load By Name test
Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
Sigma Vulnerable WinRing0 Driver Load test
Splunk Windows Bluetooth Service Installed From Uncommon Location production
Splunk Windows KrbRelayUp Service Creation production
Splunk Windows Remote Create Service production
Splunk Windows Service Create Kernel Mode Driver production
Splunk Windows Service Create RemComSvc production
Splunk Windows Service Create with Tscon production
Splunk Windows Service Creation on Remote Endpoint production
Splunk Windows Service Initiation on Remote Endpoint production
Elastic Windows Service Installed via an Unusual Client production
Splunk Windows Suspicious Driver Loaded Path production
Splunk Windows Vulnerable Driver Installed production
Splunk Windows Vulnerable Driver Loaded production
Splunk XMRIG Driver Loaded production

Create or Modify System Process: Launch Daemon T1543.004 9 rules

Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Elastic Creation of Hidden Launch Agent or Daemon production
Elastic First Time Python Created a LaunchAgent or LaunchDaemon production
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Sigma Potential Persistence Via PlistBuddy test
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Hidden Child Process of Launchd production

Create or Modify System Process: Container Service T1543.005 2 rules

Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production

Event Triggered Execution T1546 212 rules

Kusto [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 available
Splunk Access Common Package Config file (EDR)
Splunk Access Common Package Config file (PowerShell)
Splunk Access Common Package Config file (Sysmon)
Splunk Access Common Package Config file (Windows Event Log)
Sigma AdminSDHolder permissions changed for persistence experimental
Kusto ApexOne - Possible exploit or execute operation available
Elastic APT Package Manager Configuration File Creation production
Elastic AWS Lambda Function Policy Updated to Allow Public Invocation production
Elastic Azure Automation Webhook Created production
Panther Azure Automation Webhook Created
Elastic Bash Shell Profile Modification production
Kusto BTP - Cloud Integration artifact deployment available
Kusto BTP - Cloud Integration package import or transport available
Kusto Caramel Tsunami Actor IOC - July 2021 available
Sigma Change Default File Association To Executable Via Assoc test
Sigma Change Default File Association Via Assoc test
Sigma COM Hijack via Sdclt test
Sigma COM Hijacking via TreatAs test
Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
Splunk Command Line Utility Added to Accessibility Features (PowerShell)
Splunk Command Line Utility Added to Accessibility Features (Sysmon)
Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
Elastic Component Object Model Hijacking production
Kusto Component Object Model Hijacking - Vault7 trick available
Sigma Control Panel Items test
Kusto Copilot - Plugin Created by Non-Admin User available
Elastic Curl Execution via Shell Profile production
Elastic D-Bus Service Created production
Kusto Dataminr - urgent alerts detected available
Kusto Defender Alert Evidence available
Splunk Detect WMI Event Subscription Persistence production
Elastic DNF Package Manager Plugin File Creation production
Elastic Docker Release File Creation production
Elastic DPKG Package Installed by Unusual Parent Process production
Kusto Egress Defend - Dangerous Attachment Detected available
Elastic Emond Rules Creation or Modification production
Elastic Executable Bit Set for Potential Persistence Script production
Kusto Generate alerts based on ExtraHop detections recommended for triage available
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Elastic GitHub Actions Workflow Modification Blocked production
Sigma HAFNIUM Exchange Exploitation Activity test
Elastic Image File Execution Options Injection production
Elastic Installation of Custom Shim Databases production
Kusto KnowBe4 Defend - Dangerous Attachment Detected available
Panther Kubernetes Admission Controller Webhook Created
Elastic Kubernetes Admission Webhook Created or Modified production
Splunk Linux Auditd Unix Shell Configuration Modification production
Splunk Linux File Creation In Profile Directory production
Splunk Linux Possible Append Command To Profile Config File production
Sigma MacOS Emond Launch Daemon test
Kusto Mimecast Secure Email Gateway - Internal Email Protect available
Kusto Mimecast Secure Email Gateway - Internal Email Protect
Kusto Modification of Accessibility Features
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Mofcomp Activity production
Sigma MSSQL Extended Stored Procedure Backdoor Maggie test
Elastic Netsh Helper DLL production
Sigma Netsh helper DLL abuse (process) experimental
Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic NetworkManager Dispatcher Script Creation production
Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
Sigma New DLL Added to AppCertDlls Registry Key test
Sigma New DLL Added to AppInit_DLLs Registry Key test
Sigma New Netsh Helper DLL Registered From A Suspicious Location test
Sigma New Outlook Macro Created test
Sigma Outlook Macro Execution Without Warning Setting Enabled test
Splunk Overwriting Accessibility Binaries production
Sigma Path To Screensaver Binary Modified test
Elastic Persistence via Folder Action Script production
Elastic Persistence via PowerShell profile production
Sigma Persistence Via Sticky Key Backdoor test
Elastic Persistence via WMI Event Subscription production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Application Shimming via Sdbinst production
Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
Elastic Potential Modification of Accessibility Binaries production
Sigma Potential Persistence Using DebugPath test
Sigma Potential Persistence Via App Paths Default Property test
Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
Elastic Potential Persistence via Atom Init Script Modification production
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via GlobalFlags test
Sigma Potential Persistence Via Netsh Helper DLL test
Sigma Potential Persistence Via Netsh Helper DLL - Registry test
Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
Sigma Potential Persistence Via PowerShell User Profile Using Add-Content test
Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
Sigma Potential Persistence Via Shim Database In Uncommon Location test
Sigma Potential Persistence Via Shim Database Modification test
Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
Sigma Potential PSFactoryBuffer COM Hijacking test
Elastic Potential release_agent Container Escape Detected via Defend for Containers production
Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
Elastic Potential RemoteMonologue Attack production
Sigma Potential Shim Database Persistence via Sdbinst.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential Suspicious File Edit production
Splunk Powershell COM Hijacking InprocServer32 Modification production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell Execute COM Object production
Sigma PowerShell Profile Modification test
Sigma Powershell WMI Persistence test
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Splunk Registry Keys for Creating SHIM Databases production
Splunk Registry Keys Used For Privilege Escalation production
Sigma Registry Modification of MS-settings Protocol Handler test
Elastic Registry Persistence via AppCert DLL production
Kusto Registry Persistence via AppCert DLL Modification available
Elastic Registry Persistence via AppInit DLL production
Kusto Registry Persistence via AppInit DLLs Modification available
Elastic RPM Package Installed by Unusual Parent Process production
Kusto Rubrik Threat Monitoring available
Sigma Rundll32 Registered COM Objects test
Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
Splunk Screensaver Event Trigger Execution production
Elastic Screensaver Plist File Modified by Unexpected Process production
Sigma Session Manager Autorun Keys Modification test
Elastic Shell Configuration Creation production
Sigma Shell Open Registry Keys Manipulation test
Splunk Shim Database File Creation production
Splunk Shim Database Installation With Suspicious Parameters production
Sigma SOURGUM Actor Behaviours test
Sigma Stickey key called CMD via command execution experimental
Sigma Stickey key called CMD via command execution (hash detection) experimental
Sigma Stickey key IFEO (Reg via command) experimental
Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
Sigma Sticky key file created from CMD copy experimental
Sigma Sticky Key Like Backdoor Execution test
Sigma Sticky Key Like Backdoor Usage - Registry test
Sigma Sticky key sethc command for replacement by CMD experimental
Sigma Sticky key sethc file failed replacement experimental
Kusto SUNBURST and SUPERNOVA backdoor hashes available
Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
Kusto SUNBURST network beacons available
Elastic Suspicious Apple Mail Rule Plist Modification production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious Calendar File Modification production
Sigma Suspicious Debugger Registration Cmdline test
Splunk Suspicious DLLhost Execution (EDR)
Splunk Suspicious DLLhost Execution (PowerShell)
Splunk Suspicious DLLhost Execution (Windows Event Log)
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Emond Child Process production
Sigma Suspicious Encoded Scripts in a WMI Consumer test
Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
Elastic Suspicious File Creation via Pkg Install Script production
Sigma Suspicious Get-Variable.exe Creation test
Sigma Suspicious GetTypeFromCLSID ShellExecute test
Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
Sigma Suspicious Outlook Macro Created test
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Sigma Suspicious ScreenSave Change by Reg.exe test
Sigma Suspicious Screensaver Binary File Creation test
Sigma Suspicious Shell Open Command Registry Modification experimental
Sigma Suspicious Shim Database Patching Activity test
Elastic Suspicious WerFault Child Process production
Elastic Suspicious WMI Event Subscription Created production
Sigma System crash behavior manipulation - WMImplant (registry) experimental
Elastic Systemd Generator Created production
Elastic Systemd-udevd Rule File Creation production
Elastic Trap Signals Execution production
Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test
Elastic Uncommon Registry Persistence Change production
Elastic Unexpected Child Process of macOS Screensaver Engine production
Sigma Unix Shell Configuration Modification test
Elastic Unusual DPKG Execution production
Elastic Unusual Process Modifying GenAI Configuration File production
Elastic Unusual SSHD Child Process production
Kusto Vectra Create Detection Alert for Accounts available
Kusto Vectra Create Detection Alert for Hosts available
Kusto Vectra Create Incident Based on Priority for Accounts available
Kusto Vectra Create Incident Based on Priority for Hosts available
Kusto Vectra Create Incident Based on Tag for Accounts available
Kusto Vectra Create Incident Based on Tag for Hosts available
Sigma VsCode Powershell Profile Modification test
Elastic Werfault ReflectDebugger Persistence production
Splunk Windows AD AdminSDHolder ACL Modified production
Splunk Windows AppCertDLL Modification Via Command Line production
Splunk Windows Change File Association Command To Notepad production
Splunk Windows COM Hijacking InprocServer32 Modification production
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Event Triggered Image File Execution Options Injection production
Splunk Windows MOF Event Triggered Execution via WMI production
Splunk Windows New Default File Association Value Set production
Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
Sigma WMI Backdoor Exchange Transport Agent test
Sigma WMI Event Subscription test
Splunk WMI Permanent Event Subscription - Sysmon production
Sigma WMI Persistence test
Sigma WMI Persistence - Command Line Event Consumer test
Sigma WMI Persistence - Script Event Consumer test
Sigma WMI Persistence - Script Event Consumer File Write test
Sigma WMI Persistence - Security test
Sigma WMI registration experimental
Sigma WMI registration (PowerShell) experimental
Splunk WMI subscription execution (Sysmon)
Splunk WMI subscription execution (Windows Event Log)
Sigma Writing Local Admin Share test
Elastic Yum Package Manager Plugin File Creation production
Kusto Zinc Actor IOCs files - October 2022 available

Event Triggered Execution: Change Default File Association T1546.001 7 rules

Sigma Change Default File Association To Executable Via Assoc test
Sigma Change Default File Association Via Assoc test
Sigma Registry Modification of MS-settings Protocol Handler test
Sigma Shell Open Registry Keys Manipulation test
Sigma Suspicious Shell Open Command Registry Modification experimental
Splunk Windows Change File Association Command To Notepad production
Splunk Windows New Default File Association Value Set production

Event Triggered Execution: Screensaver T1546.002 8 rules

Sigma Path To Screensaver Binary Modified test
Splunk Screensaver Event Trigger Execution production
Elastic Screensaver Plist File Modified by Unexpected Process production
Sigma Suspicious ScreenSave Change by Reg.exe test
Sigma Suspicious Screensaver Binary File Creation test
Elastic Uncommon Registry Persistence Change production
Elastic Unexpected Child Process of macOS Screensaver Engine production
Sigma Writing Local Admin Share test

Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 23 rules

Splunk Detect WMI Event Subscription Persistence production
Elastic Mofcomp Activity production
Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
Elastic Persistence via WMI Event Subscription production
Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
Sigma Powershell WMI Persistence test
Sigma Suspicious Encoded Scripts in a WMI Consumer test
Elastic Suspicious WMI Event Subscription Created production
Sigma System crash behavior manipulation - WMImplant (registry) experimental
Splunk Windows MOF Event Triggered Execution via WMI production
Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
Sigma WMI Backdoor Exchange Transport Agent test
Sigma WMI Event Subscription test
Splunk WMI Permanent Event Subscription - Sysmon production
Sigma WMI Persistence test
Sigma WMI Persistence - Command Line Event Consumer test
Sigma WMI Persistence - Script Event Consumer test
Sigma WMI Persistence - Script Event Consumer File Write test
Sigma WMI Persistence - Security test
Sigma WMI registration experimental
Sigma WMI registration (PowerShell) experimental
Splunk WMI subscription execution (Sysmon)
Splunk WMI subscription execution (Windows Event Log)

Event Triggered Execution: Unix Shell Configuration Modification T1546.004 14 rules

Elastic Bash Shell Profile Modification production
Elastic Curl Execution via Shell Profile production
Splunk Linux Auditd Unix Shell Configuration Modification production
Splunk Linux File Creation In Profile Directory production
Splunk Linux Possible Append Command To Profile Config File production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic Potential Suspicious File Edit production
Elastic Shell Configuration Creation production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Sigma Unix Shell Configuration Modification test
Elastic Unusual SSHD Child Process production

Event Triggered Execution: Trap T1546.005 1 rule

Elastic Trap Signals Execution production

Event Triggered Execution: Netsh Helper DLL T1546.007 7 rules

Elastic Netsh Helper DLL production
Sigma Netsh helper DLL abuse (process) experimental
Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
Sigma New Netsh Helper DLL Registered From A Suspicious Location test
Sigma Potential Persistence Via Netsh Helper DLL test
Sigma Potential Persistence Via Netsh Helper DLL - Registry test
Sigma Potential Suspicious Activity Using SeCEdit test

Event Triggered Execution: Accessibility Features T1546.008 22 rules

Splunk Command Line Utility Added to Accessibility Features (PowerShell)
Splunk Command Line Utility Added to Accessibility Features (Sysmon)
Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
Kusto Modification of Accessibility Features
Splunk Overwriting Accessibility Binaries production
Sigma Persistence Via Sticky Key Backdoor test
Elastic Potential Modification of Accessibility Binaries production
Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
Sigma Potential Suspicious Activity Using SeCEdit test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Stickey key called CMD via command execution experimental
Sigma Stickey key called CMD via command execution (hash detection) experimental
Sigma Stickey key IFEO (Reg via command) experimental
Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
Sigma Sticky key file created from CMD copy experimental
Sigma Sticky Key Like Backdoor Execution test
Sigma Sticky Key Like Backdoor Usage - Registry test
Sigma Sticky key sethc command for replacement by CMD experimental
Sigma Sticky key sethc file failed replacement experimental
Sigma Suspicious Debugger Registration Cmdline test
Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)

Event Triggered Execution: AppCert DLLs T1546.009 5 rules

Sigma New DLL Added to AppCertDlls Registry Key test
Elastic Registry Persistence via AppCert DLL production
Kusto Registry Persistence via AppCert DLL Modification available
Sigma Session Manager Autorun Keys Modification test
Splunk Windows AppCertDLL Modification Via Command Line production

Event Triggered Execution: AppInit DLLs T1546.010 3 rules

Sigma New DLL Added to AppInit_DLLs Registry Key test
Elastic Registry Persistence via AppInit DLL production
Kusto Registry Persistence via AppInit DLLs Modification available

Event Triggered Execution: Application Shimming T1546.011 11 rules

Elastic Installation of Custom Shim Databases production
Elastic Potential Application Shimming via Sdbinst production
Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
Sigma Potential Persistence Via Shim Database In Uncommon Location test
Sigma Potential Persistence Via Shim Database Modification test
Sigma Potential Shim Database Persistence via Sdbinst.EXE test
Splunk Registry Keys for Creating SHIM Databases production
Splunk Shim Database File Creation production
Splunk Shim Database Installation With Suspicious Parameters production
Sigma Suspicious Shim Database Patching Activity test
Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test

Event Triggered Execution: Image File Execution Options Injection T1546.012 10 rules

Elastic Image File Execution Options Injection production
Sigma Potential Persistence Via App Paths Default Property test
Sigma Potential Persistence Via GlobalFlags test
Splunk Registry Keys Used For Privilege Escalation production
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Elastic Suspicious WerFault Child Process production
Elastic Uncommon Registry Persistence Change production
Elastic Werfault ReflectDebugger Persistence production
Splunk Windows Event Triggered Image File Execution Options Injection production

Event Triggered Execution: PowerShell Profile T1546.013 4 rules

Elastic Persistence via PowerShell profile production
Sigma Potential Persistence Via PowerShell User Profile Using Add-Content test
Sigma PowerShell Profile Modification test
Sigma VsCode Powershell Profile Modification test

Event Triggered Execution: Emond T1546.014 3 rules

Elastic Emond Rules Creation or Modification production
Sigma MacOS Emond Launch Daemon test
Elastic Suspicious Emond Child Process production

Event Triggered Execution: Component Object Model Hijacking T1546.015 22 rules

Sigma COM Hijacking via TreatAs test
Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
Elastic Component Object Model Hijacking production
Kusto Component Object Model Hijacking - Vault7 trick available
Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
Sigma Potential Persistence Using DebugPath test
Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
Sigma Potential PSFactoryBuffer COM Hijacking test
Elastic Potential RemoteMonologue Attack production
Splunk Powershell COM Hijacking InprocServer32 Modification production
Splunk Powershell Execute COM Object production
Sigma Rundll32 Registered COM Objects test
Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
Sigma SOURGUM Actor Behaviours test
Splunk Suspicious DLLhost Execution (EDR)
Splunk Suspicious DLLhost Execution (PowerShell)
Splunk Suspicious DLLhost Execution (Windows Event Log)
Sigma Suspicious GetTypeFromCLSID ShellExecute test
Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
Splunk Windows COM Hijacking InprocServer32 Modification production

Event Triggered Execution: Installer Packages T1546.016 9 rules

Elastic APT Package Manager Configuration File Creation production
Elastic DNF Package Manager Plugin File Creation production
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic RPM Package Installed by Unusual Parent Process production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious File Creation via Pkg Install Script production
Elastic Unusual DPKG Execution production
Elastic Yum Package Manager Plugin File Creation production

Event Triggered Execution: Udev Rules T1546.017 3 rules

Elastic Executable Bit Set for Potential Persistence Script production
Elastic Potential Persistence via File Modification production
Elastic Systemd-udevd Rule File Creation production

Event Triggered Execution: Python Startup Hooks T1546.018 2 rules

Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production

Boot or Logon Autostart Execution T1547 201 rules

Splunk Active Setup Registry Autostart production
Splunk Add DLL_EXE Registry Value (Sysmon)
Sigma Add Port Monitor Persistence in Registry test
Splunk Additional dll added to Spool Driver (Sysmon)
Splunk Additional dll added to Spool Driver (Windows Event Log)
Sigma Atbroker Registry Change test
Elastic Attempt to Unload Elastic Endpoint Security Kernel Extension production
Elastic Authorization Plugin Modification production
Elastic BPF Program or Map Load via bpftool production
Sigma Bypass UAC Using Event Viewer test
Sigma Classes Autorun Keys Modification test
Sigma Common Autorun Keys Modification test
Sigma Creation Exe for Service with Unquoted Path test
Elastic Creation of Hidden Login Item via Apple Script production
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Sigma CurrentControlSet Autorun Keys Modification test
YARA-L CurrentControlSet Autorun Keys Modification
Sigma CurrentVersion Autorun Keys Modification test
YARA-L CurrentVersion Autorun Keys Modification
Sigma CurrentVersion NT Autorun Keys Modification test
Sigma Default RDP Port Changed to Non Standard Port test
YARA-L Default RDP Port Changed to Non Standard Port
Sigma Desktop.INI Created by Uncommon Process test
Kusto Detect Print Processors Registry Driver Key Creation/Modification available
Kusto Detect Registry Run Key Creation/Modification available
Sigma Direct Autorun Keys Modification test
YARA-L Direct Autorun Keys Modification
Sigma DLL Load via LSASS test
Elastic Executable Bit Set for Potential Persistence Script production
Splunk Execution from Startup Folder (Sysmon)
Splunk Execution from Startup Folder (Windows Event Log)
Elastic Execution of Persistent Suspicious Program production
Sigma File Creation In Suspicious Directory By Msdt.EXE test
Splunk File Written to Startup Folder - Windows (Sysmon)
Splunk File Written to Startup Folder - Windows (Windows Event Log)
Elastic First Time Seen Driver Loaded production
Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
Kusto Imminent Ransomware available
Elastic Installation of Security Support Provider production
Sigma Internet Explorer Autorun Keys Modification test
Sigma Kapeka Backdoor Autorun Persistence test
Elastic KDE AutoStart Script or Desktop File Creation production
Elastic Kernel Driver Load production
Elastic Kernel Driver Load by non-root User production
Sigma Kernel Extension Loaded from Temporary Directory experimental
Elastic Kernel Load or Unload via Kexec Detected production
Elastic Kernel Module Load from Unusual Location production
Elastic Kernel Module Load via Built-in Utility production
Elastic Kernel Module Removal production
Elastic Kernel Object File Creation production
Elastic Lateral Movement via Startup Folder production
Sigma Leviathan Registry Key Activity test
Splunk Linux Auditd Insert Kernel Module Using Insmod Utility production
Splunk Linux Auditd Install Kernel Module Using Modprobe Utility production
Splunk Linux Auditd Kernel Module Using Rmmod Utility production
Splunk Linux Auditd Unload Module Via Modprobe production
Splunk Linux File Created In Kernel Driver Directory production
Splunk Linux Insert Kernel Module Using Insmod Utility production
Splunk Linux Install Kernel Module Using Modprobe Utility production
Elastic Loadable Kernel Module Configuration File Creation production
Sigma Loading of Kernel Module via Insmod test
Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
Sigma macOS Configuration Profile Installation experimental
Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript
Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
Elastic Mimikatz Memssp Log File Detected production
Sigma MITRE BZAR Indicators for Persistence test
Sigma Modify User Shell Folders Startup Value test
YARA-L Modify User Shell Folders Startup Value
Splunk Monitor Registry Keys for Print Monitors production
Sigma Narrator's Feedback-Hub Persistence test
Elastic Network Connections Initiated Through XDG Autostart Entry production
Splunk New AutoRun Registry Key (PowerShell)
Sigma New Custom Shim Database Created test
Sigma New RUN Key Pointing to Suspicious Folder experimental
YARA-L New RUN Key Pointing to Suspicious Folder
Sigma New TimeProviders Registered With Uncommon DLL Name test
Sigma NTFS hard link creation experimental
Sigma NTFS symbolic link configuration change experimental
Sigma NTFS symbolic link creation experimental
Sigma Office Autorun Keys Modification test
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via a Windows Installer production
Elastic Persistence via DirectoryService Plugin Modification production
Elastic Persistence via Docker Shortcut Modification production
Elastic Persistence via Hidden Run Key Detected production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Elastic Persistence via WMI Standard Registry Provider production
Elastic Persistent Scripts in the Startup Directory production
Elastic Pod or Container Creation with Suspicious Command-Line production
Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
Elastic Potential LSA Authentication Package Abuse production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Login Hook production
Elastic Potential Persistence via Mandatory User Profile production
Elastic Potential Persistence via Time Provider Modification production
Elastic Potential Port Monitor or Print Processor Registration Abuse production
Elastic Potential PowerShell HackTool Script by Function Names production
Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
Elastic Potential REMCOS Trojan Execution production
Sigma Potential RipZip Attack on Startup Folder test
Sigma Potential Ryuk Ransomware Activity stable
Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
YARA-L Potential Suspicious Activity Using SeCEdit
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Print Processor Registry Autostart production
Splunk Print Spooler Adding A Printer Driver production
Splunk Print Spooler Failed to Load a Plug-in production
Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
Splunk Registry Keys Used For Persistence production
Sigma Registry Persistence Mechanisms in Recycle Bin test
Sigma Registry Persistence via Explorer Run Key test
Kusto Registry Run Keys - Suspicious Registry Run Keys
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Security package (SSP) added (Reg via command) experimental
Sigma Security package (SSP) loaded into LSA (native) experimental
Sigma Security Support Provider (SSP) Added to LSA Configuration test
Sigma Session Manager Autorun Keys Modification test
YARA-L Session Manager Autorun Keys Modification
Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
Elastic Shortcut File Written or Modified on Startup Folder production building block
Splunk Spoolsv Spawning Rundll32 production
Splunk Spoolsv Suspicious Loaded Modules production
Splunk Spoolsv Writing a DLL production
Splunk Spoolsv Writing a DLL - Sysmon production
Sigma Startup Folder File Write test
Splunk Startup Folder Location Modified - Windows (PowerShell)
Splunk Startup Folder Location Modified - Windows (Sysmon)
Splunk Startup Folder Location Modified - Windows (Windows Event Log)
Elastic Startup Folder Persistence via Unsigned Process production
Elastic Startup or Run Key Registry Modification production
Elastic Startup Persistence by a Suspicious Process production
Sigma Startup/Logon Script Added to Group Policy Object test
Elastic Startup/Logon Script added to Group Policy Object production
Sigma Suspicious Autorun Registry Modified via WMI experimental
Sigma Suspicious Driver Install by pnputil.exe test
Elastic Suspicious File Creation via Kworker production
Sigma Suspicious GrpConv Execution test
Elastic Suspicious Modprobe File Event production building block
Elastic Suspicious Module Loaded by LSASS production
Sigma Suspicious PowerShell In Registry Run Keys test
YARA-L Suspicious Powershell In Registry Run Keys
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Sigma Suspicious Run Key from Download test
Sigma Suspicious Startup Folder Persistence test
Elastic Suspicious Startup Shell Folder Modification production
Elastic Suspicious Usage of bpf_probe_write_user Helper production
Sigma Suspicious VBScript UN2452 Pattern test
Splunk Symbolic OR Hard File Link Created (PowerShell)
Splunk Symbolic OR Hard File Link Created (Windows Event Log)
Sigma System Scripts Autorun Keys Modification test
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Elastic Tainted Kernel Module Load production
Elastic Tainted Out-Of-Tree Kernel Module Load production
Splunk Time Provider Persistence Registry production
Elastic Uncommon Registry Persistence Change production
Sigma Unsigned Kernel Extension Load Attempt experimental
Splunk Unusual winlogon.exe Child Process (Sysmon)
Splunk Unusual winlogon.exe Child Process (Windows Event Log)
Sigma User Shell Folders Registry Modification via CommandLine experimental
Sigma VBScript Payload Stored in Registry test
Splunk Windows Audit Policy Auditing Option Modified - Registry production
Splunk Windows Autostart Execution LSASS Driver Registry Modification production
Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
Sigma Windows Event Log Access Tampering Via Registry experimental
Sigma Windows Network Access Suspicious desktop.ini Action test
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows PowerShell MSIX Package Installation production
Splunk Windows Registry BootExecute Modification production
Splunk Windows Registry Modification for Safe Mode Persistence production
Splunk Windows Security Support Provider Reg Query production
Splunk Windows Snake Malware Kernel Driver Comadmin production
Splunk Windows Snake Malware Service Create production
Sigma Windows Terminal Profile Settings Modification By Uncommon Process test
Splunk Windows Unsigned MS DLL Side-Loading production
Sigma WINEKEY Registry Modification test
Sigma Winlogon Helper DLL test
Sigma Winlogon Notify Key Logon Persistence test
Splunk WinLogon Registry Key Modified (PowerShell)
Splunk WinLogon Registry Key Modified (Sysmon)
Sigma WinRAR Creating Files in Startup Locations experimental
Sigma WinSock2 Autorun Keys Modification test
Sigma Wow6432Node Classes Autorun Keys Modification test
Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 87 rules

Splunk Add DLL_EXE Registry Value (Sysmon)
Sigma Classes Autorun Keys Modification test
Sigma Common Autorun Keys Modification test
Sigma CurrentControlSet Autorun Keys Modification test
YARA-L CurrentControlSet Autorun Keys Modification
Sigma CurrentVersion Autorun Keys Modification test
YARA-L CurrentVersion Autorun Keys Modification
Sigma CurrentVersion NT Autorun Keys Modification test
Sigma Direct Autorun Keys Modification test
YARA-L Direct Autorun Keys Modification
Splunk Execution from Startup Folder (Sysmon)
Splunk Execution from Startup Folder (Windows Event Log)
Elastic Execution of Persistent Suspicious Program production
Sigma File Creation In Suspicious Directory By Msdt.EXE test
Splunk File Written to Startup Folder - Windows (Sysmon)
Splunk File Written to Startup Folder - Windows (Windows Event Log)
Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
Sigma Internet Explorer Autorun Keys Modification test
Sigma Kapeka Backdoor Autorun Persistence test
Elastic Lateral Movement via Startup Folder production
Sigma Leviathan Registry Key Activity test
Sigma Modify User Shell Folders Startup Value test
YARA-L Modify User Shell Folders Startup Value
Sigma Narrator's Feedback-Hub Persistence test
Splunk New AutoRun Registry Key (PowerShell)
Sigma New RUN Key Pointing to Suspicious Folder experimental
YARA-L New RUN Key Pointing to Suspicious Folder
Sigma Office Autorun Keys Modification test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Hidden Run Key Detected production
Elastic Persistence via WMI Standard Registry Provider production
Elastic Persistent Scripts in the Startup Directory production
Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
Elastic Potential Persistence via Mandatory User Profile production
Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
Elastic Potential REMCOS Trojan Execution production
Sigma Potential Ryuk Ransomware Activity stable
Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
YARA-L Potential Suspicious Activity Using SeCEdit
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Registry Keys Used For Persistence production
Sigma Registry Persistence via Explorer Run Key test
Kusto Registry Run Keys - Suspicious Registry Run Keys
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Session Manager Autorun Keys Modification test
YARA-L Session Manager Autorun Keys Modification
Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
Elastic Shortcut File Written or Modified on Startup Folder production building block
Sigma Startup Folder File Write test
Splunk Startup Folder Location Modified - Windows (PowerShell)
Splunk Startup Folder Location Modified - Windows (Sysmon)
Splunk Startup Folder Location Modified - Windows (Windows Event Log)
Elastic Startup Folder Persistence via Unsigned Process production
Elastic Startup or Run Key Registry Modification production
Elastic Startup Persistence by a Suspicious Process production
Sigma Suspicious Autorun Registry Modified via WMI experimental
Sigma Suspicious PowerShell In Registry Run Keys test
YARA-L Suspicious Powershell In Registry Run Keys
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Sigma Suspicious Run Key from Download test
Sigma Suspicious Startup Folder Persistence test
Elastic Suspicious Startup Shell Folder Modification production
Sigma Suspicious VBScript UN2452 Pattern test
Sigma System Scripts Autorun Keys Modification test
Elastic Uncommon Registry Persistence Change production
Sigma User Shell Folders Registry Modification via CommandLine experimental
Sigma VBScript Payload Stored in Registry test
Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
Sigma Windows Event Log Access Tampering Via Registry experimental
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows PowerShell MSIX Package Installation production
Splunk Windows Registry BootExecute Modification production
Splunk Windows Registry Modification for Safe Mode Persistence production
Sigma WinRAR Creating Files in Startup Locations experimental
Sigma WinSock2 Autorun Keys Modification test
Sigma Wow6432Node Classes Autorun Keys Modification test
Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test

Boot or Logon Autostart Execution: Authentication Package T1547.002 8 rules

Elastic Authorization Plugin Modification production
Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
Elastic Potential LSA Authentication Package Abuse production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Suspicious Activity Using SeCEdit test

Boot or Logon Autostart Execution: Time Providers T1547.003 3 rules

Sigma New TimeProviders Registered With Uncommon DLL Name test
Elastic Potential Persistence via Time Provider Modification production
Splunk Time Provider Persistence Registry production

Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 8 rules

Sigma MITRE BZAR Indicators for Persistence test
Elastic Persistence via WMI Standard Registry Provider production
Splunk Unusual winlogon.exe Child Process (Sysmon)
Splunk Unusual winlogon.exe Child Process (Windows Event Log)
Sigma Winlogon Helper DLL test
Sigma Winlogon Notify Key Logon Persistence test
Splunk WinLogon Registry Key Modified (PowerShell)
Splunk WinLogon Registry Key Modified (Sysmon)

Boot or Logon Autostart Execution: Security Support Provider T1547.005 7 rules

Elastic Installation of Security Support Provider production
Elastic Mimikatz Memssp Log File Detected production
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Security Support Provider (SSP) Added to LSA Configuration test
Elastic Suspicious Module Loaded by LSASS production
Splunk Windows Security Support Provider Reg Query production

Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 28 rules

Elastic Attempt to Unload Elastic Endpoint Security Kernel Extension production
Elastic BPF Program or Map Load via bpftool production
Elastic First Time Seen Driver Loaded production
Elastic Kernel Driver Load production
Elastic Kernel Driver Load by non-root User production
Sigma Kernel Extension Loaded from Temporary Directory experimental
Elastic Kernel Load or Unload via Kexec Detected production
Elastic Kernel Module Load from Unusual Location production
Elastic Kernel Module Load via Built-in Utility production
Elastic Kernel Module Removal production
Elastic Kernel Object File Creation production
Splunk Linux Auditd Insert Kernel Module Using Insmod Utility production
Splunk Linux Auditd Install Kernel Module Using Modprobe Utility production
Splunk Linux Auditd Kernel Module Using Rmmod Utility production
Splunk Linux Auditd Unload Module Via Modprobe production
Splunk Linux File Created In Kernel Driver Directory production
Splunk Linux Insert Kernel Module Using Insmod Utility production
Splunk Linux Install Kernel Module Using Modprobe Utility production
Elastic Loadable Kernel Module Configuration File Creation production
Sigma Loading of Kernel Module via Insmod test
Elastic Potential Persistence via File Modification production
Elastic Suspicious Modprobe File Event production building block
Elastic Suspicious Usage of bpf_probe_write_user Helper production
Elastic Tainted Kernel Module Load production
Elastic Tainted Out-Of-Tree Kernel Module Load production
Sigma Unsigned Kernel Extension Load Attempt experimental
Splunk Windows Snake Malware Kernel Driver Comadmin production
Splunk Windows Snake Malware Service Create production

Boot or Logon Autostart Execution: LSASS Driver T1547.008 4 rules

Sigma DLL Load via LSASS test
Sigma Security package (SSP) added (Reg via command) experimental
Sigma Security package (SSP) loaded into LSA (native) experimental
Splunk Windows Autostart Execution LSASS Driver Registry Modification production

Boot or Logon Autostart Execution: Shortcut Modification T1547.009 13 rules

Sigma Creation Exe for Service with Unquoted Path test
Sigma Desktop.INI Created by Uncommon Process test
Sigma New Custom Shim Database Created test
Sigma NTFS hard link creation experimental
Sigma NTFS symbolic link configuration change experimental
Sigma NTFS symbolic link creation experimental
Elastic Persistence via Docker Shortcut Modification production
Elastic Persistent Scripts in the Startup Directory production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Shortcut File Written or Modified on Startup Folder production building block
Splunk Symbolic OR Hard File Link Created (PowerShell)
Splunk Symbolic OR Hard File Link Created (Windows Event Log)
Sigma Windows Network Access Suspicious desktop.ini Action test

Boot or Logon Autostart Execution: Port Monitors T1547.010 11 rules

Sigma Add Port Monitor Persistence in Registry test
Sigma Bypass UAC Using Event Viewer test
Sigma Default RDP Port Changed to Non Standard Port test
YARA-L Default RDP Port Changed to Non Standard Port
Splunk Monitor Registry Keys for Print Monitors production
Elastic Potential Port Monitor or Print Processor Registration Abuse production
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental

Boot or Logon Autostart Execution: Plist Modification T1547.011 3 rules

Panther CrowdStrike MacOS plutil Novel Plist Modification (Anomaly Detection) Experimental
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production

Boot or Logon Autostart Execution: Print Processors T1547.012 8 rules

Elastic Potential Port Monitor or Print Processor Registration Abuse production
Splunk Print Processor Registry Autostart production
Splunk Print Spooler Adding A Printer Driver production
Splunk Print Spooler Failed to Load a Plug-in production
Splunk Spoolsv Spawning Rundll32 production
Splunk Spoolsv Suspicious Loaded Modules production
Splunk Spoolsv Writing a DLL production
Splunk Spoolsv Writing a DLL - Sysmon production

Boot or Logon Autostart Execution: XDG Autostart Entries T1547.013 5 rules

Elastic Executable Bit Set for Potential Persistence Script production
Elastic KDE AutoStart Script or Desktop File Creation production
Elastic Network Connections Initiated Through XDG Autostart Entry production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production

Boot or Logon Autostart Execution: Active Setup T1547.014 4 rules

Splunk Active Setup Registry Autostart production
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Uncommon Registry Persistence Change production
Splunk Windows Audit Policy Auditing Option Modified - Registry production

Boot or Logon Autostart Execution: Login Items T1547.015 2 rules

Elastic Creation of Hidden Login Item via Apple Script production
Sigma Windows Terminal Profile Settings Modification By Uncommon Process test

Compromise Host Software Binary T1554 32 rules

Splunk Circle CI Disable Security Job production
Splunk Circle CI Disable Security Step experimental
Elastic Deprecated - Adobe Hijack Persistence production
Sigma DNS HybridConnectionManager Service Bus test
Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available
Splunk GitHub Workflow File Creation or Modification production
Kusto GWorkspace - Unexpected OS update available
Sigma HybridConnectionManager Service Installation test
Sigma HybridConnectionManager Service Running test
Sigma Linux Setgid Capability Set on a Binary via Setcap Utility experimental
Sigma Linux Setuid Capability Set on a Binary via Setcap Utility experimental
Kusto Potential Build Process Compromise
Kusto Potential Build Process Compromise - MDE available
Elastic Potential Masquerading as Browser Process production building block
Elastic Potential Masquerading as Communication Apps production
Elastic Potential Masquerading as System32 DLL production building block
Elastic Potential Masquerading as System32 Executable production building block
Elastic Potential Masquerading as VLC DLL production building block
Elastic Potential OpenSSH Backdoor Logging Activity production
Elastic Potential SSH Password Grabbing via strace production
Kusto RecordedFuture Threat Hunting Hash All Actors
Elastic Renaming of OpenSSH Binaries production
Splunk Shai-Hulud Workflow File Creation or Modification production
Elastic Sublime Plugin or Application Script Modification production
Kusto SUNSPOT malware hashes available
Elastic Suspicious Communication App Child Process production
Elastic Suspicious Outlook Child Process production building block
Elastic Unusual Exim4 Child Process production
Elastic Unusual Process Modifying GenAI Configuration File production

Modify Authentication Process T1556 145 rules

Panther AppOmni Alert Passthrough
Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk ASL AWS New MFA Method Registered For User production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Deactivate an Okta Policy Rule production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Elastic Authentication via Unusual PAM Grantor production
Elastic Authorization Plugin Modification production
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Identity Center Identity Provider Change test
Splunk AWS Multi-Factor Authentication Disabled production
YARA-L AWS MultiFactor Authentication Disabled
YARA-L AWS New MFA Method Registered For User
Splunk AWS New MFA Method Registered For User production
Elastic AWS RDS DB Instance Made Public production
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS STS AssumeRole with New MFA Device production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD New MFA Method Registered For User production
Sigma Azure AD Only Single Factor Authentication Required test
Panther Azure Authentication Methods Policy OIDC Discovery URL Changed
Panther Azure Domain Federation Settings Modified
Panther Azure MFA Disabled
Kusto Azure secure score block legacy authentication available
Kusto BTP - Cloud Identity Service application configuration monitor available
Kusto BTP - Trust and authorization Identity Provider monitor available
Sigma CA Policy Removed by Non Approved Actor test
Sigma CA Policy Updated by Non Approved Actor test
Sigma Certificate-Based Authentication Enabled test
Sigma Change to Authentication Method test
Splunk Cisco ASA - AAA Policy Tampering production
Sigma Cisco Dot1x Disabled experimental
Splunk Cisco Duo Admin Login Unusual Browser production
Splunk Cisco Duo Admin Login Unusual Country production
Splunk Cisco Duo Admin Login Unusual Os production
Splunk Cisco Duo Bulk Policy Deletion production
Splunk Cisco Duo Bypass Code Generation production
Splunk Cisco Duo Policy Allow Devices Without Screen Lock production
Splunk Cisco Duo Policy Allow Network Bypass 2FA production
Splunk Cisco Duo Policy Allow Old Flash production
Splunk Cisco Duo Policy Allow Old Java production
Splunk Cisco Duo Policy Allow Tampered Devices production
Splunk Cisco Duo Policy Bypass 2FA production
Splunk Cisco Duo Policy Deny Access production
Splunk Cisco Duo Policy Skip 2FA for Other Countries production
Splunk Cisco Duo Set User Status to Bypass 2FA production
Splunk Cisco Network Interface Modifications production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Panther Databricks MFA Key Change Experimental
Panther Databricks SSO Configuration Changed Experimental
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect suspicious conditional access policy modifications
Sigma Directory Service Restore Mode(DSRM) Registry Value Tampering test
Sigma Disabled MFA to Bypass Authentication Mechanisms test
Sigma Disabling Multi Factor Authentication test
Splunk Disabling Windows Local Security Authority Defences via Registry production
Sigma Dropping Of Password Filter DLL test
Elastic Entra ID Conditional Access Policy (CAP) Modified production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID External Authentication Methods (EAM) Modified production
Elastic Entra ID MFA Disabled for User production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Kusto Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
Kusto External User Access Enabled
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Splunk GCP Multi-Factor Authentication Disabled production
Sigma Github High Risk Configuration Disabled test
Kusto GitLab - Repository visibility to Public available
Elastic Google Workspace 2SV Policy Disabled production
YARA-L Google Workspace MFA Disabled
Elastic Google Workspace MFA Enforcement Disabled production
Panther GSuite User Two Step Verification Change
Kusto Keeper Security - Password Changed available
Kusto Keeper Security - User MFA Changed available
Sigma macOS Configuration Profile Installation experimental
Elastic MFA Deactivation with no Re-Activation for Okta User Account production
Panther MFA Disabled
Elastic MFA Disabled for Google Workspace Organization production
Panther Microsoft365 MFA Disabled
Elastic Mimikatz Memssp Log File Detected production
Elastic Modification or Removal of an Okta Application Sign-On Policy production
Kusto Multi-Factor Authentication Disabled for a User available
Elastic Network Logon Provider Registry Modification production
Kusto New Device/Location sign-in along with critical operation available
Elastic New Okta Identity Provider (IdP) Added by Admin production
Sigma New Root Certificate Authority Added test
Splunk O365 Disable MFA production
Splunk O365 Excessive SSO logon errors production
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Panther Okta Authentication Bypass via Skeleton Key Injection - Behavioral Experimental
Panther Okta Cleartext Passwords Extracted via SCIM Application
Panther Okta Identity Provider Created or Modified
Panther Okta MFA Globally Disabled
Sigma Okta MFA Reset or Deactivated test
Splunk Okta Multi-Factor Authentication Disabled production
Panther Okta Org2Org application created of modified
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Panther Okta Sign-In from VPN Anonymizer
YARA-L Okta User Password and MFA Factor Reset or Deactivated
Panther OneLogin Authentication Factor Removed
YARA-L OneLogin User Authentication Factor Removed
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Polkit Policy Creation production
Sigma Possible Shadow Credentials Added test
Elastic Potential Backdoor Execution Through PAM_EXEC production
Elastic Potential Execution via SSH Backdoor production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Elastic Potential OpenSSH Backdoor Logging Activity production
Elastic Potential Persistence via File Modification production
Elastic Potential Shadow Credentials added to AD Object production
Elastic Potential SSH Password Grabbing via strace production
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Powershell Install a DLL in System Directory test
Kusto Red Sift - MFA disabled on account available
Elastic Renaming of OpenSSH Binaries production
Kusto Rouge RDP: Suspicious File Creation
Panther Slack IDP Configuration Changed
Panther Slack SSO Settings Changed
Panther Snowflake Login Without MFA
Panther Snowflake Login Without MFA
Elastic Stolen Credentials Used to Login to Okta Account After MFA Reset production
Splunk Suspicious Certificate Authentication (Windows Event Log)
Splunk Suspicious Certificate Modification (Windows Event Log)
Kusto Suspicious Sign In Followed by MFA Modification available
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Elastic Unusual Process Modifying GenAI Configuration File production
Sigma User Added To Group With CA Policy Modification Access test
Sigma User Removed From Group With CA Policy Modification Access test
Kusto VMware ESXi - Root password changed available
Panther Wiz Update Login Settings

Modify Authentication Process: Password Filter DLL T1556.002 5 rules

Sigma Dropping Of Password Filter DLL test
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Powershell Install a DLL in System Directory test

Modify Authentication Process: Pluggable Authentication Modules T1556.003 5 rules

Elastic Authentication via Unusual PAM Grantor production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Potential Backdoor Execution Through PAM_EXEC production

Modify Authentication Process: Network Device Authentication T1556.004 2 rules

Splunk Cisco ASA - AAA Policy Tampering production
Sigma Cisco Dot1x Disabled experimental

Modify Authentication Process: Multi-Factor Authentication T1556.006 33 rules

Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk ASL AWS New MFA Method Registered For User production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Splunk AWS Multi-Factor Authentication Disabled production
YARA-L AWS MultiFactor Authentication Disabled
YARA-L AWS New MFA Method Registered For User
Splunk AWS New MFA Method Registered For User production
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS STS AssumeRole with New MFA Device production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD New MFA Method Registered For User production
Sigma Azure AD Only Single Factor Authentication Required test
Panther Azure Domain Federation Settings Modified
Sigma Disabling Multi Factor Authentication test
Elastic Entra ID MFA Disabled for User production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Splunk GCP Multi-Factor Authentication Disabled production
Elastic Google Workspace MFA Enforcement Disabled production
Elastic MFA Deactivation with no Re-Activation for Okta User Account production
Sigma Okta MFA Reset or Deactivated test
Splunk Okta Multi-Factor Authentication Disabled production
YARA-L Okta User Password and MFA Factor Reset or Deactivated
YARA-L OneLogin User Authentication Factor Removed
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Panther Slack MFA Settings Changed
Elastic Stolen Credentials Used to Login to Okta Account After MFA Reset production
Kusto Suspicious Sign In Followed by MFA Modification available

Modify Authentication Process: Hybrid Identity T1556.007 6 rules

Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Elastic Entra ID Domain Federation Configuration Change production
Panther MongoDB Identity Provider Activity
Elastic New Okta Identity Provider (IdP) Added by Admin production
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production

Modify Authentication Process: Network Provider DLL T1556.008 1 rule

Elastic Network Logon Provider Registry Modification production

Modify Authentication Process: Conditional Access Policies T1556.009 13 rules

Elastic AWS RDS DB Instance Made Public production
Panther Azure Authentication Methods Policy OIDC Discovery URL Changed
Panther Crowdstrike IP Allowlist Changed
Panther Crowdstrike Single IP Allowlisted
Kusto Detect suspicious conditional access policy modifications
Elastic Entra ID Conditional Access Policy (CAP) Modified production
Elastic Entra ID External Authentication Methods (EAM) Modified production
Panther GCP Org or Folder Policy Was Changed Manually
Elastic Modification or Removal of an Okta Application Sign-On Policy production
Panther MongoDB access allowed from anywhere
Panther MongoDB org membership restriction disabled
Panther Wiz Update IP Restrictions
Panther ZIA Insecure Password Settings

Power Settings T1653 1 rule

Sigma Mask System Power Settings Via Systemctl experimental

No specific technique 97 rules

Sigma Add Debugger Entry To AeDebug For Persistence test
Sigma Add Debugger Entry To Hangs Key For Persistence test
Sigma Anydesk Remote Access Software Service Installation test
Panther AWS Bedrock Model Invocation GuardRail Intervened Experimental
Sigma AWS EnableRegion Command Monitoring experimental
Sigma COLDSTEEL Persistence Service Creation test
Sigma COLDSTEEL RAT Anonymous User Process Execution test
Sigma COLDSTEEL RAT Cleanup Command Execution test
Sigma COLDSTEEL RAT Service Persistence Execution test
Panther CrowdStrike MacOS plutil Novel Plist Modification
Sigma CVE-2024-1708 - ScreenConnect Path Traversal Exploitation test
Sigma CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security test
Sigma CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation test
Sigma Enable Local Manifest Installation With Winget test
Sigma FortiGate - User Group Modified experimental
Sigma GitHub Repository Archive Status Changed experimental
Sigma Goofy Guineapig Backdoor Service Creation test
YARA-L Google Cloud identity low and medium alert escalation
Sigma Google Cloud Kubernetes CronJob test
YARA-L Google Workspace Application Added
Sigma Ingress Port 22 Opened test
Sigma Kubernetes CronJob/Job Modification test
Sigma macOS ESF Suspicious File Creation in Persistence Locations experimental
Sigma MSSQL Add Account To Sysadmin Role test
Sigma MSSQL SPProcoption Set test
Sigma Multi Factor Authentication Disabled For User Account test
Sigma NetSupport Manager Service Install test
Sigma Network Security Group Rule Created test
Sigma New ODBC Driver Registered test
Sigma Okta Admin Role Assignment Created test
Sigma Okta API Token Created test
Sigma Persistence Via Disk Cleanup Handler - Autorun test
Sigma Persistence Via Hhctrl.ocx test
Sigma Persistence Via TypedPaths - CommandLine test
Sigma Potential Binary Or Script Dropper Via PowerShell test
Sigma Potential COLDSTEEL Persistence Service DLL Creation test
Sigma Potential COLDSTEEL Persistence Service DLL Load test
Sigma Potential COLDSTEEL RAT File Indicators test
Sigma Potential COLDSTEEL RAT Windows User Creation test
Sigma Potential CVE-2023-36884 Exploitation Dropped File test
Sigma Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection test
Sigma Potential Encrypted Registry Blob Related To SNAKE Malware test
Sigma Potential KamiKakaBot Activity - Shutdown Schedule Task Creation test
Sigma Potential Persistence Attempt Via ErrorHandler.Cmd test
Sigma Potential Persistence Via AutodialDLL test
Sigma Potential Persistence Via CHM Helper DLL test
Sigma Potential Persistence Via Disk Cleanup Handler - Registry test
Sigma Potential Persistence Via DLLPathOverride test
Sigma Potential Persistence Via LSA Extensions test
Sigma Potential Persistence Via Mpnotify test
Sigma Potential Persistence Via MyComputer Registry Keys test
Sigma Potential Persistence Via New AMSI Providers - Registry test
Sigma Potential Persistence Via Notepad++ Plugins test
Sigma Potential Persistence Via Security Descriptors - ScriptBlock test
Sigma Potential Persistence Via TypedPaths test
Sigma Potential Privilege Escalation Attempt Via .Exe.Local Technique test
Sigma Potential SentinelOne Shell Context Menu Scan Command Tampering test
Sigma Potential Suspicious BPF Activity - Linux test
Sigma Potential Suspicious PowerShell Module File Created test
Sigma Potential Suspicious Winget Package Installation test
Sigma Potentially Suspicious Shell Script Creation in Profile Folder test
Sigma PowerShell Module File Created test
Sigma PowerShell Module File Created By Non-PowerShell Process test
Sigma PowerShell Script Dropped Via PowerShell.EXE test
Sigma Register New IFiltre For Persistence test
Sigma Remote Access Tool - Ammy Admin Agent Execution test
Sigma Remote Access Tool - Cmd.EXE Execution via AnyViewer test
Sigma Remote Utilities Host Service Install test
Sigma RTCore Suspicious Service Installation test
Kusto SAP LogServ - HANA DB - Audit Trail Policy Changes available
Kusto SAP LogServ - HANA DB - Deactivation of Audit Trail available
Kusto Scheduled Task - Suspicious Network Connection
Sigma Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor test
Sigma Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler test
Sigma ScreenConnect User Database Modification test
Sigma Shell Context Menu Command Tampering test
Sigma Shell Process Spawned by Java.EXE test
Panther Signal - Notion Account Changed
Sigma Small Sieve Malware Registry Persistence test
Sigma SNAKE Malware Covert Store Registry Key test
Sigma SNAKE Malware Service Persistence test
Kusto SUNBURST suspicious SolarWinds child processes
Sigma Suspicious Child Process Of Veeam Dabatase test
Sigma Suspicious Environment Variable Has Been Registered test
Sigma Suspicious File Creation Activity From Fake Recycle.Bin Folder test
Sigma Suspicious Process Execution From Fake Recycle.Bin Folder test
Sigma Suspicious Processes Spawned by Java.EXE test
Sigma Suspicious Shells Spawn by Java Utility Keytool test
Sigma Suspicious WindowsTerminal Child Processes test
YARA-L Unauthorized KMS Decryption
Sigma UNC4841 - Barracuda ESG Exploitation Indicators test
Sigma UNC4841 - Email Exfiltration File Pattern test
Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage test
Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript test
Sigma User Added To Root/Sudoers Group Using Usermod test
Sigma User Risk and MFA Registration Policy Updated test
Sigma Winget Admin Settings Modification test

Privilege Escalation

Boot or Logon Initialization Scripts T1037 37 rules

YARA-L AWS EC2 User Data Modified
Elastic Chkconfig Service Add production
Panther Databricks Global Init Script Changes Experimental
Elastic Executable Bit Set for Potential Persistence Script production
Elastic GenAI Process Accessing Sensitive Files production
Splunk Linux File Creation In Init Boot Directory production
Splunk Logon Script Event Trigger Execution production
Splunk Logon Script Registry Key added (EDR)
Splunk Logon Script Registry Key added (PowerShell)
Splunk Logon Script Registry Key added (Sysmon)
Splunk Logon Script Registry Key added (Windows Event Log)
Splunk MacOS LoginHook Persistence production
Elastic Message-of-the-Day (MOTD) File Creation production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Persistence via Folder Action Script production
Elastic Persistence via Login or Logout Hook production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Execution of rc.local Script production
Elastic Potential Persistence via Atom Init Script Modification production
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Login Hook production
Sigma Potential Persistence Via Logon Scripts - CommandLine test
Sigma Potential Persistence Via Logon Scripts - Registry test
Elastic Potential Suspicious File Edit production
Elastic Process Spawned from Message-of-the-Day (MOTD) production
Elastic rc.local/rc.common File Creation production
Sigma Startup Item File Created - MacOS test
Elastic Startup/Logon Script added to Group Policy Object production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Elastic Suspicious rc.local Error Message production
Elastic Suspicious StartupItem Plist Creation production
Elastic System V Init Script Created production
Elastic Systemd-udevd Rule File Creation production
Elastic Uncommon Registry Persistence Change production
Sigma Uncommon Userinit Child Process test
Elastic Unusual Exim4 Child Process production

Boot or Logon Initialization Scripts: Logon Script (Windows) T1037.001 8 rules

Splunk Logon Script Event Trigger Execution production
Splunk Logon Script Registry Key added (EDR)
Splunk Logon Script Registry Key added (PowerShell)
Splunk Logon Script Registry Key added (Sysmon)
Splunk Logon Script Registry Key added (Windows Event Log)
Sigma Potential Persistence Via Logon Scripts - CommandLine test
Sigma Potential Persistence Via Logon Scripts - Registry test
Sigma Uncommon Userinit Child Process test

Boot or Logon Initialization Scripts: Login Hook T1037.002 3 rules

Splunk MacOS LoginHook Persistence production
Elastic Persistence via Login or Logout Hook production
Elastic Potential Persistence via Login Hook production

Boot or Logon Initialization Scripts: RC Scripts T1037.004 11 rules

Elastic Executable Bit Set for Potential Persistence Script production
Elastic GenAI Process Accessing Sensitive Files production
Splunk Linux File Creation In Init Boot Directory production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Execution of rc.local Script production
Elastic Potential Persistence via File Modification production
Elastic Potential Suspicious File Edit production
Elastic rc.local/rc.common File Creation production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Elastic Suspicious rc.local Error Message production
Elastic System V Init Script Created production

Boot or Logon Initialization Scripts: Startup Items T1037.005 2 rules

Sigma Startup Item File Created - MacOS test
Elastic Suspicious StartupItem Plist Creation production

Scheduled Task/Job T1053 197 rules

Elastic A scheduled task was created production
Elastic At Job Created or Modified production
Elastic At.exe Command Lateral Movement production building block
Kusto AV detections related to Tarrask malware available
Elastic Azure Automation Runbook Created or Modified production
Sigma Azure Kubernetes CronJob test
Sigma ChromeLoader Malware Execution test
Splunk Cisco Isovalent - Cron Job Creation production
Sigma Cisco Modify Configuration test
Splunk Cisco Secure Firewall - Wget or Curl Download production
Splunk Create_Modify Schtasks (PowerShell)
Splunk Create_Modify Schtasks (Sysmon)
Splunk Create_Modify Schtasks (Windows Event Log)
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Kusto Critical Risks available
Elastic Cron Job Created or Modified production
Sigma Defrag Deactivation test
Sigma Defrag Deactivation - Security test
Kusto Detect Rare scheduled task created
Kusto Detect Unsigned executable launch from scheduled task
Sigma Diamond Sleet APT Scheduled Task Creation test
Elastic Executable Bit Set for Potential Persistence Script production
Sigma Fortinet APT group abuse on Windows (task) experimental
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - CrackMapExec Execution Patterns stable
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Sigma HackTool - SharPersist Execution test
Sigma HAFNIUM Exchange Exploitation Activity test
Splunk Hidden Scheduled Task Created - Windows (Windows Event Log)
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Important Scheduled Task Deleted/Disabled test
Sigma Interactive AT Job test
Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
Sigma Kapeka Backdoor Persistence Activity test
Sigma Kapeka Backdoor Scheduled Task Creation test
Splunk Kubernetes Cron Job Creation production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production
Splunk Linux Add Files In Known Crontab Directories production
Splunk Linux Adding Crontab Using List Parameter production
Splunk Linux At Allow Config File Creation production
Splunk Linux At Application Execution production
Splunk Linux Auditd At Application Execution production
Splunk Linux Auditd Edit Cron Table Parameter production
Splunk Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
Splunk Linux Auditd Service Restarted production
Splunk Linux Edit Cron Table Parameter production
Splunk Linux Possible Append Command To At Allow Config File production
Splunk Linux Possible Append Cronjob Entry on Existing Cronjob File production
Splunk Linux Possible Cronjob Modification With Editor production
Splunk Linux Service File Created In Systemd Directory production
Splunk Linux Service Restarted production
Splunk Linux Service Started Or Enabled production
Elastic Local Scheduled Task Creation production
Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
Kusto Mimecast Secure Email Gateway - AV available
Kusto Mimecast Secure Email Gateway - AV
Kusto Mimecast Secure Email Gateway - Virus available
Kusto Mimecast Secure Email Gateway - Virus
YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
Sigma MITRE BZAR Indicators for Execution test
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Modifying Crontab test
Kusto New Agent Added to Pool by New User or Added to a New OS Type available
Sigma New Cron File Created experimental
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Kusto Pathlock TDnR - SAP Batch Job Events available
Kusto Pathlock TDnR - SAP System Job Monitoring Events available
Sigma Persistence and Execution at Scale via GPO Scheduled Task test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Scheduled Job Creation production
Kusto Persistence Via Scheduled Tasks
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Elastic Pod or Container Creation with Suspicious Command-Line production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential ACTINIUM Persistence Activity test
Sigma Potential BearLPE Exploitation test
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
Elastic Potential Persistence via Periodic Tasks production
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
Sigma Powershell Create Scheduled Task test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Root Crontab File Modification production
Splunk Randomly Generated Scheduled Task Name experimental
Splunk Rare Schedule Task Created (Windows Event Log)
Splunk Rare Scheduled Task (Windows Event Log)
Sigma Remote schedule task creation via named pipes (ATexec) experimental
Sigma Remote Schedule Task Lateral Movement via ATSvc test
Sigma Remote Schedule Task Lateral Movement via ITaskSchedulerService test
Sigma Remote Schedule Task Lateral Movement via SASec test
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Remote Task Creation via ATSVC Named Pipe test
Sigma Remote Task Creation via ATSVC Named Pipe - Zeek test
Sigma Renamed Schtasks Execution experimental
Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
Splunk Schedule Task with HTTP Command Arguments production
Splunk Schedule Task with Rundll32 Command Trigger production
Sigma Scheduled Cron Task/Job - Linux test
Sigma Scheduled Cron Task/Job - MacOs test
Sigma Scheduled persistent task with SYSTEM privileges creation experimental
Sigma Scheduled Task Created - FileCreation test
Sigma Scheduled Task Created - Registry test
Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Splunk Scheduled Task Creation on Remote Endpoint using At production
Sigma Scheduled Task Creation Via Schtasks.EXE test
Sigma Scheduled task creation with command line experimental
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Splunk Scheduled Task Deleted Or Created via CMD production
Sigma Scheduled Task Deletion test
Sigma Scheduled Task Executed From A Suspicious Location test
Sigma Scheduled Task Executed Uncommon LOLBIN test
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic Scheduled Task Execution at Scale via GPO production
Splunk Scheduled Task Initiation on Remote Endpoint production
Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
Sigma Scheduled Task/Job At stable
Sigma Scheduled TaskCache Change by Uncommon Program test
Elastic Scheduled Tasks AT Command Enabled production
Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
Sigma Schtasks From Suspicious Folders test
Splunk Schtasks Run Task On Demand production
Splunk Schtasks scheduling job on remote system production
Splunk Schtasks used for forcing a reboot production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Splunk Short Lived Scheduled Task production
Sigma Suspicious Command Patterns In Scheduled Task Creation test
Panther Suspicious cron detected
Elastic Suspicious CronTab Creation or Modification production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution via Scheduled Task production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Sigma Suspicious Modification Of Scheduled Tasks test
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Sigma Suspicious Scheduled Task Creation test
Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Splunk Suspicious Scheduled Task from Public Directory production
Sigma Suspicious Scheduled Task Name As GUID test
Sigma Suspicious Scheduled Task Update test
Sigma Suspicious Scheduled Task Write to System32 Tasks test
Sigma Suspicious Schtasks Execution AppData Folder test
Sigma Suspicious Schtasks Schedule Type With High Privileges test
Sigma Suspicious Schtasks Schedule Types test
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Svchost LOLBAS Execution Process Spawn production
Elastic Systemd Timer Created production
Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
Panther Teleport Scheduled Jobs
Elastic Temporarily Scheduled Task Creation production
Sigma Triple Cross eBPF Rootkit Default Persistence test
Sigma Turla Group Commands May 2020 test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma Uncommon One Time Only Scheduled Task At 00:00 test
Elastic Unusual Scheduled Task Update production
Kusto Vulerabilities available
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Enable Win32 ScheduledJob via Registry production
Splunk Windows Hidden Schedule Task Settings production
Splunk Windows Level RMM Watchdog Task Created production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows Registry Delete Task SD production
Splunk Windows Scheduled Task Created in a Group Policy Object production
Splunk Windows Scheduled Task Created Via XML production
Splunk Windows Scheduled Task DLL Module Loaded production
Splunk Windows Scheduled Task Service Spawned Shell production
Splunk Windows Scheduled Task with Highest Privileges production
Splunk Windows Scheduled Task with Suspicious Command production
Splunk Windows Scheduled Task with Suspicious Name production
Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr production
Splunk Windows Schtasks Create Run As System production
Splunk WinEvent Scheduled Task Created to Spawn Shell production
Splunk WinEvent Scheduled Task Created Within Public Path production
Splunk WinEvent Windows Task Scheduler Event Action Started production

Scheduled Task/Job: At T1053.002 18 rules

Elastic At Job Created or Modified production
Elastic At.exe Command Lateral Movement production building block
Sigma Interactive AT Job test
Splunk Linux At Application Execution production
Splunk Linux Auditd At Application Execution production
Splunk Linux Possible Append Command To At Allow Config File production
Sigma MITRE BZAR Indicators for Execution test
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Sigma Remote Schedule Task Lateral Movement via ATSvc test
Sigma Remote Schedule Task Lateral Movement via ITaskSchedulerService test
Sigma Remote Schedule Task Lateral Movement via SASec test
Sigma Remote Task Creation via ATSVC Named Pipe test
Sigma Remote Task Creation via ATSVC Named Pipe - Zeek test
Splunk Scheduled Task Creation on Remote Endpoint using At production
Sigma Scheduled Task/Job At stable
Elastic Scheduled Tasks AT Command Enabled production

Scheduled Task/Job: Cron T1053.003 29 rules

Sigma Azure Kubernetes CronJob test
Splunk Cisco Isovalent - Cron Job Creation production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Elastic Cron Job Created or Modified production
Elastic Executable Bit Set for Potential Persistence Script production
Panther GCP GKE Kubernetes Cron Job Created Or Modified
Panther Kubernetes CronJob Created or Modified Experimental
Splunk Linux Add Files In Known Crontab Directories production
Splunk Linux Adding Crontab Using List Parameter production
Splunk Linux At Allow Config File Creation production
Splunk Linux Auditd Edit Cron Table Parameter production
Splunk Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File production
Splunk Linux Edit Cron Table Parameter production
Splunk Linux Possible Append Cronjob Entry on Existing Cronjob File production
Splunk Linux Possible Cronjob Modification With Editor production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Modifying Crontab test
Sigma New Cron File Created experimental
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Periodic Tasks production
Elastic Privilege Escalation via Root Crontab File Modification production
Sigma Scheduled Cron Task/Job - Linux test
Sigma Scheduled Cron Task/Job - MacOs test
Elastic Suspicious CronTab Creation or Modification production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Sigma Triple Cross eBPF Rootkit Default Persistence test

Scheduled Task/Job: Scheduled Task T1053.005 118 rules

Elastic A scheduled task was created production
Elastic At.exe Command Lateral Movement production building block
Panther Azure Automation Schedule Created or Modified
Sigma ChromeLoader Malware Execution test
Splunk Create_Modify Schtasks (PowerShell)
Splunk Create_Modify Schtasks (Sysmon)
Splunk Create_Modify Schtasks (Windows Event Log)
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Sigma Defrag Deactivation test
Kusto Detect Rare scheduled task created
Kusto Detect Unsigned executable launch from scheduled task
Sigma Diamond Sleet APT Scheduled Task Creation test
Sigma Fortinet APT group abuse on Windows (task) experimental
Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Sigma Important Scheduled Task Deleted/Disabled test
Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
Sigma Kapeka Backdoor Persistence Activity test
Sigma Kapeka Backdoor Scheduled Task Creation test
Elastic Local Scheduled Task Creation production
Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Elastic Outbound Scheduled Task Activity via PowerShell production
Sigma Persistence and Execution at Scale via GPO Scheduled Task test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Scheduled Job Creation production
Kusto Persistence Via Scheduled Tasks
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential ACTINIUM Persistence Activity test
Sigma Potential BearLPE Exploitation test
Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
Sigma Powershell Create Scheduled Task test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Randomly Generated Scheduled Task Name experimental
Splunk Rare Schedule Task Created (Windows Event Log)
Splunk Rare Scheduled Task (Windows Event Log)
Sigma Remote schedule task creation via named pipes (ATexec) experimental
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Renamed Schtasks Execution experimental
Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
Sigma Scheduled persistent task with SYSTEM privileges creation experimental
Sigma Scheduled Task Created - FileCreation test
Sigma Scheduled Task Created - Registry test
Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
Elastic Scheduled Task Created by a Windows Script production
Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Sigma Scheduled Task Creation Via Schtasks.EXE test
Sigma Scheduled task creation with command line experimental
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Splunk Scheduled Task Deleted Or Created via CMD production
Sigma Scheduled Task Deletion test
Sigma Scheduled Task Executed From A Suspicious Location test
Sigma Scheduled Task Executed Uncommon LOLBIN test
Sigma Scheduled Task Executing Encoded Payload from Registry test
Sigma Scheduled Task Executing Payload from Registry test
Elastic Scheduled Task Execution at Scale via GPO production
Splunk Scheduled Task Initiation on Remote Endpoint production
Sigma Scheduled TaskCache Change by Uncommon Program test
Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
Sigma Schtasks From Suspicious Folders test
Splunk Schtasks scheduling job on remote system production
Splunk Schtasks used for forcing a reboot production
Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
Splunk Short Lived Scheduled Task production
Sigma Suspicious Command Patterns In Scheduled Task Creation test
Elastic Suspicious Execution via Scheduled Task production
Elastic Suspicious Image Load (taskschd.dll) from MS Office production
Sigma Suspicious Modification Of Scheduled Tasks test
Sigma Suspicious Scheduled Task Creation test
Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Splunk Suspicious Scheduled Task from Public Directory production
Sigma Suspicious Scheduled Task Name As GUID test
Sigma Suspicious Scheduled Task Update test
Sigma Suspicious Schtasks Execution AppData Folder test
Sigma Suspicious Schtasks Schedule Type With High Privileges test
Sigma Suspicious Schtasks Schedule Types test
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Svchost LOLBAS Execution Process Spawn production
Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
Elastic Temporarily Scheduled Task Creation production
Sigma Turla Group Commands May 2020 test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma Uncommon One Time Only Scheduled Task At 00:00 test
Elastic Unusual Scheduled Task Update production
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Enable Win32 ScheduledJob via Registry production
Splunk Windows PowerShell ScheduleTask production
Splunk Windows Registry Delete Task SD production
Splunk Windows Scheduled Task Created in a Group Policy Object production
Splunk Windows Scheduled Task Created Via XML production
Splunk Windows Scheduled Task Service Spawned Shell production
Splunk Windows Scheduled Task with Highest Privileges production
Splunk Windows Scheduled Task with Suspicious Command production
Splunk Windows Scheduled Task with Suspicious Name production
Splunk Windows Schtasks Create Run As System production
Splunk WinEvent Scheduled Task Created to Spawn Shell production
Splunk WinEvent Scheduled Task Created Within Public Path production
Splunk WinEvent Windows Task Scheduler Event Action Started production

Scheduled Task/Job: Systemd Timers T1053.006 6 rules

Splunk Linux Auditd Service Restarted production
Splunk Linux Service File Created In Systemd Directory production
Splunk Linux Service Restarted production
Splunk Linux Service Started Or Enabled production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Systemd Timer Created production

Scheduled Task/Job: Container Orchestration Job T1053.007 4 rules

Splunk Cisco Isovalent - Cron Job Creation production
Splunk Kubernetes Cron Job Creation production
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production

Process Injection T1055 147 rules

Kusto ADWS Connection from Process Injection Target
Sigma Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection stable
Sigma APT PRIVATELOG Image Load Pattern test
Sigma ASLR Disabled Via Sysctl or Direct Syscall - Linux experimental
Splunk Cisco NVM - Non-Network Binary Making Network Connection production
Splunk Cisco NVM - Suspicious Network Connection From Process With No Args production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Sigma CobaltStrike Named Pipe test
Sigma CobaltStrike Named Pipe Pattern Regex test
Sigma CobaltStrike Named Pipe Patterns test
Elastic Conhost Spawned By Suspicious Parent Process production
Splunk Create Remote Thread In Shell Application production
Sigma Created Files by Microsoft Sync Center test
Sigma CreateRemoteThread API and LoadLibrary test
Splunk DLLHost with no Command Line Arguments with Network production
Sigma Dllhost.EXE Execution Anomaly test
Sigma DotNet CLR DLL Loaded By Scripting Applications test
Splunk GPUpdate with no Command Line Arguments with Network production
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - CoercedPotato Execution test
Sigma HackTool - CoercedPotato Named Pipe Creation test
Sigma HackTool - DInjector PowerShell Cradle Execution test
Sigma HackTool - EfsPotato Named Pipe Creation test
Sigma HackTool - HollowReaper Execution experimental
Sigma HackTool - LittleCorporal Generated Maldoc Injection test
Sigma HackTool - Potential CobaltStrike Process Injection test
Sigma Injected Browser Process Spawning Rundll32 - GuLoader Activity test
Splunk Known Process Injection Commands (PowerShell)
Splunk Known Process Injection Commands (Sysmon)
Splunk Known Process Injection Commands (Windows Event Log)
Elastic Linux Process Hooking via GDB production
Splunk Loading Of Dynwrapx Module production
Sigma Lummac Stealer Activity - Execution Of More.com And Vbc.exe experimental
Sigma Malicious Named Pipe Created test
Sigma Malware Shellcode in Verclsid Target Process test
Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Mavinject Inject DLL Into Running Process test
Kusto McAfee ePO - Multiple threats on same host available
Elastic Memory Threat - Detected - Elastic Defend production
Elastic Memory Threat - Prevented- Elastic Defend production
Sigma Microsoft Sync Center Suspicious Network Connections test
Splunk Named Pipe Created (Sysmon)
Sigma Network Connection Initiated Via Notepad.EXE test
Splunk Notepad with no Command Line Arguments production
Splunk Potential CVE-2023-23397 (EDR)
Splunk Potential CVE-2023-23397 (Sysmon)
Splunk Potential CVE-2023-23397 (Windows Event Log)
Sigma Potential DLL Injection Or Execution Using Tracker.exe test
Sigma Potential DLL Sideloading Using Coregen.exe test
Sigma Potential Dridex Activity stable
Sigma Potential Executable Run Itself As Sacrificial Process experimental
Sigma Potential Linux Process Code Injection Via DD Utility test
Sigma Potential Pikabot Hollowing Activity test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Process Hollowing Activity test
Elastic Potential Process Injection from Malicious Document production building block
Sigma Potential Process Injection Via Msra.EXE test
Elastic Potential Process Injection via PowerShell production
Sigma Potential Shellcode Injection test
Elastic Potential Sudo Token Manipulation via Process Injection production
Splunk Powershell DLL_EXE Injection (PowerShell)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell Fileless Process Injection via GetProcAddress production
Splunk PowerShell PInvoke Process Injection API Chain production
Splunk Powershell Remote Thread To Known Windows Process production
Sigma PowerShell ShellCode test
Elastic Privilege Escalation via GDB CAP_SYS_PTRACE production
Sigma Process Creation Using Sysnative Folder test
Splunk Process Executed with Null Command Line (Sysmon)
Splunk Process Executed with Null Command Line (Windows Event Log)
Elastic Process Injection - Detected - Elastic Endgame production
Elastic Process Injection - Prevented - Elastic Endgame production
Elastic Process Injection by the Microsoft Build Engine production
Kusto Process Injection From Untrusted Process
Kusto Process Injection Initiated By MMC
Splunk Rare Remote Thread (Sysmon)
Sigma Rare Remote Thread Creation By Uncommon Source Image test
Sigma RedSun - Named Pipe Created experimental
Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
Splunk Remote Thread Created by Uncommon Process (Sysmon)
Sigma Remote Thread Created In Shell Application test
Sigma Remote Thread Creation By Uncommon Source Image test
Sigma Remote Thread Creation In Uncommon Target Image test
Splunk Remote Thread from Suspicious Folder (Sysmon)
Sigma Renamed Mavinject.EXE Execution test
Sigma Renamed ZOHO Dctask64 Execution test
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production
Splunk Rundll32 Create Remote Thread To A Process production
Splunk Rundll32 CreateRemoteThread In Browser production
Splunk SearchProtocolHost with no Command Line with Network production
Kusto Solorigate Named Pipe
Sigma Suspect Svchost Activity test
Elastic Suspicious .NET Reflection via PowerShell production
Splunk Suspicious Child Process for lsass.exe (Sysmon)
Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
Sigma Suspicious Child Process Of Wermgr.EXE test
Elastic Suspicious Communication App Child Process production
Splunk Suspicious DLLHost no Command Line Arguments production
Elastic Suspicious Endpoint Security Parent Process production
Splunk Suspicious GPUpdate no Command Line Arguments production
Elastic Suspicious Managed Code Hosting Process production
Kusto Suspicious named pipes available
Elastic Suspicious Outlook Child Process production building block
Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
Elastic Suspicious Portable Executable Encoded in Powershell Script production
Elastic Suspicious Process Access via Direct System Call production
Elastic Suspicious Process Creation CallTrace production
Sigma Suspicious Rundll32 Invoking Inline VBScript test
Splunk Suspicious SearchProtocolHost no Command Line Arguments production
Sigma Suspicious Userinit Child Process test
Elastic Suspicious Zoom Child Process production
Sigma TAIDOOR RAT DLL Load test
Splunk Trickbot Named Pipe production
Sigma Uncommon Process Access Rights For Target Image test
Sigma Uncommon Svchost Command Line Parameter experimental
Splunk Unexpected Network Connection from System Process (Sysmon)
Splunk Unexpected Network Connection from System Process (Windows Event Log)
Elastic Unusual Child Process from a System Virtual Process production
Elastic Unusual Linux Network Activity production
Elastic Unusual Parent-Child Relationship production
Elastic Unusual Service Host Child Process - Childless Service production
Splunk Unusual svchost Child Process (Sysmon)
Splunk Unusual svchost Child Process (Windows Event Log)
Elastic Unusual Windows Network Activity production
Splunk Windows List ENV Variables Via SET Command From Uncommon Parent production
Splunk Windows Process Injection In Non-Service SearchIndexer production
Splunk Windows Process Injection into Commonly Abused Processes production
Splunk Windows Process Injection into Notepad production
Splunk Windows Process Injection Of Wermgr to Known Browser production
Splunk Windows Process Injection Remote Thread production
Splunk Windows Process Injection Wermgr Child Process production
Splunk Windows Process Injection With Public Source Path production
Splunk Windows Process With NamedPipe CommandLine production
Splunk Windows PUA Named Pipe production
Splunk Windows Rasautou DLL Execution production
Splunk Windows Remote Assistance Spawning Process production
Splunk Windows RMM Named Pipe production
Splunk Windows Suspicious C2 Named Pipe production
Splunk Windows Suspicious Named Pipe production
Splunk Winhlp32 Spawning a Process production
Splunk Wscript Or Cscript Suspicious Child Process production

Process Injection: Dynamic-link Library Injection T1055.001 21 rules

Sigma CreateRemoteThread API and LoadLibrary test
Sigma HackTool - Potential CobaltStrike Process Injection test
Splunk Loading Of Dynwrapx Module production
Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Mavinject Inject DLL Into Running Process test
Splunk Potential CVE-2023-23397 (EDR)
Splunk Potential CVE-2023-23397 (Sysmon)
Splunk Potential CVE-2023-23397 (Windows Event Log)
Sigma Potential DLL Injection Or Execution Using Tracker.exe test
Elastic Potential Process Injection via PowerShell production
Splunk Powershell DLL_EXE Injection (PowerShell)
Splunk PowerShell PInvoke Process Injection API Chain production
Sigma Renamed Mavinject.EXE Execution test
Sigma Renamed ZOHO Dctask64 Execution test
Elastic Suspicious .NET Reflection via PowerShell production
Sigma TAIDOOR RAT DLL Load test
Splunk Windows Process Injection Of Wermgr to Known Browser production
Splunk Windows Rasautou DLL Execution production

Process Injection: Portable Executable Injection T1055.002 8 rules

Kusto ADWS Connection from Process Injection Target
Elastic Potential Process Injection via PowerShell production
Kusto Process Injection From Untrusted Process
Elastic Suspicious .NET Reflection via PowerShell production
Splunk Windows Process Injection into Commonly Abused Processes production
Splunk Windows Process Injection into Notepad production
Splunk Windows Process Injection Remote Thread production
Splunk Windows Process Injection With Public Source Path production

Process Injection: Thread Execution Hijacking T1055.003 4 rules

Sigma HackTool - LittleCorporal Generated Maldoc Injection test
Elastic Potential Process Injection via PowerShell production
Splunk PowerShell PInvoke Process Injection API Chain production
Sigma Remote Thread Creation In Uncommon Target Image test

Process Injection: Asynchronous Procedure Call T1055.004 2 rules

Elastic Potential Process Injection via PowerShell production
Splunk PowerShell PInvoke Process Injection API Chain production

Process Injection: Ptrace System Calls T1055.008 4 rules

Elastic Linux Process Hooking via GDB production
Elastic Potential Sudo Token Manipulation via Process Injection production
Elastic Privilege Escalation via GDB CAP_SYS_PTRACE production
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production

Process Injection: Proc Memory T1055.009 2 rules

Sigma ASLR Disabled Via Sysctl or Direct Syscall - Linux experimental
Sigma Potential Linux Process Code Injection Via DD Utility test

Process Injection: Extra Window Memory Injection T1055.011 1 rule

Sigma Uncommon Process Access Rights For Target Image test

Process Injection: Process Hollowing T1055.012 10 rules

Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - HollowReaper Execution experimental
Sigma Potential Pikabot Hollowing Activity test
Sigma Potential Process Hollowing Activity test
Splunk PowerShell PInvoke Process Injection API Chain production
Elastic Suspicious Endpoint Security Parent Process production
Elastic Suspicious Process Creation CallTrace production
Sigma Uncommon Svchost Command Line Parameter experimental
Elastic Unusual Parent-Child Relationship production
Elastic Unusual Service Host Child Process - Childless Service production

Process Injection: Process Doppelgänging T1055.013 1 rule

Splunk PowerShell PInvoke Process Injection API Chain production

Exploitation for Privilege Escalation T1068 145 rules

Elastic Anomalous Linux Compiler Activity production
Sigma Audit CVE Event test
Panther Azure Automation Schedule Created or Modified
Sigma Buffer Overflow Attempts test
Splunk Child Processes of Spoolsv exe experimental
Splunk Cisco Isovalent - Kprobe Spike production
Sigma Computer account created with privileges experimental
Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
Splunk Consent.exe Suspicious Child Process (Sysmon)
Splunk Consent.exe Suspicious Child Process (Windows Event Log)
Kusto CTERA Mass Permissions Changes Detection Analytic available
Elastic Deprecated - Sudo Heap-Based Buffer Overflow Attempt production
Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
Splunk Detect Baron Samedit CVE-2021-3156 experimental
Splunk Detect Baron Samedit CVE-2021-3156 Segfault experimental
Splunk Detect Baron Samedit CVE-2021-3156 via OSQuery experimental
Kusto Detect CVE exploits on network for which a device is vulnerable
Kusto Detect LolDriver drop or load from unknown or unsigned process
Splunk Driver as Command Parameter (Windows Event Log)
Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
Kusto Dynatrace Application Security - Attack detection available
Kusto Email access via active sync
Splunk Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Sysmon)
Splunk Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Windows Event Log)
Elastic Expired or Revoked Driver Loaded production
Elastic Exploit - Detected - Elastic Endgame production
Elastic Exploit - Prevented - Elastic Endgame production
Sigma Exploiting CVE-2019-1388 stable
Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
Splunk First Time Seen Child Process of Zoom experimental
Elastic First Time Seen Driver Loaded production
Kusto GitHub Security Vulnerability in Repository
Kusto Google DNS - CVE-2020-1350 (SIGRED) exploitation pattern
Kusto Google DNS - CVE-2021-34527 (PrintNightmare) external exploit
Kusto Google DNS - CVE-2021-40444 exploitation
YARA-L Hacktool - SharpSuccessor Execution
Sigma HackTool - SysmonEOP Execution test
Sigma HKTL - SharpSuccessor Privilege Escalation Tool Execution experimental
Sigma InstallerFileTakeOver LPE CVE-2021-41379 File Create Event test
Sigma Kerberos ticket without a trailing $ (CVE-2021-42278/42287) experimental
Splunk Kernel Service Installed - Windows (Windows Event Log)
Panther Kubernetes Pod with Dangerous Linux Capabilities
Splunk Linux Auditd Copy Fail Privilege Escalation production
Splunk Linux pkexec Privilege Escalation production
Sigma Linux Sudo Chroot Execution experimental
Sigma macOS Setuid/Setgid Privilege Escalation experimental
Sigma Malicious Driver Load test
Sigma Malicious Driver Load By Name test
Kusto McAfee ePO - Threat was not blocked available
Splunk Microsoft SharePoint Server Elevation of Privilege production
Elastic Modification of the msPKIAccountCredentials production
Sigma Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation experimental
Sigma OMIGOD HTTP No Authentication RCE - CVE-2021-38647 stable
Sigma OMIGOD SCX RunAsProvider ExecuteScript test
Sigma OMIGOD SCX RunAsProvider ExecuteShellCommand test
Elastic Persistence via Update Orchestrator Service Hijack production
Sigma Possible Coin Miner CPU Priority Param test
Elastic Potential Buffer Overflow Attack Detected production
Elastic Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket production
Sigma Potential CVE-2021-41379 Exploitation Attempt test
Sigma Potential CVE-2024-35250 Exploitation Activity experimental
Elastic Potential CVE-2025-32463 Nsswitch File Creation production
Elastic Potential CVE-2025-32463 Sudo Chroot Execution Attempt production
Elastic Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt production
Elastic Potential Escalation via Vulnerable MSI Repair production
Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
Sigma Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800 test
Elastic Potential privilege escalation via CVE-2022-38028 production
Elastic Potential Privilege Escalation via CVE-2023-4911 production
Elastic Potential Privilege Escalation via Enlightenment production
Elastic Potential Privilege Escalation via InstallerFileTakeOver production
Elastic Potential Privilege Escalation via Linux DAC permissions production
Elastic Potential Privilege Escalation via PKEXEC production
Elastic Potential Privilege Escalation via Python cap_setuid production
Elastic Potential Privilege Escalation via Recently Compiled Executable production
Elastic Potential Privilege Escalation via SUID/SGID Proxy Execution production
Elastic Potential Privilege Escalation via unshare and UID Change production
Elastic Potential Privilege Escalation via unshare Followed by Root Process production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Potential Shadow File Read via Command Line Utilities production
Elastic Potential Shell via Wildcard Injection Detected production
Elastic Potential snap-confine Privilege Escalation via CVE-2026-3888 production
Elastic Potential Sudo Privilege Escalation via CVE-2019-14287 production
Sigma Potential SystemNightmare Exploitation Attempt test
Elastic Potential Telnet Authentication Bypass (CVE-2026-24061) production
Elastic Potential Unauthorized Access via Wildcard Injection Detected production
Kusto Power Platform - Account added to privileged Microsoft Entra roles available
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
Elastic Privilege Escalation via CAP_SETUID/SETGID Capabilities production
Elastic Privilege Escalation via GDB CAP_SYS_PTRACE production
Elastic Privilege Escalation via SUID/SGID production
Sigma Privilege SeMachineAccountPrivilege abuse experimental
Sigma Process Explorer Driver Creation By Non-Sysinternals Binary test
Sigma Process Monitor Driver Creation By Non-Sysinternals Binary test
Kusto Rare application consent available
Elastic Remote Computer Account DnsHostName Update production
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production
Kusto Semperis DSP Zerologon vulnerability available
Kusto Silverfort - Certifried Incident
Kusto Silverfort - NoPacBreach Incident
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in host-based traffic production
Elastic Spike in Special Logon Events production
Elastic Spike in Special Privilege Use Events production
Elastic Spike in User Account Management Events production
Splunk Spoolsv Suspicious Process Access production
Sigma Sudo Privilege Escalation CVE-2019-14287 test
Sigma Sudo Privilege Escalation CVE-2019-14287 - Builtin test
Splunk Suspicious .sys Created - Windows (Sysmon)
Elastic Suspicious Child Process of Adobe Acrobat Reader Update Service production
Sigma Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) experimental
Elastic Suspicious Passwd File Event Action production
Elastic Suspicious Print Spooler File Deletion production
Elastic Suspicious Print Spooler Point and Print DLL production
Elastic Suspicious Print Spooler SPL File Created production
Sigma Suspicious Spool Service Child Process test
Sigma Suspicious Sysmon as Execution Parent test
Elastic Telnet Authentication Bypass via User Environment Variable production
Elastic Unsigned DLL loaded by DNS Service production
Elastic Unusual Executable File Creation by a System Critical Process production
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Print Spooler Child Process production
Elastic Unusual Privilege Type assigned to a User production
Elastic Unusual Spike in Concurrent Active Sessions by a User production
Splunk VMWare Aria Operations Exploit Attempt production
Sigma Vulnerable Driver Load test
Sigma Vulnerable Driver Load By Name test
Splunk Windows Driver Inventory production
Splunk Windows Driver Load Non-Standard Path production
Splunk Windows Drivers Loaded by Signature production
Splunk Windows MSI Rollback Script Deleted By Non-Msiexec Process production
Splunk Windows Potato Privilege Escalation Tool Execution production
Splunk Windows Privilege Escalation Attempt Via MSI Rollback production
Splunk Windows Privilege Escalation Suspicious Process Elevation production
Splunk Windows Privilege Escalation System Process Without System Parent production
Splunk Windows Privilege Escalation User Process Spawn System Process production
Splunk Windows Remote Image Load production
Splunk Windows Service Create Kernel Mode Driver production
Splunk Windows System File on Disk production
Sigma XPC Privilege Escalation Attempt experimental
Splunk ZeroLogon CVE-2020-1472 (Windows Event Log)

Valid Accounts T1078 728 rules

Panther A Login from Outside the Corporate Office
Elastic Access to a Sensitive LDAP Attribute production
Kusto Account added and removed from privileged groups
Kusto Account Created and Deleted in Short Timeframe available
Sigma Account Created And Deleted Within A Close Time Frame test
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Elastic Account Discovery Command via SYSTEM Account production
Kusto Account Elevated to New Role
Sigma Account renamed to admin (or likely) account to evade defense experimental
Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Account Tampering - Suspicious Failed Logon Reasons test
Kusto Acronis - Login from Abnormal IP - Low Occurrence
Sigma Activity From Anonymous IP Address test
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Panther Admin Role Assigned
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Kusto AdminSDHolder Modifications
Elastic AdminSDHolder SDProp Exclusion Added production
Kusto Anomalous login followed by Teams action
Kusto Anomalous sign-in location by user account and authenticating application available
Kusto Anomalous Single Factor Signin
Kusto Anomaly Sign In Event from an IP
Kusto ApexOne - Device access permissions was changed available
Elastic Apple Scripting Execution with Administrator Privileges production
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Sigma Application Using Device Code Authentication Flow test
Sigma Applications That Are Using ROPC Authentication Flow test
Panther AppOmni Alert Passthrough
Splunk ASL AWS Create Policy Version to allow all resources production
Splunk ASL AWS SAML Update identity provider production
Kusto Attempt to bypass conditional access rule in Microsoft Entra ID available
Elastic Attempt to Enable the Root Account production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Attempts to sign in to disabled accounts available
Sigma Atypical Travel test
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Sigma Authentications To Important Apps Using Single Factor Authentication test
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Panther AWS Backdoor Administrative IAM Role Created
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Splunk AWS Bedrock Invoke Model Access Denied production
Elastic AWS CloudShell Environment Created production
Panther AWS CloudTrail Password Spraying Experimental
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
Panther AWS GuardDuty Critical Severity Finding
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Panther AWS IAM Group Users
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Panther AWS IAM Policy Administrative Privileges
Panther AWS IAM Policy Assigned to User
Panther AWS IAM Policy Blocklist
Panther AWS IAM Policy Does Not Grant Any Administrative Access
Panther AWS IAM Policy Does Not Grant Network Admin Access
Panther AWS IAM Resource Does Not Have Inline Policy
Panther AWS IAM Role Restricts Usage
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Panther AWS IAM User Not In Conflicting Groups
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Key Pair Import Activity experimental
Elastic AWS Management Console Root Login production
Panther AWS Potential Backdoor Lambda Function Through Resource-Based Policy Experimental
Elastic AWS Rare Source AS Organization Activity production
Panther AWS Root Account Hardware MFA
Panther AWS Root Account MFA
Sigma AWS Root Credentials test
YARA-L AWS SAML Identity Provider Changes
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SAML Update identity provider production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
YARA-L AWS Successful Login After Multiple Failed Attempts
Splunk AWS Successful Single-Factor Authentication production
Sigma AWS Suspicious SAML Activity test
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Panther AWS.Administrative.IAM.User.Created
Kusto AWSCloudTrail - Changes to Amazon VPC settings available
Kusto AWSCloudTrail - Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - NRT Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - SAML update identity provider available
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple AppIDs and UserAgents Authentication Spike production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Sigma Azure AD Threat Intelligence test
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Elastic Azure Automation Account Created production
Panther Azure Automation Account Created
Panther Azure Device Code Authentication with Broker Client
Sigma Azure Domain Federation Settings Modified test
Panther Azure High-Risk Sign-In
Panther Azure Invite External Users
Sigma Azure Kubernetes Admission Controller test
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Sigma Azure Login Bypassing Conditional Access Policies experimental
Kusto Azure Machine Learning Write Operations available
Panther Azure Many Failed SignIns
Panther Azure MFA Disabled
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Protection Multiple Alerts for User
Kusto Azure RBAC (Elevate Access)
Panther Azure RiskLevel Passthrough
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Azure Subscription Permission Elevation Via AuditLogs test
Sigma Azure Unusual Authentication Interruption test
Sigma Azure Windows virtual machine login via serial console experimental
Sigma Bitbucket User Login Failure test
Kusto Bitglass - Impossible travel distance available
Kusto Bitglass - Login from new device available
Kusto Bitglass - New admin user available
Kusto Bitglass - New risky user available
Kusto Bitglass - User Agent string has changed for user available
Kusto Bitglass - User login from new geo location available
Sigma Bitlocker Key Retrieval test
Kusto Box - Inactive user login available
Kusto Box - New external user available
Kusto Box - User logged in as admin available
Kusto Box - User role changed to owner available
Panther Box New Login
Panther Box Shield Suspicious Alert Triggered
Panther Box Untrusted Device Login
Sigma Brutforce with denied access due to account restrictions policies experimental
Kusto BTP - Build Work Zone unauthorized access and role tampering available
Kusto BTP - User added to Cloud Identity Service privileged Administrators list available
Kusto BTP - User added to sensitive privileged role collection available
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Kusto Cisco - firewall block but success logon to Microsoft Entra ID
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Sigma Cisco BGP Authentication Failures test
Kusto Cisco Duo - Admin password reset available
Kusto Cisco Duo - Admin user created available
Kusto Cisco Duo - Authentication device new location available
Kusto Cisco Duo - Multiple admin 2FA failures available
Kusto Cisco Duo - Multiple user login failures available
Kusto Cisco Duo - New access device available
Kusto Cisco Duo - Unexpected authentication factor available
Splunk Cisco IOS Suspicious Privileged Account Creation production
Splunk Cisco IOS XE WebUI Login From IOSd Local Port production
Splunk Cisco IOS XE WebUI Programmatic Configuration production
Sigma Cisco LDP Authentication Failures test
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cloud API Calls From Previously Unseen User Roles production
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Splunk Cloud Provisioning Activity From Previously Unseen City production
Splunk Cloud Provisioning Activity From Previously Unseen Country production
Splunk Cloud Provisioning Activity From Previously Unseen IP Address production
Splunk Cloud Provisioning Activity From Previously Unseen Region production
Panther CloudTrail Password Spraying Deprecated
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Kusto Conditional Access - A Conditional Access user/group/role exclusion has changed
Kusto Conditional Access Policy Modified by New User
Sigma Console Login With MFA test
Sigma Console Login Without MFA test
Kusto Copilot - Jailbreak Attempt Detected available
Kusto Correlate Unfamiliar sign-in properties & atypical travel alerts available
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Elastic CyberArk Privileged Access Security Error production
Panther Databricks Attempted Logon From Denied IP Experimental
Panther Databricks Delta Sharing IP Access Failures Experimental
Panther Databricks Employee Logon Experimental
Panther Databricks Non-SSO Login Detected Experimental
Panther Databricks Potential Privilege Escalation Experimental
Panther Databricks Repeated Failed Login Attempts Experimental
Kusto Dataverse - Hierarchy security manipulation available
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New Dataverse application user activity type available
Kusto Dataverse - New non-interactive identity granted access available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used before available
Kusto Dataverse - Organization settings modified available
Kusto Dataverse - TI map IP to DataverseActivity available
Elastic Delegated Managed Service Account Modification by an Unusual User production
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Splunk Detect Excessive Account Lockouts From Endpoint production
Splunk Detect Excessive User Account Lockouts production
Kusto Detect PIM Alert Disabling activity
Kusto Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
Sigma Device Registration or Join Without MFA test
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Kusto EatonForeseer - Unauthorized Logins available
Kusto Elevation of Privilege attempt detected available
Kusto Email access via active sync
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID External Guest User Invited production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Splunk ESXi Account Modified production
Splunk ESXi External Root Login Activity production
Splunk ESXi Shared or Stolen Root Account production
Splunk ESXi User Granted Admin Role production
Elastic Execution with Explicit Credentials via Scripting production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Elastic External User Added to Google Workspace Group production
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Kusto F&O - Unusual sign-in activity using single factor authentication available
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Kusto Failed AWS Console logons but success logon to AzureAD
Kusto Failed AzureAD logons but success logon to AWS Console
Kusto Failed AzureAD logons but success logon to host
Kusto Failed host logons but success logon to AzureAD
Sigma Failed Logon From Public IP test
Kusto Failed sign-ins into LastPass due to MFA available
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Account Performing DCSync production
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic First-Time FortiGate Administrator Login production
Elastic FortiGate Administrator Login from Multiple IP Addresses production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Elastic FortiGate SSL VPN Login Followed by SIEM Alert by User production
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Detect gcploit framework experimental
Kusto GCP IAM - High privileged role added to service account available
Elastic GCP IAM Custom Role Creation production
Panther GCP IAM Role Has Changed
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Splunk Geographic Improbable Location experimental
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Kusto GitHub - A payment method was removed available
Kusto GitHub - Oauth application - a client secret was removed available
Kusto GitHub - pull request was created available
Kusto GitHub - pull request was merged available
Kusto GitHub - Repository was created available
Kusto GitHub - Repository was destroyed available
Kusto GitHub - User visibility Was changed available
Kusto GitHub - User was added to the organization available
Kusto GitHub - User was blocked available
Kusto GitHub - User was invited to the repository available
Kusto GitHub Activites from a New Country available
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Panther GitHub User Access Key Created
Kusto GitLab - TI - Connection from Malicious IP available
Kusto GitLab - User Impersonation available
Sigma Google Cloud Kubernetes Admission Controller test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Sigma Google Workspace Government Attack Warning experimental
Elastic Google Workspace Login Flagged Suspicious production building block
YARA-L Google Workspace SAML IDP Configuration Change
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Group created then added to built in domain local or global group
Kusto GSA - Detect Connections Outside Operational Hours available
Panther GSuite Login Type
Sigma Guest Account Enabled Via Sysadminctl test
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Sigma Guest Users Invited To Tenant By Non Approved Inviters test
Elastic High Command Line Entropy Detected for Privileged Commands production
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Kusto High-Risk Cross-Cloud User Impersonation
Sigma Huawei BGP Authentication Failures test
Kusto Hunt for critical credentials on devices with non-critical accounts
Kusto Hunt for privilege escalation paths with high ACLs
Panther IAM Administrator Role Policy Attached
Panther IAM Inline Policy Network Admin
Panther IAM Role Created
Panther IAM Role Policy Updated to Allow Internet Access
Panther IAM User Created
Panther IAM User Policy Attached with Administrator Access
Kusto Illusive Incidents Analytic Rule available
Sigma Impossible Travel test
Panther Impossible Travel for Login Action
Sigma Increased Failed Authentications Of Any Type test
Sigma Invalid PIM License test
Kusto IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
Kusto Jira - Global permission added available
Kusto Jira - New site admin user available
Kusto Jira - New site admin user available
Kusto Jira - New user created available
Kusto Jira - User's password changed multiple times available
Sigma Juniper BGP Missing MD5 test
Elastic Kerberos Pre-authentication Disabled for User production
Elastic Kubeconfig File Creation or Modification production
Sigma Kubernetes Admission Controller Modification test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Elastic Kubernetes Unusual Decision by User Agent production
Panther Lambda Code Updated by User Experimental
Panther Lambda Configuration Updated with Layers by User
Sigma Lateral movement detection (based on "special groups" feature) experimental
Sigma Login to Disabled Account test
YARA-L Logins From Terminated Employees
Panther Logins Without MFA
Panther Logins Without SAML
Sigma Logon from a Risky IP Address test
Splunk M365 Copilot Application Usage Pattern Anomalies production
Splunk M365 Copilot Session Origin Anomalies production
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Elastic M365 or Entra ID Identity Sign-in from a Suspicious Source production
Kusto M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity
Sigma macOS Authentication Events experimental
Sigma macOS SSH Connection Detection experimental
Sigma macOS Sudo Privilege Escalation Attempts experimental
Kusto Malicious BEC Inbox Rule
Kusto Malicious Inbox Rule available
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma Measurable Increase Of Successful Authentications test
Kusto MFA Rejected by User available
Sigma Microsoft 365 - Impossible Travel Activity test
Kusto Microsoft Entra ID PowerShell accessing non-Entra ID resources available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Splunk Multiple Host logons (Windows Event Log)
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Kusto Multiple Password Reset by user
Kusto Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) available
Sigma Network login performed to multiple targets experimental
Sigma New Country test
Kusto New country signIn with correct password
Kusto New Device/Location sign-in along with critical operation available
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto New user created and added to the built-in administrators group
Kusto Non-admin guest available
Kusto NRT Malicious Inbox Rule
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
Kusto NRT User added to Microsoft Entra ID Privileged Groups available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Multiple AppIDs and UserAgents Authentication Spike production
Splunk O365 Security And Compliance Alert Triggered production
Panther Okta AD Agent Authentication Anomaly - Z-Score Detection Experimental
Elastic Okta Admin Console Login Failure production building block
Panther Okta Admin Role Assigned
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Panther Okta Login Without Push
YARA-L Okta Multiple User's Logins With Invalid Credentials From The Same IP
Sigma Okta New Admin Console Behaviours test
YARA-L Okta New API Token Created
Splunk Okta New API Token Created production
Splunk Okta Non-Standard VPN Usage experimental
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Risk Threshold Exceeded production
Elastic Okta Sign-In Events via Third-Party IdP production
YARA-L Okta Successful High Risk User Logins
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta Suspicious Activity Reported production
Panther Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral Experimental
Panther Okta SWA Off-Hours Credential Access - Behavioral Experimental
Splunk Okta ThreatInsight Threat Detected production
YARA-L Okta User Account Lockout
YARA-L Okta User Login Out Of Hours
YARA-L Okta User Logins From Multiple Cities
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L Okta User Suspicious Activity Reported
Panther OneLogin High Risk Failed Login FOLLOWED BY Successful Login
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Panther OpenAI Admin Role Assignment
Panther OpenAI Anomalous API Key Activity
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - Telnet Login Attempt test
Kusto OracleDBAudit - Connection to database from external IP available
Kusto OracleDBAudit - Connection to database from unknown IP available
Kusto OracleDBAudit - New user account available
Kusto OracleDBAudit - User activity after long inactivity time available
Kusto OracleDBAudit - User connected to database from new IP available
Kusto Palo Alto Prisma Cloud - Access keys are not rotated for 90 days available
Kusto Palo Alto Prisma Cloud - Anomalous access key usage available
Kusto Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions available
Kusto Palo Alto Prisma Cloud - Inactive user available
Sigma Password Provided In Command Line Of Net.EXE test
Sigma Password Reset By User Account test
Kusto Pathlock TDnR - Emergency User (AdminTrack) Activity available
Kusto Pathlock TDnR - Multiple Login Sessions Detected available
Kusto Pathlock TDnR - SAP Cloud Account Administration Events available
Kusto Pathlock TDnR - SAP HANA Database Audit Trail available
Kusto Pathlock TDnR - User Access Management Password Resets available
Sigma PIM Alert Setting Changes To Disabled test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Ping Federate - Abnormal password resets for user available
Kusto Ping Federate - Authentication from new IP. available
Kusto Ping Federate - Forbidden country available
Kusto Ping Federate - New user SSO success login available
Kusto Ping Federate - Password reset request from unexpected source IP address.. available
Kusto Ping Federate - Unexpected authentication URL. available
Kusto Ping Federate - Unexpected country for user available
Kusto Ping Federate - Unusual mail domain. available
Splunk PingID Multiple Failed MFA Requests For User production
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Elastic Potential Account Takeover - Logon from New Source IP production
Elastic Potential Account Takeover - Mixed Logon Types production
Elastic Potential Admin Group Account Addition production
Panther Potential Compromised Okta Credentials
Elastic Potential Credential Access via DCSync production
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Impersonation Attempt via Kubectl production
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Splunk Potential password in username production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Kusto Potential Ransomware activity related to Cobalt Strike available
Elastic Potential Successful SSH Brute Force Attack production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Kusto Power Apps - App activity from unauthorized geo available
Kusto Power Platform - Account added to privileged Microsoft Entra roles available
Kusto Power Platform - Possibly compromised user accesses Power Platform services available
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto ProofpointPOD - Binary file in attachment available
Kusto ProofpointPOD - Email sender in TI list
Kusto ProofpointPOD - Email sender IP in TI list
Kusto ProofpointPOD - Possible data exfiltration to private email available
Elastic Rare User Logon production
Sigma RDP reconnaissance with valid credentials performed on multiple hosts experimental
Kusto RecordedFuture Threat Hunting Url All Actors
Kusto Red Sift - Login from previously unseen IP address available
Sigma Refresh Token Exchange from Excessive Locations experimental
Sigma Refresh Token Exchange from Multiple User Agents experimental
Sigma Refresh Token Reuse Detection experimental
Elastic Remote Computer Account DnsHostName Update production
Sigma Roles Activated Too Frequently test
Sigma Roles Activation Doesn't Require MFA test
Sigma Roles Are Not Being Used test
Sigma Roles Assigned Outside PIM test
Panther Root Account Activity
Sigma Root Account Enable Via Dsenableroot test
Panther Root Console Login
Splunk Rubeus Password Change (Windows Event Log)
Panther Salesforce API Anomaly Detection (RET Passthrough)
YARA-L sap break glass account login
YARA-L sap impossible travel
YARA-L sap multi terminal logon
Kusto Semperis DSP Failed Logons available
Kusto Sentinel One - Admin login from new location available
Kusto Sentinel One - New admin created available
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Kusto Service principal not using client credentials available
Splunk Short Lived Windows Accounts production
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts available
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Sigma Sign-ins from Non-Compliant Devices test
Kusto SlackAudit - User email linked to account changed. available
Kusto SlackAudit - User login after deactivated. available
Kusto SlackAudit - User role changed to admin or owner available
Kusto Snowflake - Multiple login failures by user available
Kusto Snowflake - Multiple login failures from single IP available
Kusto Snowflake - User granted admin privileges available
Panther Snowflake Account Admin Granted
Panther Snowflake Account Admin Granted
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in Logon Events production
Elastic Spike in Privileged Command Execution by a User production
Elastic Spike in Special Logon Events production
Elastic Spike in Special Privilege Use Events production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Spike in User Account Management Events production
Elastic Spike in User Lifecycle Management Change Events production
Sigma SQL Server - Connection attempt using a disabled account experimental
Sigma Stale Accounts In A Privileged Role test
Kusto StealthTalk - After hours work available
Kusto StealthTalk - Login outside work zone available
Kusto StealthTalk - Multi new devices registration available
Sigma Success login attempt on a Windows OpenSSH server experimental
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Successful AWS Console Login from IP Address Observed Conducting Password Spray
Kusto Successful logins to SOC Prime platform from bad IP addresses available
Kusto Successful logon from IP and failure from a different IP available
Elastic Successful SSH Authentication from Unusual IP Address production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Elastic Suspicious Activity Reported by Okta User production
Kusto Suspicious AWS console logins by credential access alerts
Sigma Suspicious Browser Activity test
Splunk Suspicious Computer Account Name Change production
Sigma Suspicious Computer Machine Password by PowerShell test
Splunk Suspicious Kerberos Service Ticket Request production
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Sigma Suspicious Remote Logon with Explicit Credentials test
Kusto Suspicious Service Principal creation activity available
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Sigma Suspicious SignIns From A Non Registered Device test
Splunk Suspicious Ticket Granting Ticket Request production
Kusto Suspicious VM Instance Creation Activity Detected
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available
Kusto Threat Essentials - User Assigned Privileged Role available
Sigma Too Many Global Admins test
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Sigma Unfamiliar Sign-In Properties test
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Host Name for Windows Privileged Operations Detected production
Elastic Unusual Hour for a User to Logon production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Linux Username production
Elastic Unusual Login via System User production
Splunk Unusual Number of Computer Service Tickets Requested experimental
Splunk Unusual Number of Remote Endpoint Authentication Events experimental
Elastic Unusual Privilege Type assigned to a User production
Elastic Unusual Process Detected for Privileged Commands by a User production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Windows Privileged Operations Detected production
Elastic Unusual Source IP for a User to Logon from production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Windows Privileged Operations Detected production
Elastic Unusual Spike in Concurrent Active Sessions by a User production
Elastic Unusual Windows Remote User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User account added to built in domain local or global group
Kusto User account created and deleted within 10 mins
Kusto User account enabled and disabled within 10 mins
Kusto User Accounts - Sign in Failure due to CA Spikes available
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Kusto User Added to Admin Role
Sigma User Added to an Administrator's Azure AD Role test
Sigma User Added to Local Administrator Group stable
Kusto User added to Microsoft Entra ID Privileged Groups available
Sigma User Added To Privilege Role test
Elastic User Added to the Admin Group production
Kusto User Assigned New Privileged Role available
Kusto User joining Zoom meeting from suspicious timezone
Panther User Logged in wihout MFA
Kusto User Login from Different Countries within 3 hours available
Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
Kusto User Sign in from different countries available
Sigma User State Changed From Guest To Member test
Kusto UserAccountDisabled available
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Kusto Valimail Enforce - High-Value User Management Event available
Kusto Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available
Kusto vCenter - Root impersonation available
Kusto VMware ESXi - Multiple new VMs started available
Kusto VMware ESXi - New VM started available
Kusto VMware ESXi - Root impersonation available
Kusto VMware ESXi - Root login available
Kusto VMware ESXi - Root password changed available
Kusto VMware ESXi - Shared or stolen root account available
Kusto VMware vCenter - Root login available
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows Group Policy Object Created production
Splunk Windows Guest Account Enabled Via Net.EXE production
Splunk Windows Large Number of Computer Service Tickets Requested production
Splunk Windows Multiple Account Passwords Changed production
Splunk Windows Multiple Accounts Deleted production
Splunk Windows Multiple Accounts Disabled production
Splunk Windows PowerView AD Access Control List Enumeration production
Splunk WMIC Explicit Credentials (Sysmon)
Splunk WMIC Explicit Credentials (Windows Event Log)
Kusto Workspace deletion activity from an infected device
Panther Zendesk Account Owner Changed
Panther Zendesk Mobile App Access Modified
Splunk Zoom High Video Latency experimental
Kusto Zscaler - Connections by dormant user available
Kusto Zscaler - Shared ZPA session available
Kusto Zscaler - Unexpected event count of rejects by policy available
Kusto Zscaler - Unexpected ZPA session duration available
Kusto Zscaler - ZPA connections by new user available
Kusto Zscaler - ZPA connections from new IP available

Valid Accounts: Default Accounts T1078.001 15 rules

Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Admin User Remote Logon test
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Sigma Guest Account Enabled Via Sysadminctl test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Splunk Okta New API Token Created production
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Suspicious Activity Reported production
Sigma Root Account Enable Via Dsenableroot test
Panther Snowflake Grant to Public Role
Splunk Windows Guest Account Enabled Via Net.EXE production

Valid Accounts: Domain Accounts T1078.002 28 rules

Elastic Access to a Sensitive LDAP Attribute production
Sigma Account renamed to admin (or likely) account to evade defense experimental
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Elastic AdminSDHolder SDProp Exclusion Added production
Elastic Delegated Managed Service Account Modification by an Unusual User production
Splunk Detect Excessive Account Lockouts From Endpoint production
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Elastic First Time Seen Account Performing DCSync production
Kusto High-Risk Cross-Cloud User Impersonation
Elastic Kerberos Pre-authentication Disabled for User production
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic Potential Credential Access via DCSync production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Rare User Logon production
Elastic Remote Computer Account DnsHostName Update production
Elastic Spike in Special Logon Events production
Elastic Spike in Successful Logon Events from a Source IP production
Splunk Suspicious Computer Account Name Change production
Splunk Suspicious Kerberos Service Ticket Request production
Splunk Suspicious Ticket Granting Ticket Request production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Splunk Windows Group Policy Object Created production
Splunk Windows PowerView AD Access Control List Enumeration production

Valid Accounts: Local Accounts T1078.003 23 rules

Elastic Account Discovery Command via SYSTEM Account production
Sigma Admin User Remote Logon test
Elastic Attempt to Enable the Root Account production
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Splunk Detect Excessive User Account Lockouts production
Elastic Mounting Hidden or WebDav Remote Shares production
Elastic Potential Admin Group Account Addition production
Elastic Potential Hidden Local User Account Creation production
Splunk Potential password in username production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Rare User Logon production
Sigma Root Account Enable Via Dsenableroot test
Splunk Short Lived Windows Accounts production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Login via System User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Elastic User Added to the Admin Group production

Valid Accounts: Cloud Accounts T1078.004 290 rules

Kusto Account Created and Deleted in Short Timeframe available
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Kusto Account Elevated to New Role
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Kusto Anomalous Single Factor Signin
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Splunk ASL AWS Create Policy Version to allow all resources production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Elastic AWS CloudShell Environment Created production
Panther AWS Compromised IAM Key Quarantine
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Panther AWS IMDS Credential Usage Outside Expected Services Experimental
Elastic AWS Management Console Root Login production
Elastic AWS Rare Source AS Organization Activity production
Sigma AWS Root Credentials test
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
Splunk AWS Successful Single-Factor Authentication production
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Panther Azure Automation Runbook Created or Modified
Panther Azure Device Code Authentication with Broker Client
Panther Azure Kubernetes RoleBinding or ClusterRoleBinding Created
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Policy DeployIfNotExists Action Triggered
Panther Azure Privileged or Elevated Role Assignment
Panther Azure Protection Multiple Alerts for User
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Bitbucket User Login Failure test
Sigma Bitlocker Key Retrieval test
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Kusto Conditional Access Policy Modified by New User
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Sigma Device Registration or Join Without MFA test
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Elastic External User Added to Google Workspace Group production
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Panther GAIA GCPW Credential Theft Attack Chain
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
Panther GCP User Added to Privileged Group
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Elastic Google Workspace Login Flagged Suspicious production building block
Panther Google Workspace Login Type Anomaly
Panther Google Workspace OAuth Application Authorized with Privileged Scopes Experimental
Panther Google Workspace OAuth Token Requests from New IP
Panther Google Workspace Rapid Multi-IP Authentication
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High-Risk Cross-Cloud User Impersonation
Panther IAM Role Added to RDS Instance or Cluster
Panther Kubernetes ClusterRoleBinding to Privileged Role
Panther Kubernetes Role With Node Proxy Permissions Created
Panther Kubernetes Role With Pod Exec Permissions Created
Panther Kubernetes Role With Wildcard Permissions Created Experimental
Panther Kubernetes Service Account Token Theft from Pod
Panther Kubernetes System Role Modified or Deleted Experimental
Sigma Login to Disabled Account test
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Sigma macOS SSH Connection Detection experimental
Kusto MFA Rejected by User available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Security And Compliance Alert Triggered production
Elastic Okta Admin Console Login Failure production building block
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Sigma Okta New Admin Console Behaviours test
Panther Okta New Behaviors Acessing Admin Console
Panther Okta Org2Org application created of modified
Elastic Okta Sign-In Events via Third-Party IdP production
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta ThreatInsight Threat Detected production
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Sigma Password Reset By User Account test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Panther Sign In from Rogue State
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Sigma Sign-ins from Non-Compliant Devices test
Panther Slack Primary Owner Transferred
Kusto SlackAudit - User login after deactivated. available
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Panther Suspicious Snowflake Sessions - Unusual Application
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - User Assigned Privileged Role available
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User Accounts - Sign in Failure due to CA Spikes available
Kusto User Added to Admin Role
Sigma User Added To Privilege Role test
Kusto User Assigned New Privileged Role available
Kusto User Login from Different Countries within 3 hours available
Sigma User State Changed From Guest To Member test
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Splunk Windows Entra User Management Via Azure CLI production
Panther Wiz Rotate Service Account Secret
Panther Wiz Service Account Change

Account Manipulation T1098 529 rules

Panther A long-lived cert was created
Sigma A Member Was Added to a Security-Enabled Global Group stable
Sigma A Member Was Removed From a Security-Enabled Global Group stable
Sigma A New Trust Was Created To A Domain stable
Sigma A Security-Enabled Global Group Was Deleted stable
Panther A user authenticated with SAML, but from an unknown company domain
Panther A User Role with Sensitive Permissions has been Created
Panther A User's Panther Account was Modified
Kusto Account added and removed from privileged groups
Elastic Account Configured with Never-Expiring Password production
Sigma Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) experimental
Elastic Account Password Reset Remotely production
Sigma Account password set to never expire. experimental
Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Account set with Kerberos DES encryption activated (weakness introduction) experimental
Sigma Account set with Kerberos pre-authentication not required (AS-REP Roasting) experimental
Sigma Account set with password not required (weakness introduction) experimental
Sigma Account set with reversible encryption (weakness introduction) experimental
Elastic Active Directory Group Modification by SYSTEM production
Sigma Active Directory User Backdoors test
Kusto AD account with Don't Expire Password
Kusto AD user enabled and password not set within 48 hours available
Sigma Added Credentials to Existing Application test
Kusto Admin promotion after Role Management Application Permission Grant available
Elastic Administrator Privileges Assigned to an Okta Group production
Elastic AdminSDHolder Backdoor production
Elastic AdminSDHolder SDProp Exclusion Added production
Panther An administrator account was created, deleted, or modified.
Kusto Anomalous login followed by Teams action
Sigma Anomalous User Activity test
Panther Anthropic Role Granted
Sigma API Key Created test
Sigma App Assigned To Azure RBAC/Microsoft Entra Role test
Sigma App Granted Privileged Delegated Or App Permissions test
Elastic Application Added to Google Workspace Domain production
Panther AppOmni Alert Passthrough
Splunk ASL AWS IAM Delete Policy production
Splunk ASL AWS IAM Failure Group Deletion production
Splunk ASL AWS IAM Successful Group Deletion production
Kusto Attempt to bypass conditional access rule in Microsoft Entra ID available
Sigma Attempt To Create API Key test
Elastic Attempt to Create Okta API Token production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Panther Auth0 New Admin Invited FOLLOWED BY Tenant Member Account Deletion
Panther Auth0 Same Phone Number Shared Across Multiple Users as MFA
Kusto Authentication Method Changed for Privileged Account
Kusto Authentication Methods Changed for Privileged Account available
Elastic AWS Bedrock Foundation Model Access Enabled or Entitlement Granted production
Elastic AWS Bedrock Resource-Based Policy Modified or Deleted production
Elastic AWS Bedrock Unauthorized Foundation Model Access Attempt production
Elastic AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt production
Elastic AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
Elastic AWS EC2 Instance Connect SSH Public Key Uploaded production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EKS Access Entry Granted Cluster Admin Policy production
Elastic AWS EKS Access Entry Modified production
Elastic AWS First Occurrence of STS GetFederationToken Request by User production
YARA-L AWS IAM Activity By S3 Browser Utility
YARA-L AWS IAM Activity From EC2 Instance
Elastic AWS IAM AdministratorAccess Policy Attached to Group production
Elastic AWS IAM AdministratorAccess Policy Attached to Role production
Elastic AWS IAM AdministratorAccess Policy Attached to User production
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Sigma AWS IAM Backdoor Users Keys test
Elastic AWS IAM Customer Managed Policy Version Created or Default Version Set production
Elastic AWS IAM Customer-Managed Policy Attached to Role by Rare User production
Splunk AWS IAM Delete Policy production
Splunk AWS IAM Failure Group Deletion production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Roles Anywhere Profile Creation production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Splunk AWS IAM Successful Group Deletion production
Elastic AWS IAM User Addition to Group production
Elastic AWS IAM User Created Access Keys For Another User production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Panther AWS Network ACL Overly Permissive Entry Created
Elastic AWS RDS DB Instance or Cluster Password Modified production
Panther AWS RDS Instance Modified to be Publicly Accessible
Panther AWS RDS Master Password Updated
Panther AWS RDS Security Group Ingress Authorized
Panther AWS Root Account Access Keys
Sigma AWS Route 53 Domain Transfer Lock Disabled test
Elastic AWS Route 53 Domain Transfer Lock Disabled production
Sigma AWS Route 53 Domain Transferred to Another Account test
Elastic AWS Route 53 Domain Transferred to Another Account production
Elastic AWS Route 53 Private Hosted Zone Associated With a VPC production
Elastic AWS S3 Bucket Policy Added to Share with External Account production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Panther AWS User API Key Created
Panther AWS User Login Profile Created or Modified
Sigma AWS User Login Profile Was Modified test
Kusto AWSCloudTrail - Changes to internet facing AWS RDS Database instances available
Kusto AWSCloudTrail - CloudFormation policy created then used for privilege escalation available
Kusto AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Access Key for IAM User available
Kusto AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of EC2 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Glue policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of SSM policy and then privilege escalation available
Kusto AWSCloudTrail - Policy version set to default available
Kusto AWSCloudTrail - Privilege escalation via CloudFormation policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD IAM policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD KMS policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD S3 policy available
Kusto AWSCloudTrail - Privilege escalation via DataPipeline policy available
Kusto AWSCloudTrail - Privilege escalation via EC2 policy available
Kusto AWSCloudTrail - Privilege escalation via Glue policy available
Kusto AWSCloudTrail - Privilege escalation via Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via SSM policy available
Kusto AWSCloudTrail - Privilege escalation with admin managed policy available
Kusto AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy available
Kusto AWSCloudTrail - Privilege escalation with FullAccess managed policy available
Splunk Azure AD Admin Consent Bypassed by Service Principal production
Splunk Azure AD Application Administrator Role Assigned production
Splunk Azure AD FullAccessAsApp Permission Assigned production
Splunk Azure AD Global Administrator Role Assigned production
Splunk Azure AD New MFA Method Registered production
Splunk Azure AD PIM Role Assigned production
Splunk Azure AD PIM Role Assignment Activated production
Splunk Azure AD Privileged Role Assigned production
Splunk Azure AD Privileged Role Assigned to Service Principal production
Splunk Azure AD Service Principal New Client Credentials production
Splunk Azure AD Service Principal Owner Added production
Splunk Azure AD Service Principal Privilege Escalation production
Splunk Azure AD Tenant Wide Admin Consent Granted production
Splunk Azure AD User Enabled And Password Reset production
Splunk Azure AD User ImmutableId Attribute Updated production
Kusto Azure DevOps Administrator Group Monitoring available
Kusto Azure DevOps Pull Request Policy Bypassing - Historic allow list available
Kusto Azure DevOps Service Connection Abuse available
Kusto Azure DevOps Service Connection Addition/Abuse - Historic allow list available
Elastic Azure Event Hub Authorization Rule Created or Updated production
Panther Azure Kubernetes RoleBinding or ClusterRoleBinding Created
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Panther Azure Privileged or Elevated Role Assignment
Elastic Azure RBAC Built-In Administrator Roles Assigned production
Panther Azure Service Principal Credentials Added
Elastic Azure Storage Account Key Regenerated production
Panther Azure Storage Account Key Regenerated
Panther Azure Storage Account Shared Key Access Enabled
Panther Azure User Elevated to User Access Administrator Role
Elastic Azure VM Extension Deployment by User production
Sigma Bitbucket Global Permission Changed test
Sigma Bulk Deletion Changes To Privileged Account Permissions test
Panther Carbon Black Admin Role Granted
Sigma Change to Authentication Method test
Splunk Cisco ASA - User Privilege Level Change production
Splunk Cisco Configuration Archive Logging Analysis production
Sigma Cisco Local Accounts test
Kusto CiscoISE - Device PostureStatus changed to non-compliant available
Kusto CiscoISE - ISE administrator password has been reset available
YARA-L Client Secret Added to Entra ID Application
Sigma Computer account created with privileges experimental
Sigma Computer account manipulation for delegation (RBCD) experimental
Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
Kusto Conditional Access - A Conditional Access user/group/role exclusion has changed
Kusto Copilot - Plugin Created by Non-Admin User available
Splunk Create_Add Local_Domain User (EDR)
Splunk Create_Add Local_Domain User (Sysmon)
Splunk Create_Add Local_Domain User (Windows Event Log)
Kusto Credential added after admin consented to Application available
Panther CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails
Panther CVE-2023-7028 - GitLab Production Password Reset Multiple Emails
Panther Databricks Account Admin Privileged Role Assignment Experimental
Panther Databricks Account-Level Configuration Changes Experimental
Panther Databricks High Priority Configuration Changes Experimental
Panther Databricks Long-Lifetime Token Generated Experimental
Panther Databricks Metastore Admin Privilege Granted Experimental
Panther Databricks Principal Removed From Group Experimental
Panther Databricks User Password Changed Experimental
Panther Databricks User Role Modified Experimental
Panther Databricks Workspace Admin Privileged Role Assignment Experimental
Panther Databricks Workspace-Level Configuration Changes Experimental
Kusto Dataverse - New non-interactive identity granted access available
Elastic Delegated Managed Service Account Modification by an Unusual User production
Panther DEPRECATED - AWS User Login Profile Modified
Elastic Deprecated - M365 Teams Guest Access Enabled production
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect PIM Alert Disabling activity
Kusto DEV-0270 New User Creation available
Kusto Device Registration from Malicious IP available
Sigma Disabled guest or builtin account activated experimental
Sigma Disabled guest or builtin account activated (command)
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Sigma Domain group membership change experimental
Kusto DSRM Account Abuse
Sigma DSRM password changed (native) experimental
Sigma DSRM password changed (Reg via command) experimental
Sigma DSRM password changed (Reg via PowerShell) experimental
Elastic EKS Authentication Configuration Modified production
Sigma Enabled User Right in AD to Control User Objects test
YARA-L Entra ID Add User Outside PIM
YARA-L Entra ID Add User To Admin Role
Elastic Entra ID ADRS Token Request by Microsoft Authentication Broker production
Elastic Entra ID Application Credential Modified production
Elastic Entra ID Device Registration with ROADtools Default OS Build production
Elastic Entra ID Device with ROADtools Default OS Build (Entity Analytics) production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Elevated Access to User Access Administrator production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic Entra ID Global Administrator Role Assigned production
Elastic Entra ID Global Administrator Role Assigned (PIM User) production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
Elastic Entra ID Protection User Alert and Device Registration production
YARA-L Entra ID Recently Created User Assigned an Entra ID Role
Elastic Entra ID Register Device with Unusual User Agent (Azure AD Join) production
Elastic Entra ID Service Principal Credentials Created by Unusual User production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID Unusual Cloud Device Registration production
Elastic Entra ID User Added as Registered Application Owner production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Splunk ESXi Account Modified production
Sigma ESXi Admin Permission Assigned To Account Via ESXCLI test
Splunk ESXi User Granted Admin Role production
Kusto External User Access Enabled
Elastic External User Added to Google Workspace Group production
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Kusto Firewall rule manipulation attempts stateful anomaly on database available
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Sigma GCP Access Policy Deleted test
YARA-L GCP Admin Privileged Roles Added To Service Accounts
Elastic GCP IAM Custom Role Creation production
YARA-L GCP IAM Organization Policy Updated Or Deleted
Elastic GCP IAM Service Account Key Deletion production
Elastic GCP Service Account Key Creation production
Elastic GCP Storage Bucket Permissions Modification production
Panther GitHub Malicious Commit Content
Panther GitHub Org Authentication Method Changed
Panther GitHub Org IP Allow List modified
Sigma Github Outside Collaborator Detected test
Elastic GitHub Owner Role Granted To User production
YARA-L GitHub Personal Access Token Created from Tor IP Address
YARA-L GitHub Repository Deploy Key Created Or Modified
Panther GitHub User Role Updated
YARA-L Google Cloud Service Account Key Created or Uploaded
Elastic Google Workspace Admin Role Assigned to a User production
YARA-L Google Workspace Admin Role Assignment
Elastic Google Workspace API Access Granted via Domain-Wide Delegation production
Sigma Google Workspace Application Access Level Modified test
Elastic Google Workspace Custom Admin Role Created production
YARA-L Google Workspace Custom Admin Role Created
Elastic Google Workspace Device Registration After OAuth from Suspicious ASN production
Elastic Google Workspace Device Registration Burst for Single User production
Sigma Google Workspace Granted Domain API Access test
Panther Google Workspace OAuth Application Authorized with Privileged Scopes Experimental
Elastic Google Workspace Object Copied to External Drive with App Consent production
YARA-L Google Workspace Password Policy Changed
Elastic Google Workspace Password Policy Modified production
Elastic Google Workspace Role Modified production
Elastic Google Workspace Suspended User Account Renewed production
Sigma Google Workspace User Granted Admin Privileges test
Elastic Google Workspace User Organizational Unit Changed production
YARA-L Google Workspace User Ou Changed
Elastic Google Workspace User Sign-in from Atypical Device Type production
Sigma Granting Of Permissions To An Account test
Kusto Group created then added to built in domain local or global group
Panther GSuite Workspace Gmail Default Routing Rule Modified
Panther GSuite Workspace Trusted Domain Allowlist Modified
Kusto GWorkspace - Admin permissions granted available
Kusto GWorkspace - User access has been changed available
Sigma Hidden account creation (with fast deletion) experimental
Sigma High risk Active Directory group membership change experimental
Sigma High risk local/domain local group membership change experimental
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Kusto High-Risk Admin Activity available
Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol experimental
Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only experimental
Sigma Host set with constrained delegation experimental
Sigma Host set with unconstrained delegation experimental
Sigma Host unconstrained delegation settings changed for potential abuse (Rubeus) experimental
Sigma IAM Access Key Created test
Sigma IAM Access Key Creation Attempt test
Sigma IAM Admin Policy Attached test
Sigma IAM Login Profile Created test
Sigma IAM Policy Attachment Attempt test
Kusto Illusive Incidents Analytic Rule available
Elastic Kerberos Pre-authentication Disabled for User production
Elastic KRBTGT Delegation Backdoor production
Panther Kubernetes Client Certificate Credential Created
Elastic Kubernetes Client Certificate Signing Request Created or Approved production
Elastic Kubernetes Cluster-Admin Role Binding Created production
Panther Kubernetes ClusterRoleBinding to Privileged Role
Elastic Kubernetes Creation of a RoleBinding Referencing a ServiceAccount production
Elastic Kubernetes Creation or Modification of Sensitive Role production
Panther Kubernetes Long-Lived Service Account Token Created Experimental
Elastic Kubernetes RBAC Wildcard Elevation on Existing Role production
Elastic Kubernetes Sensitive RBAC Change Followed by Workload Modification production
Elastic Kubernetes Service Account Modified RBAC Objects production
Panther Kubernetes System Role Modified or Deleted Experimental
Splunk Linux Auditd Possible Access Or Modification Of Sshd Config File production
Elastic Linux Group Creation production
Splunk Linux Possible Access Or Modification Of sshd Config File production
Splunk Linux Possible Ssh Key File Creation production
Splunk Linux SSH Authorized Keys Modification production
Elastic Linux User Account Credential Modification production
Elastic Linux User Added to Privileged Group production
Kusto Local Admin Group Changes available
Sigma Local group membership change experimental
Elastic M365 Exchange Mailbox Audit Logging Bypass Added production
Elastic M365 Exchange Mailbox High-Risk Permission Delegated production
Elastic M365 Exchange Management Group Role Assigned production
Elastic M365 Exchange MFA Notification Email Deleted or Moved production
Elastic M365 Identity Global Administrator Role Assigned production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Elastic M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
Elastic M365 Security Compliance Admin Signal production building block
Elastic M365 SharePoint Site Administrator Added production
Sigma macOS User Account Manipulation experimental
Kusto Mail.Read Permissions Granted to Application available
Kusto Malicious BEC Inbox Rule
Kusto Malicious Inbox Rule available
Sigma Massive group membership changes detected experimental
Sigma Medium risk Active Directory group membership change experimental
Sigma Medium risk local/domain local group membership change experimental
Sigma Member added to DNSadmin group experimental
Splunk Member added to security-enabled global group (Windows Event Log)
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Modification of the msPKIAccountCredentials production
Kusto Modified domain federation trust settings available
Kusto Multi-Factor Authentication Disabled for a User available
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Sigma New DMSA Service Account Created in Specific OUs experimental
Kusto New External User Granted Admin Role available
Elastic New GitHub App Installed production
Elastic New GitHub Owner Added production
Elastic New GitHub Personal Access Token (PAT) Added production
Panther New IAM Credentials Updated
Sigma New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental
Sigma New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental
Sigma New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental
Sigma New member added to an Exchange administration group (high risk) experimental
Sigma New member added to an Exchange administration group (medium risk) experimental
Elastic New User Added To GitHub Organization production building block
Kusto New user created and added to the built-in administrators group
Panther Notion Login FOLLOWED BY AccountChange
Kusto NRT Authentication Methods Changed for VIP Users
Kusto NRT Malicious Inbox Rule
Kusto NRT Modified domain federation trust settings available
Kusto NRT User added to Microsoft Entra ID Privileged Groups available
Sigma Number Of Resource Creation Or Deployment Activities test
YARA-L O365 AD PowerShell App Login Subsequent Activity
YARA-L O365 Add User To Admin Role
Splunk O365 Admin Consent Bypassed by Service Principal production
Splunk O365 Application Available To Other Tenants production
Splunk O365 Application Registration Owner Added production
Splunk O365 ApplicationImpersonation Role Assigned production
Splunk O365 Elevated Mailbox Permission Assigned production
YARA-L O365 Entra ID App Client Secret Added, Updated or Deleted
Splunk O365 FullAccessAsApp Permission Assigned production
Splunk O365 High Privilege Role Granted production
Splunk O365 Mailbox Folder Read Permission Assigned production
Splunk O365 Mailbox Folder Read Permission Granted production
Splunk O365 Mailbox Read Access Granted to Application production
Splunk O365 New MFA Method Registered production
Splunk O365 Privileged Role Assigned production
Splunk O365 Privileged Role Assigned To Service Principal production
YARA-L O365 Recently Created Entra ID User Assigned Roles
Splunk O365 Service Principal New Client Credentials production
Splunk O365 Service Principal Privilege Escalation production
Splunk O365 Tenant Wide Admin Consent Granted production
Kusto Office Policy Tampering available
Panther Okta AD Agent Token Abuse - Behavioral Experimental
Sigma Okta Admin Role Assigned to an User or Group test
Panther Okta Authentication Bypass via Skeleton Key Injection - Behavioral Experimental
Sigma Okta Identity Provider Created test
Panther Okta Identity Provider Created or Modified
Panther Okta Identity Provider Sign-in
Splunk Okta New Device Enrolled on Account production
Elastic Okta User Assigned Administrator Role production
Panther OpenAI Admin Role Assignment
Panther OpenAI Anomalous API Key Activity
Panther OpenAI SCIM Configuration Change
Elastic OpenSSL Password Hash Generation production
Sigma Password Change on Directory Service Restore Mode (DSRM) Account stable
Sigma Password Set to Never Expire via WMI experimental
Kusto Pathlock TDnR - Authorization Profile Changes available
Kusto Pathlock TDnR - Authorization Role Changes available
Kusto Pathlock TDnR - CUA Settings Changes available
Kusto Pathlock TDnR - Global System Change Setting Events available
Kusto Pathlock TDnR - Kerberos Keytab Changes available
Kusto Pathlock TDnR - RFC Connection Changes available
Kusto Pathlock TDnR - SAP Authorization Changes available
Kusto Pathlock TDnR - SAP Client Configuration Changes available
Kusto Pathlock TDnR - SAP Instance Profile Changes available
Kusto Pathlock TDnR - System Security Policy Changes available
Kusto Pathlock TDnR - User Access Management Password Resets available
Kusto Pathlock TDnR - User Master Data Changes available
Kusto Pathlock TDnR - User-Profile Assignment Changes available
Kusto Pathlock TDnR - User-Role Assignment Changes available
Kusto Ping Federate - Abnormal password resets for user available
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Elastic Pod or Container Creation with Suspicious Command-Line production
Kusto Possible SignIn from Azure Backdoor
Elastic Potential Active Directory Replication Account Backdoor production
Elastic Potential Admin Group Account Addition production
Elastic Potential Linux Backdoor User Account Creation production
Elastic Potential Persistence via File Modification production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Potential Shadow Credentials added to AD Object production
Elastic Potential Suspicious File Edit production
Sigma Powershell LocalAccount Manipulation test
Sigma Powerview Add-DomainObjectAcl DCSync AD Extend Right test
Sigma Privilege SeMachineAccountPrivilege abuse experimental
Sigma Privileged User Has Been Created test
Kusto Rare and potentially high-risk Office operations available
Kusto Rare subscription-level operations in Azure available
Kusto RecordedFuture Threat Hunting Url All Actors
Sigma Risk for account takeover - phone number registered to multiple users experimental
Sigma Risk for account takeover - same Guardian application device is registered for MFA to multiple users experimental
Sigma Risk of Tenant Takeover experimental
Panther Root Account Access Key Created
Panther Root Password Changed
Panther Salesforce Third-Party Integration Monitoring
YARA-L sap change documents sensitive profile assignment
YARA-L sap change documents sensitive profile assignment data table
YARA-L sap change documents sensitive role assignment
YARA-L sap critial role assigned to new user
YARA-L sap critical authorization value changed
YARA-L sap critical role assigned to new user
YARA-L sap hanadb assign admin authorizations
YARA-L sap multiple password changes
YARA-L sap sensitive role assignment correlation
YARA-L sap sensitive role authorization modification
Kusto Semperis DSP RBAC Changes available
Kusto Semperis DSP Recent sIDHistory changes on AD objects available
Panther Sensitive API Calls Via VPC Endpoint
Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal production
Kusto Server Oriented Cmdlet And User Oriented Cmdlet used available
Kusto Shadow Credentials Added to Account
Kusto Shadow Credentials Added to Account (Alternative)
Elastic Shadow File Modification by Unusual Process production
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts available
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Panther Slack App Access Expanded
Panther Slack Primary Owner Transferred
Panther Slack Private Channel Made Public
Kusto SlackAudit - User role changed to admin or owner available
Panther Snowflake user with key-based auth logged in with password auth
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in User Account Management Events production
Elastic Spike in User Lifecycle Management Change Events production
Sigma SPN added to an account by command line experimental
Sigma SQL Server - Member got new privileges added on a database experimental
Sigma SQL Server - Member got new privileges added on a SQL instance level experimental
Sigma SQL Server - new member added to a database role experimental
Sigma SQL Server - new member added to a server role experimental
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Kusto StealthTalk - Multi new devices registration available
Sigma Suspicious Computer Account Name Change CVE-2021-42287 test
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Kusto Suspicious granting of permissions to an account available
Sigma Suspicious modification of a computer account SPN experimental
Sigma Suspicious modification of a fake domain controller SPN (DCshadow) experimental
Sigma Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) experimental
Sigma Suspicious modification of a user account SPN to enable Kerberoast attack experimental
Kusto Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Kubernetes Sensitive Workload Modification production
Elastic Unusual Login via System User production
Elastic Unusual Privilege Type assigned to a User production
Kusto User account added to built in domain local or global group
Kusto User account created and deleted within 10 mins
Sigma User account creation disguised in a computer account experimental
Kusto User account enabled and disabled within 10 mins
Elastic User account exposed to Kerberoasting production
Sigma User added to a group via commandline
Sigma User Added to an Administrator's Azure AD Role test
Sigma User Added To Highly Privileged Group test
Sigma User Added to Local Administrator Group stable
Sigma User Added to Local Administrators Group test
Kusto User added to Microsoft Entra ID Privileged Groups available
Elastic User Added to Privileged Group in Active Directory production
Elastic User Added to the Admin Group production
Elastic User or Group Creation/Modification production
Sigma User password change using current hash password - ChangeNTLM (Mimikatz) experimental
Sigma User password change without previous password known - SetNTLM (Mimikatz) experimental
Kusto User State changed from Guest to Member
Kusto VIP Mailbox manipulation available
Kusto VMware ESXi - Root password changed available
Splunk Windows AD add Self to Group production
Splunk Windows AD DSRM Account Changes production
Splunk Windows AD DSRM Password Reset production
Splunk Windows AD Privileged Group Modification production
Splunk Windows AD Self DACL Assignment production
Splunk Windows AD ServicePrincipalName Added To Domain Account production
Splunk Windows AD Short Lived Domain Account ServicePrincipalName production
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows DnsAdmins New Member Added production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows Increase in Group or Object Modification Activity production
Splunk Windows Increase in User Modification Activity production
Sigma Windows LAPS Credential Dump From Entra ID test
Splunk Windows Multiple Account Passwords Changed production
Splunk Windows Multiple Accounts Deleted production
Splunk Windows Multiple Accounts Disabled production
Elastic WRITEDAC Access on Active Directory Object production building block

Account Manipulation: Additional Cloud Credentials T1098.001 56 rules

Panther A Teleport Role was modified or created
Sigma Added Credentials to Existing Application test
Panther Anthropic Admin API Key Created
Panther Anthropic Admin API Key Deleted
Panther Anthropic Service Key Created
Panther Anthropic Service Key Revoked
Sigma API Key Created test
Elastic Application Added to Google Workspace Domain production
Sigma Attempt To Create API Key test
Elastic Attempt to Create Okta API Token production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS First Occurrence of STS GetFederationToken Request by User production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM User Created Access Keys For Another User production
Panther AWS Privilege Escalation Via User Compromise
Elastic AWS RDS DB Instance or Cluster Password Modified production
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Panther AWS User Takeover Via Password Reset
Kusto AWSCloudTrail - Changes to internet facing AWS RDS Database instances available
Kusto AWSCloudTrail - Creation of Access Key for IAM User available
Splunk Azure AD Service Principal New Client Credentials production
Panther Azure Service Principal Credentials Added
Elastic Azure Storage Account Key Regenerated production
YARA-L Client Secret Added to Entra ID Application
Panther Crowdstrike API Key Created
Panther Crowdstrike User Password Changed
Kusto Detect credential add to Connect Sync Application
Elastic Entra ID Application Credential Modified production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic Entra ID Service Principal Credentials Created by Unusual User production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic GCP Service Account Key Creation production
Sigma Github Outside Collaborator Detected test
YARA-L GitHub Personal Access Token Created from Tor IP Address
YARA-L GitHub Repository Deploy Key Created Or Modified
YARA-L Google Cloud Service Account Key Created or Uploaded
Elastic Google Workspace Object Copied to External Drive with App Consent production
Sigma IAM Access Key Created test
Sigma IAM Access Key Creation Attempt test
Sigma IAM Login Profile Created test
Panther IAM Role Added to RDS Instance or Cluster
Kusto New External User Granted Admin Role available
Elastic New GitHub Personal Access Token (PAT) Added production
Elastic New User Added To GitHub Organization production building block
YARA-L O365 AD PowerShell App Login Subsequent Activity
YARA-L O365 Entra ID App Client Secret Added, Updated or Deleted
Splunk O365 Service Principal New Client Credentials production
Sigma Okta Identity Provider Created test
Panther Wiz User Role Updated Or Deleted

Account Manipulation: Additional Email Delegate Permissions T1098.002 8 rules

Splunk Azure AD FullAccessAsApp Permission Assigned production
Elastic M365 Exchange Mailbox High-Risk Permission Delegated production
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Splunk O365 ApplicationImpersonation Role Assigned production
Splunk O365 Elevated Mailbox Permission Assigned production
Splunk O365 FullAccessAsApp Permission Assigned production
Splunk O365 Mailbox Folder Read Permission Assigned production
Splunk O365 Mailbox Folder Read Permission Granted production

Account Manipulation: Additional Cloud Roles T1098.003 107 rules

Kusto Admin promotion after Role Management Application Permission Grant available
Elastic Administrator Privileges Assigned to an Okta Group production
Panther Anthropic Primary Owner Transferred
Sigma App Assigned To Azure RBAC/Microsoft Entra Role test
Sigma App Granted Privileged Delegated Or App Permissions test
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS IAM AdministratorAccess Policy Attached to Group production
Elastic AWS IAM AdministratorAccess Policy Attached to Role production
Elastic AWS IAM AdministratorAccess Policy Attached to User production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Roles Anywhere Profile Creation production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM User Addition to Group production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Elastic AWS Sensitive IAM Operations Performed via CloudShell production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Kusto AWSCloudTrail - CloudFormation policy created then used for privilege escalation available
Kusto AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of EC2 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Glue policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of SSM policy and then privilege escalation available
Kusto AWSCloudTrail - Policy version set to default available
Kusto AWSCloudTrail - Privilege escalation via CloudFormation policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD DynamoDB policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD IAM policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD KMS policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via CRUD S3 policy available
Kusto AWSCloudTrail - Privilege escalation via DataPipeline policy available
Kusto AWSCloudTrail - Privilege escalation via EC2 policy available
Kusto AWSCloudTrail - Privilege escalation via Glue policy available
Kusto AWSCloudTrail - Privilege escalation via Lambda policy available
Kusto AWSCloudTrail - Privilege escalation via SSM policy available
Kusto AWSCloudTrail - Privilege escalation with admin managed policy available
Kusto AWSCloudTrail - Privilege escalation with AdministratorAccess managed policy available
Kusto AWSCloudTrail - Privilege escalation with FullAccess managed policy available
Splunk Azure AD Admin Consent Bypassed by Service Principal production
Splunk Azure AD Application Administrator Role Assigned production
Splunk Azure AD FullAccessAsApp Permission Assigned production
Splunk Azure AD Global Administrator Role Assigned production
Splunk Azure AD PIM Role Assigned production
Splunk Azure AD PIM Role Assignment Activated production
Splunk Azure AD Privileged Role Assigned production
Splunk Azure AD Privileged Role Assigned to Service Principal production
Splunk Azure AD Service Principal Privilege Escalation production
Splunk Azure AD Tenant Wide Admin Consent Granted production
Elastic Azure Event Hub Authorization Rule Created or Updated production
Panther Azure Privileged or Elevated Role Assignment
Elastic Azure RBAC Built-In Administrator Roles Assigned production
Panther Azure User Elevated to User Access Administrator Role
Panther Crowdstrike Admin Role Assigned
Panther Crowdstrike New Admin User Created
YARA-L Entra ID Add User Outside PIM
YARA-L Entra ID Add User To Admin Role
Elastic Entra ID Elevated Access to User Access Administrator production
Elastic Entra ID Global Administrator Role Assigned production
Elastic Entra ID Global Administrator Role Assigned (PIM User) production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
YARA-L Entra ID Recently Created User Assigned an Entra ID Role
YARA-L GCP Admin Privileged Roles Added To Service Accounts
Elastic GCP IAM Custom Role Creation production
Panther GCP Inbound SSO Profile Created
Elastic GCP Storage Bucket Permissions Modification production
Panther GCP Workforce Pool Created or Updated
Panther GCP Workload Identity Pool Created or Updated
Sigma Github Outside Collaborator Detected test
Elastic GitHub Owner Role Granted To User production
Elastic Google Workspace Admin Role Assigned to a User production
YARA-L Google Workspace Admin Role Assignment
Sigma Google Workspace Application Access Level Modified test
Elastic Google Workspace Custom Admin Role Created production
YARA-L Google Workspace Custom Admin Role Created
Elastic Google Workspace User Organizational Unit Changed production
YARA-L Google Workspace User Ou Changed
Sigma Granting Of Permissions To An Account test
Sigma IAM Admin Policy Attached test
Sigma IAM Policy Attachment Attempt test
Elastic M365 Exchange Management Group Role Assigned production
Elastic M365 Identity Global Administrator Role Assigned production
Elastic M365 SharePoint Site Administrator Added production
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic New GitHub Owner Added production
Elastic New User Added To GitHub Organization production building block
YARA-L O365 Add User To Admin Role
Splunk O365 Admin Consent Bypassed by Service Principal production
Splunk O365 Application Available To Other Tenants production
Splunk O365 FullAccessAsApp Permission Assigned production
Splunk O365 High Privilege Role Granted production
Splunk O365 Mailbox Read Access Granted to Application production
Splunk O365 Privileged Role Assigned production
Splunk O365 Privileged Role Assigned To Service Principal production
YARA-L O365 Recently Created Entra ID User Assigned Roles
Splunk O365 Service Principal Privilege Escalation production
Splunk O365 Tenant Wide Admin Consent Granted production
Sigma Okta Admin Role Assigned to an User or Group test
Elastic Okta User Assigned Administrator Role production
Panther OpenAI Admin Role Assignment
Panther Slack User Privilege Escalation
Sigma User Added to an Administrator's Azure AD Role test
Panther ZIA Additional Cloud Roles

Account Manipulation: SSH Authorized Keys T1098.004 12 rules

Elastic AWS EC2 Instance Connect SSH Public Key Uploaded production
Splunk Linux Auditd Possible Access Or Modification Of Sshd Config File production
Splunk Linux Possible Access Or Modification Of sshd Config File production
Splunk Linux Possible Ssh Key File Creation production
Splunk Linux SSH Authorized Keys Modification production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Unusual Login via System User production

Account Manipulation: Device Registration T1098.005 22 rules

Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Splunk Azure AD New MFA Method Registered production
Elastic Entra ID ADRS Token Request by Microsoft Authentication Broker production
Elastic Entra ID Device Registration with ROADtools Default OS Build production
Elastic Entra ID Device with ROADtools Default OS Build (Entity Analytics) production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Register Device with Unusual User Agent (Azure AD Join) production
Elastic Entra ID Unusual Cloud Device Registration production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Elastic Google Workspace Device Registration After OAuth from Suspicious ASN production
Elastic Google Workspace Device Registration Burst for Single User production
Elastic Google Workspace User Sign-in from Atypical Device Type production
Elastic M365 Exchange MFA Notification Email Deleted or Moved production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Splunk O365 New MFA Method Registered production
Splunk Okta New Device Enrolled on Account production
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Sigma Windows LAPS Credential Dump From Entra ID test

Account Manipulation: Additional Container Cluster Roles T1098.006 12 rules

Elastic AWS EKS Access Entry Granted Cluster Admin Policy production
Elastic AWS EKS Access Entry Modified production
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Elastic EKS Authentication Configuration Modified production
Elastic Kubernetes Client Certificate Signing Request Created or Approved production
Elastic Kubernetes Cluster-Admin Role Binding Created production
Elastic Kubernetes Creation of a RoleBinding Referencing a ServiceAccount production
Elastic Kubernetes Creation or Modification of Sensitive Role production
Elastic Kubernetes RBAC Wildcard Elevation on Existing Role production
Elastic Kubernetes Sensitive RBAC Change Followed by Workload Modification production
Elastic Kubernetes Service Account Modified RBAC Objects production
Elastic Unusual Kubernetes Sensitive Workload Modification production

Account Manipulation: Additional Local or Domain Groups T1098.007 9 rules

Elastic Linux Group Creation production
Elastic Linux User Added to Privileged Group production
Elastic Potential Admin Group Account Addition production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Unusual Group Name Accessed by a User production
Elastic User Added to Privileged Group in Active Directory production
Elastic User Added to the Admin Group production
Elastic User or Group Creation/Modification production

Access Token Manipulation T1134 73 rules

Kusto Access Token Manipulation - Create Process with Token available
Sigma Addition of SID History to Active Directory Object stable
Sigma Anonymous login (RottenPotatoNG) experimental
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Kusto BTP - Cloud Identity Service application configuration monitor available
Kusto BTP - Trust and authorization Identity Provider monitor available
Elastic Credential Manipulation - Detected - Elastic Endgame production
Elastic Credential Manipulation - Prevented - Elastic Endgame production
Elastic First Time Seen NewCredentials Logon Process production
Panther GitHub Artifact Download from Cross-Fork Workflow
Panther GitHub Cross-Fork Workflow Run
Panther GitHub pull_request_target Workflow on Self-Hosted Runner
Panther GitHub pull_request_target Workflow Usage
Panther GitHub pull_request_target Workflow with Checkout Action
Sigma HackTool - Impersonate Execution test
Sigma HackTool - Koh Default Named Pipe test
Sigma HackTool - NoFilter Execution test
Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
Sigma HackTool - SharpDPAPI Execution test
Sigma HackTool - SharpImpersonation Execution test
Kusto High-Risk Cross-Cloud User Impersonation
Elastic Interactive Logon by an Unusual Process production
Elastic Kubernetes API Request Impersonating Privileged Identity production
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
Sigma New rights granted to an account for privilege escalation experimental
Elastic Parent Process PID Spoofing production
Kusto Pathlock TDnR - Dynamic Access Control Events available
Elastic Permission Theft - Detected - Elastic Endgame production
Elastic Permission Theft - Prevented - Elastic Endgame production
Kusto Ping Federate - Abnormal password resets for user available
Kusto Possible Resource-Based Constrained Delegation Abuse
Sigma Potential Access Token Abuse test
Sigma Potential Meterpreter/CobaltStrike Activity test
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic Privilege Escalation via Named Pipe Impersonation production
Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
Sigma Privilege escalation via runas (command) experimental
Sigma Privilege escalation via RunasCS experimental
Elastic Privileges Elevation via Parent Process PID Spoofing production
Elastic Process Created with a Duplicated Token production
Elastic Process Created with an Elevated Token production
Elastic Process Creation via Secondary Logon production
Kusto PRT Credential Stealing
Sigma PUA - AdvancedRun Execution test
Sigma PUA - AdvancedRun Suspicious Execution test
Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
Splunk Runas Execution in CommandLine production
Elastic SeDebugPrivilege Enabled by a Suspicious Process production
Kusto Semperis DSP Well-known privileged SIDs in sIDHistory available
Kusto Service Principal Name (SPN) Assigned to User Account
Elastic Spike in Special Privilege Use Events production
Sigma Suspicious Child Process Created as System test
Elastic Suspicious SeIncreaseBasePriorityPrivilege Use production
Sigma Suspicious SYSTEM User Process Creation test
Elastic Unusual Parent-Child Relationship production
Kusto User impersonation by Identity Protection alerts
Kusto User Session Impersonation(Okta) available
Splunk Windows Access Token Manipulation SeDebugPrivilege production
Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
Splunk Windows AD Cross Domain SID History Addition production
Splunk Windows AD Privileged Account SID History Addition production
Splunk Windows AD Same Domain SID History Addition production
Splunk Windows AD SID History Attribute Modified production
Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production
Splunk Windows Parent PID Spoofing with Explorer production
Splunk Windows Privilege Escalation Suspicious Process Elevation production
Splunk Windows Privilege Escalation System Process Without System Parent production
Splunk Windows Privilege Escalation User Process Spawn System Process production
Splunk Wscript Or Cscript Suspicious Child Process production

Access Token Manipulation: Token Impersonation/Theft T1134.001 23 rules

Sigma Anonymous login (RottenPotatoNG) experimental
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Elastic First Time Seen NewCredentials Logon Process production
Sigma HackTool - Impersonate Execution test
Sigma HackTool - Koh Default Named Pipe test
Sigma HackTool - NoFilter Execution test
Sigma HackTool - SharpDPAPI Execution test
Sigma HackTool - SharpImpersonation Execution test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
Elastic Permission Theft - Detected - Elastic Endgame production
Elastic Permission Theft - Prevented - Elastic Endgame production
Sigma Potential Access Token Abuse test
Sigma Potential Meterpreter/CobaltStrike Activity test
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic Privilege Escalation via Named Pipe Impersonation production
Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
Elastic Process Created with a Duplicated Token production
Kusto PRT Credential Stealing
Splunk Runas Execution in CommandLine production
Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production

Access Token Manipulation: Create Process with Token T1134.002 18 rules

Kusto Access Token Manipulation - Create Process with Token available
Elastic Interactive Logon by an Unusual Process production
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
Sigma Potential Meterpreter/CobaltStrike Activity test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Token Impersonation Capabilities production
Sigma Privilege escalation via runas (command) experimental
Sigma Privilege escalation via RunasCS experimental
Elastic Privileges Elevation via Parent Process PID Spoofing production
Elastic Process Created with a Duplicated Token production
Elastic Process Created with an Elevated Token production
Elastic Process Creation via Secondary Logon production
Sigma PUA - AdvancedRun Execution test
Sigma PUA - AdvancedRun Suspicious Execution test
Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
Sigma Suspicious Child Process Created as System test
Splunk Windows Access Token Manipulation SeDebugPrivilege production

Access Token Manipulation: Make and Impersonate Token T1134.003 7 rules

Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Sigma HackTool - Impersonate Execution test
Sigma HackTool - SharpDPAPI Execution test
Sigma HackTool - SharpImpersonation Execution test
Elastic Interactive Logon by an Unusual Process production
Elastic Process Creation via Secondary Logon production
Kusto User Session Impersonation(Okta) available

Access Token Manipulation: Parent PID Spoofing T1134.004 6 rules

Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
Elastic Parent Process PID Spoofing production
Elastic Privileges Elevation via Parent Process PID Spoofing production
Elastic Unusual Parent-Child Relationship production
Splunk Windows Parent PID Spoofing with Explorer production
Splunk Wscript Or Cscript Suspicious Child Process production

Access Token Manipulation: SID-History Injection T1134.005 6 rules

Sigma Addition of SID History to Active Directory Object stable
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Windows AD Cross Domain SID History Addition production
Splunk Windows AD Privileged Account SID History Addition production
Splunk Windows AD Same Domain SID History Addition production
Splunk Windows AD SID History Attribute Modified production

Domain or Tenant Policy Modification T1484 85 rules

Splunk Active Directory Privilege Escalation Identified experimental
Elastic AdminSDHolder SDProp Exclusion Added production
Elastic Application Removed from Blocklist in Google Workspace production
Panther AppOmni Alert Passthrough
Elastic Attempt to Deactivate an Okta Network Zone production
Elastic Attempt to Delete an Okta Policy Rule production
Elastic Attempt to Modify an Okta Network Zone production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Modify an Okta Policy Rule production
Elastic AWS IAM OIDC Provider Created by Rare User production
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM SAML Provider Updated production
Kusto AWSCloudTrail - CloudFormation policy created then used for privilege escalation available
Kusto AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of EC2 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Glue policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of SSM policy and then privilege escalation available
Kusto AWSCloudTrail - Full Admin policy created and then attached to Roles, Users or Groups available
Splunk Azure AD New Custom Domain Added production
Splunk Azure AD New Federated Domain Added production
Sigma Changes to Device Registration Policy test
Kusto Conditional Access - Dynamic Group Exclusion Changes
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Elastic Deprecated - M365 Teams External Access Enabled production
Elastic Deprecated - M365 Teams Guest Access Enabled production
Elastic Domain Added to Google Workspace Trusted Domains production
YARA-L Entra ID conditional access policy modification
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic Google Workspace Admin Role Deletion production
Elastic Google Workspace Bitlocker Setting Disabled production
Elastic Google Workspace Password Policy Modified production
Elastic Google Workspace Restrictions for Marketplace Modified to Allow Any App production
Sigma Group Policy Abuse for Privilege Addition test
Elastic Group Policy Abuse for Privilege Addition production
Elastic M365 Exchange Anti-Phish Policy Deleted production
Elastic M365 Exchange DKIM Signing Configuration Disabled production
Elastic M365 Exchange Email Safe Link Policy Disabled production
Elastic M365 Exchange Federated Domain Created or Modified production
Elastic M365 Exchange Malware Filter Rule Modified production
Elastic M365 SharePoint Site Sharing Policy Weakened production
Elastic M365 Teams Custom Application Interaction Enabled production
Sigma macOS MDM Profile Manipulation experimental
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Splunk Modify Group Policy (Windows Event Log)
Sigma Modify Group Policy Settings test
Sigma Modify Group Policy Settings - ScriptBlockLogging test
Sigma New Federated Domain Added test
Elastic New Okta Identity Provider (IdP) Added by Admin production
Splunk O365 Cross-Tenant Access Change production
Sigma Permissions changed on a Group Policy (GPO) experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Scheduled Task Execution at Scale via GPO production
Kusto Shadow Credentials Added to Account
Kusto Shadow Credentials Added to Account (Alternative)
Sigma Startup/Logon Script Added to Group Policy Object test
Elastic Startup/Logon Script added to Group Policy Object production
Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
Splunk Windows AD Dangerous Deny ACL Modification production
Splunk Windows AD Dangerous Group ACL Modification production
Splunk Windows AD Dangerous User ACL Modification production
Splunk Windows AD DCShadow Privileges ACL Addition production
Splunk Windows AD Domain Replication ACL Addition production
Splunk Windows AD Domain Root ACL Deletion production
Splunk Windows AD Domain Root ACL Modification production
Splunk Windows AD GPO Deleted production
Splunk Windows AD GPO Disabled production
Splunk Windows AD GPO New CSE Addition production
Splunk Windows AD Hidden OU Creation production
Splunk Windows AD Object Owner Updated production
Splunk Windows AD Self DACL Assignment production
Splunk Windows Admon Default Group Policy Object Modified production
Splunk Windows Admon Group Policy Object Created production
Sigma Windows Default Domain GPO Modification experimental
Sigma Windows Default Domain GPO Modification via GPME experimental
Splunk Windows Default Group Policy Object Modified production
Splunk Windows Default Group Policy Object Modified with GPME production
Splunk Windows Group Policy Object Created production
Splunk Windows Scheduled Task Created in a Group Policy Object production

Domain or Tenant Policy Modification: Group Policy Modification T1484.001 24 rules

Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Panther GCP User Added to Privileged Group
Sigma Group Policy Abuse for Privilege Addition test
Elastic Group Policy Abuse for Privilege Addition production
Splunk Modify Group Policy (Windows Event Log)
Sigma Modify Group Policy Settings test
Sigma Modify Group Policy Settings - ScriptBlockLogging test
Sigma Permissions changed on a Group Policy (GPO) experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Scheduled Task Execution at Scale via GPO production
Sigma Startup/Logon Script Added to Group Policy Object test
Elastic Startup/Logon Script added to Group Policy Object production
Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
Splunk Windows AD GPO Deleted production
Splunk Windows AD GPO Disabled production
Splunk Windows AD GPO New CSE Addition production
Splunk Windows Admon Default Group Policy Object Modified production
Splunk Windows Admon Group Policy Object Created production
Sigma Windows Default Domain GPO Modification experimental
Sigma Windows Default Domain GPO Modification via GPME experimental
Splunk Windows Default Group Policy Object Modified production
Splunk Windows Default Group Policy Object Modified with GPME production
Splunk Windows Group Policy Object Created production
Splunk Windows Scheduled Task Created in a Group Policy Object production

Domain or Tenant Policy Modification: Trust Modification T1484.002 15 rules

Elastic Attempt to Deactivate an Okta Network Zone production
Elastic AWS IAM OIDC Provider Created by Rare User production
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM SAML Provider Updated production
Splunk Azure AD New Custom Domain Added production
Splunk Azure AD New Federated Domain Added production
Elastic Domain Added to Google Workspace Trusted Domains production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic M365 Exchange Federated Domain Created or Modified production
Sigma New Federated Domain Added test
Elastic New Okta Identity Provider (IdP) Added by Admin production
Splunk O365 Cross-Tenant Access Change production
Panther Wiz SAML Identity Provider Change
Panther ZIA Trust Modification

Create or Modify System Process T1543 218 rules

Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
Elastic Anomalous Process For a Linux Population production
Elastic Anomalous Process For a Windows Population production
Elastic Anomalous Windows Process Creation production
Elastic APT Package Manager Configuration File Creation production
Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Elastic Authentication via Unusual PAM Grantor production
Elastic Boot File Copy production
Elastic Chkconfig Service Add production
Splunk Cisco Isovalent - Late Process Execution production
Splunk Cisco Isovalent - Nsenter Usage in Kubernetes Pod production
Splunk Cisco Isovalent - Shell Execution production
Splunk Clop Ransomware Known Service Name production
Splunk CMD Echo Pipe - Escalation production
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma CodeIntegrity - Blocked Driver Load With Revoked Certificate test
Sigma CodeIntegrity - Blocked Image/Driver Load For Policy Violation test
Kusto COM Event System Loading New DLL
Sigma CosmicDuke Service Installation test
Elastic Creation of Hidden Launch Agent or Daemon production
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Elastic D-Bus Service Created production
Panther Databricks Install Library on All Clusters Experimental
Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
Sigma Devcon Execution Disabling VMware VMCI Device experimental
Elastic DNF Package Manager Plugin File Creation production
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic Dracut Module Creation production
Sigma Driver Load From A Temporary Directory test
Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
Sigma Encoded PowerShell payload deployed via service experimental
Elastic Execution of an Unsigned Service production building block
Elastic Finder Sync Plugin Registered and Enabled production
Elastic First Time Python Created a LaunchAgent or LaunchDaemon production
Elastic First Time Seen Driver Loaded production
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Elastic GRUB Configuration File Creation production
Elastic GRUB Configuration Generation through Built-in Utilities production
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Sigma Impacket SMBexec service creation (registry) experimental
Sigma Impacket SMBexec service registration (native) experimental
Elastic Initramfs Extraction via CPIO production
Elastic Initramfs Unpacking via unmkinitramfs production
Splunk Kernel Service Installed - Windows (Windows Event Log)
Sigma KrbRelayUp Service Installation test
Panther Kubernetes DaemonSet Created
Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Splunk LLM Model File Creation production
Sigma macOS ESF Launch Persistence Creation experimental
Splunk MacOS Kextload Usage production
Sigma macOS LaunchAgent/LaunchDaemon Persistence experimental
Sigma Malicious Driver Load test
Sigma Malicious Driver Load By Name test
Kusto McAfee ePO - Multiple threats on same host available
Sigma Mimikatz driver deployed via service experimental
Sigma Mimikatz driver registration (Reg via Sysmon) experimental
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Moriya Rootkit - System test
Sigma Moriya Rootkit File Created test
Elastic Namespace Manipulation Using Unshare production
Elastic Namespace Manipulation Using Unshare in a Container production
Elastic Network Logon Provider Registry Modification production
Elastic NetworkManager Dispatcher Script Creation production
Sigma New Kernel Driver Via SC.EXE test
Sigma New PDQDeploy Service - Client Side test
Sigma New PDQDeploy Service - Server Side test
Sigma New Service Creation Using PowerShell test
Sigma New Service Creation Using Sc.EXE test
Elastic Node.js Pre or Post-Install Script Execution production
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Kusto Pathlock TDnR - Logical OS Command Changes available
Kusto Pathlock TDnR - TMS Transport and Import Events available
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Docker Shortcut Modification production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Elastic Persistence via Update Orchestrator Service Hijack production
Elastic Persistence via WMI Standard Registry Provider production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Polkit Policy Creation production
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Splunk Possible Lateral Movement PowerShell Spawn production
Elastic Potential Backdoor Execution Through PAM_EXEC production
Sigma Potential CobaltStrike Service Installations - Registry test
Elastic Potential Execution via SSH Backdoor production
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via PlistBuddy test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Elastic Potential Suspicious File Edit production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma ProcessHacker Privilege Elevation test
Sigma PSEXEC Remote Execution File Artefact test
Splunk PSexec Service Creation (Windows Event Log)
Sigma PSexec service installation experimental
Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
Sigma PUA - Process Hacker Driver Load test
Sigma PUA - Process Hacker Execution test
Sigma PUA - System Informer Driver Load test
Sigma PUA - System Informer Execution test
Splunk Randomly Generated Windows Service Name experimental
Kusto Rare Process as a Service available
Sigma RDP session hijack via service creation abuse experimental
Sigma Remote Access Tool Services Have Been Installed - Security test
Sigma Remote Access Tool Services Have Been Installed - System test
Elastic Remote Windows Service Installed production
Elastic Renaming of OpenSSH Binaries production
Elastic RPM Package Installed by Unusual Parent Process production
Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
Sigma Service abuse with backdoored "command failure" (service) experimental
Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
Sigma Service abuse with malicious ImagePath (service) experimental
Elastic Service Command Lateral Movement production
Elastic Service Control Spawned via Script Interpreter production
Sigma Service creation (command) experimental
Sigma Service creation (PowerShell) experimental
Elastic Service Creation via Local Kerberos Authentication production
Elastic Service DACL Modification via sc.exe production
Sigma Service Installation in Suspicious Folder test
Sigma Service Installation with Suspicious Folder Pattern test
Splunk Service Installed (Windows Event Log)
Sigma Service Installed By Unusual Client - Security test
Sigma Service Installed By Unusual Client - System test
Elastic Service Path Modification production building block
Elastic Service Path Modification via sc.exe production building block
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental
Sigma Service Reload or Start - Linux test
Sigma ServiceDll Hijack test
Splunk Services LOLBAS Execution Process Spawn production
Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
Sigma Sliver C2 Default Service Installation test
Sigma Special File Creation via Mknod Syscall experimental
Sigma StoneDrill Service Install test
Kusto SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
Splunk Suspicious .sys Created - Windows (Sysmon)
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Hidden Child Process of Launchd production
Elastic Suspicious ImagePath Service Creation production
Elastic Suspicious Mining Process Creation Event production
Elastic Suspicious Network Connection via systemd production
Sigma Suspicious New Service Creation test
Splunk Suspicious PlistBuddy Usage experimental
Splunk Suspicious PlistBuddy Usage via OSquery experimental
Elastic Suspicious ScreenConnect Client Child Process production
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
Sigma Suspicious Service Installation test
Sigma Suspicious Service Installation Script test
Sigma Suspicious Service Path Modification test
Elastic Suspicious Service was Installed in the System production
YARA-L Suspicious Windows Service Installation Detected
Sigma Sysinternals PsService Execution test
Sigma Sysinternals PsSuspend Execution test
Elastic System Shells via Services production
Elastic Systemd Generator Created production
Elastic Systemd Service Created production
Sigma Systemd Service Creation test
Elastic Systemd Service Started by Unusual Parent Process production
Elastic Systemd Shell Execution During Boot production
Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Kusto TEARDROP memory-only dropper available
Sigma Turla PNG Dropper Service test
Sigma Turla Service Install test
Sigma Uncommon Service Installation Image Path test
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual D-Bus Daemon Child Process production
Elastic Unusual DPKG Execution production
Elastic Unusual Persistence via Services Registry production
Elastic Unusual Pkexec Execution production
Elastic Unusual Process For a Linux Host production
Elastic Unusual Process For a Windows Host production
Elastic Unusual Windows Path Activity production
Elastic Unusual Windows Service production
Sigma Vulnerable Driver Load test
Sigma Vulnerable Driver Load By Name test
Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
Sigma Vulnerable WinRing0 Driver Load test
Splunk Windows Bluetooth Service Installed From Uncommon Location production
Splunk Windows KrbRelayUp Service Creation production
Splunk Windows Local LLM Framework Execution production
Splunk Windows Process Execution in Temp Dir production
Splunk Windows Remote Create Service production
Splunk Windows Service Create Kernel Mode Driver production
Splunk Windows Service Create RemComSvc production
Splunk Windows Service Create with Tscon production
Splunk Windows Service Created (Sysmon)
Splunk Windows Service Created (Windows Event Log)
Splunk Windows Service Creation on Remote Endpoint production
Splunk Windows Service Initiation on Remote Endpoint production
Elastic Windows Service Installed via an Unusual Client production
Splunk Windows Suspicious Driver Loaded Path production
Splunk Windows Suspicious Process File Path production
Splunk Windows Vulnerable Driver Installed production
Splunk Windows Vulnerable Driver Loaded production
Splunk Wscript Or Cscript Suspicious Child Process production
Splunk XMRIG Driver Loaded production
Elastic Yum Package Manager Plugin File Creation production

Create or Modify System Process: Launch Agent T1543.001 11 rules

Elastic Creation of Hidden Launch Agent or Daemon production
Elastic First Time Python Created a LaunchAgent or LaunchDaemon production
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Sigma macOS LaunchAgent/LaunchDaemon Persistence experimental
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Sigma Potential Persistence Via PlistBuddy test
Elastic Suspicious Hidden Child Process of Launchd production
Splunk Suspicious PlistBuddy Usage experimental
Splunk Suspicious PlistBuddy Usage via OSquery experimental

Create or Modify System Process: Systemd Service T1543.002 14 rules

Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Potential Persistence via File Modification production
Elastic Potential Suspicious File Edit production
Sigma Service Reload or Start - Linux test
Elastic Suspicious Mining Process Creation Event production
Elastic Suspicious Network Connection via systemd production
Elastic Systemd Generator Created production
Elastic Systemd Service Created production
Sigma Systemd Service Creation test
Elastic Systemd Service Started by Unusual Parent Process production
Elastic Systemd Shell Execution During Boot production
Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Elastic Unusual Process For a Linux Host production

Create or Modify System Process: Windows Service T1543.003 117 rules

Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
Elastic Anomalous Process For a Linux Population production
Splunk CMD Echo Pipe - Escalation production
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma CosmicDuke Service Installation test
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
Sigma Devcon Execution Disabling VMware VMCI Device experimental
Sigma Driver Load From A Temporary Directory test
Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
Sigma Encoded PowerShell payload deployed via service experimental
Elastic Execution of an Unsigned Service production building block
Elastic First Time Seen Driver Loaded production
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Sigma Impacket SMBexec service creation (registry) experimental
Sigma Impacket SMBexec service registration (native) experimental
Splunk Kernel Service Installed - Windows (Windows Event Log)
Sigma Malicious Driver Load test
Sigma Malicious Driver Load By Name test
Sigma Mimikatz driver deployed via service experimental
Sigma Mimikatz driver registration (Reg via Sysmon) experimental
Sigma Moriya Rootkit - System test
Sigma Moriya Rootkit File Created test
Sigma New Kernel Driver Via SC.EXE test
Sigma New PDQDeploy Service - Client Side test
Sigma New PDQDeploy Service - Server Side test
Sigma New Service Creation Using PowerShell test
Sigma New Service Creation Using Sc.EXE test
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Elastic Persistence via Update Orchestrator Service Hijack production
Elastic Persistence via WMI Standard Registry Provider production
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential CobaltStrike Service Installations - Registry test
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma ProcessHacker Privilege Elevation test
Sigma PSEXEC Remote Execution File Artefact test
Splunk PSexec Service Creation (Windows Event Log)
Sigma PSexec service installation experimental
Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
Splunk Randomly Generated Windows Service Name experimental
Kusto Rare Process as a Service available
Sigma RDP session hijack via service creation abuse experimental
Sigma Remote Access Tool Services Have Been Installed - Security test
Sigma Remote Access Tool Services Have Been Installed - System test
Elastic Remote Windows Service Installed production
Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
Sigma Service abuse with backdoored "command failure" (service) experimental
Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
Sigma Service abuse with malicious ImagePath (service) experimental
Elastic Service Command Lateral Movement production
Elastic Service Control Spawned via Script Interpreter production
Sigma Service creation (command) experimental
Sigma Service creation (PowerShell) experimental
Elastic Service Creation via Local Kerberos Authentication production
Elastic Service DACL Modification via sc.exe production
Sigma Service Installation in Suspicious Folder test
Sigma Service Installation with Suspicious Folder Pattern test
Elastic Service Path Modification production building block
Elastic Service Path Modification via sc.exe production building block
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental
Sigma ServiceDll Hijack test
Splunk Services LOLBAS Execution Process Spawn production
Sigma Sliver C2 Default Service Installation test
Sigma Special File Creation via Mknod Syscall experimental
Sigma StoneDrill Service Install test
Splunk Suspicious .sys Created - Windows (Sysmon)
Elastic Suspicious ImagePath Service Creation production
Sigma Suspicious New Service Creation test
Elastic Suspicious ScreenConnect Client Child Process production
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
Sigma Suspicious Service Installation test
Sigma Suspicious Service Installation Script test
Sigma Suspicious Service Path Modification test
Elastic Suspicious Service was Installed in the System production
YARA-L Suspicious Windows Service Installation Detected
Sigma Sysinternals PsService Execution test
Sigma Sysinternals PsSuspend Execution test
Elastic System Shells via Services production
Sigma Turla PNG Dropper Service test
Sigma Turla Service Install test
Sigma Uncommon Service Installation Image Path test
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual Persistence via Services Registry production
Elastic Unusual Process For a Windows Host production
Elastic Unusual Windows Path Activity production
Elastic Unusual Windows Service production
Sigma Vulnerable Driver Load test
Sigma Vulnerable Driver Load By Name test
Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
Sigma Vulnerable WinRing0 Driver Load test
Splunk Windows Bluetooth Service Installed From Uncommon Location production
Splunk Windows KrbRelayUp Service Creation production
Splunk Windows Remote Create Service production
Splunk Windows Service Create Kernel Mode Driver production
Splunk Windows Service Create RemComSvc production
Splunk Windows Service Create with Tscon production
Splunk Windows Service Creation on Remote Endpoint production
Splunk Windows Service Initiation on Remote Endpoint production
Elastic Windows Service Installed via an Unusual Client production
Splunk Windows Suspicious Driver Loaded Path production
Splunk Windows Vulnerable Driver Installed production
Splunk Windows Vulnerable Driver Loaded production
Splunk XMRIG Driver Loaded production

Create or Modify System Process: Launch Daemon T1543.004 9 rules

Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Elastic Creation of Hidden Launch Agent or Daemon production
Elastic First Time Python Created a LaunchAgent or LaunchDaemon production
Sigma Launch Agent/Daemon Execution Via Launchctl test
Elastic Launch Service Creation and Immediate Loading production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Sigma Potential Persistence Via PlistBuddy test
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Hidden Child Process of Launchd production

Create or Modify System Process: Container Service T1543.005 2 rules

Elastic Kubernetes Sensitive Configuration File Activity production
Elastic Kubernetes Static Pod Manifest File Access production

Event Triggered Execution T1546 212 rules

Kusto [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 available
Splunk Access Common Package Config file (EDR)
Splunk Access Common Package Config file (PowerShell)
Splunk Access Common Package Config file (Sysmon)
Splunk Access Common Package Config file (Windows Event Log)
Sigma AdminSDHolder permissions changed for persistence experimental
Kusto ApexOne - Possible exploit or execute operation available
Elastic APT Package Manager Configuration File Creation production
Elastic AWS Lambda Function Policy Updated to Allow Public Invocation production
Elastic Azure Automation Webhook Created production
Panther Azure Automation Webhook Created
Elastic Bash Shell Profile Modification production
Kusto BTP - Cloud Integration artifact deployment available
Kusto BTP - Cloud Integration package import or transport available
Kusto Caramel Tsunami Actor IOC - July 2021 available
Sigma Change Default File Association To Executable Via Assoc test
Sigma Change Default File Association Via Assoc test
Sigma COM Hijack via Sdclt test
Sigma COM Hijacking via TreatAs test
Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
Splunk Command Line Utility Added to Accessibility Features (PowerShell)
Splunk Command Line Utility Added to Accessibility Features (Sysmon)
Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
Elastic Component Object Model Hijacking production
Kusto Component Object Model Hijacking - Vault7 trick available
Sigma Control Panel Items test
Kusto Copilot - Plugin Created by Non-Admin User available
Elastic Curl Execution via Shell Profile production
Elastic D-Bus Service Created production
Kusto Dataminr - urgent alerts detected available
Kusto Defender Alert Evidence available
Splunk Detect WMI Event Subscription Persistence production
Elastic DNF Package Manager Plugin File Creation production
Elastic Docker Release File Creation production
Elastic DPKG Package Installed by Unusual Parent Process production
Kusto Egress Defend - Dangerous Attachment Detected available
Elastic Emond Rules Creation or Modification production
Elastic Executable Bit Set for Potential Persistence Script production
Kusto Generate alerts based on ExtraHop detections recommended for triage available
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Elastic GitHub Actions Workflow Modification Blocked production
Sigma HAFNIUM Exchange Exploitation Activity test
Elastic Image File Execution Options Injection production
Elastic Installation of Custom Shim Databases production
Kusto KnowBe4 Defend - Dangerous Attachment Detected available
Panther Kubernetes Admission Controller Webhook Created
Elastic Kubernetes Admission Webhook Created or Modified production
Splunk Linux Auditd Unix Shell Configuration Modification production
Splunk Linux File Creation In Profile Directory production
Splunk Linux Possible Append Command To Profile Config File production
Sigma MacOS Emond Launch Daemon test
Kusto Mimecast Secure Email Gateway - Internal Email Protect available
Kusto Mimecast Secure Email Gateway - Internal Email Protect
Kusto Modification of Accessibility Features
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Mofcomp Activity production
Sigma MSSQL Extended Stored Procedure Backdoor Maggie test
Elastic Netsh Helper DLL production
Sigma Netsh helper DLL abuse (process) experimental
Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic NetworkManager Dispatcher Script Creation production
Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
Sigma New DLL Added to AppCertDlls Registry Key test
Sigma New DLL Added to AppInit_DLLs Registry Key test
Sigma New Netsh Helper DLL Registered From A Suspicious Location test
Sigma New Outlook Macro Created test
Sigma Outlook Macro Execution Without Warning Setting Enabled test
Splunk Overwriting Accessibility Binaries production
Sigma Path To Screensaver Binary Modified test
Elastic Persistence via Folder Action Script production
Elastic Persistence via PowerShell profile production
Sigma Persistence Via Sticky Key Backdoor test
Elastic Persistence via WMI Event Subscription production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Application Shimming via Sdbinst production
Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
Elastic Potential Modification of Accessibility Binaries production
Sigma Potential Persistence Using DebugPath test
Sigma Potential Persistence Via App Paths Default Property test
Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
Elastic Potential Persistence via Atom Init Script Modification production
Elastic Potential Persistence via File Modification production
Sigma Potential Persistence Via GlobalFlags test
Sigma Potential Persistence Via Netsh Helper DLL test
Sigma Potential Persistence Via Netsh Helper DLL - Registry test
Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
Sigma Potential Persistence Via PowerShell User Profile Using Add-Content test
Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
Sigma Potential Persistence Via Shim Database In Uncommon Location test
Sigma Potential Persistence Via Shim Database Modification test
Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
Sigma Potential PSFactoryBuffer COM Hijacking test
Elastic Potential release_agent Container Escape Detected via Defend for Containers production
Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
Elastic Potential RemoteMonologue Attack production
Sigma Potential Shim Database Persistence via Sdbinst.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential Suspicious File Edit production
Splunk Powershell COM Hijacking InprocServer32 Modification production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell Execute COM Object production
Sigma PowerShell Profile Modification test
Sigma Powershell WMI Persistence test
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Splunk Registry Keys for Creating SHIM Databases production
Splunk Registry Keys Used For Privilege Escalation production
Sigma Registry Modification of MS-settings Protocol Handler test
Elastic Registry Persistence via AppCert DLL production
Kusto Registry Persistence via AppCert DLL Modification available
Elastic Registry Persistence via AppInit DLL production
Kusto Registry Persistence via AppInit DLLs Modification available
Elastic RPM Package Installed by Unusual Parent Process production
Kusto Rubrik Threat Monitoring available
Sigma Rundll32 Registered COM Objects test
Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
Splunk Screensaver Event Trigger Execution production
Elastic Screensaver Plist File Modified by Unexpected Process production
Sigma Session Manager Autorun Keys Modification test
Elastic Shell Configuration Creation production
Sigma Shell Open Registry Keys Manipulation test
Splunk Shim Database File Creation production
Splunk Shim Database Installation With Suspicious Parameters production
Sigma SOURGUM Actor Behaviours test
Sigma Stickey key called CMD via command execution experimental
Sigma Stickey key called CMD via command execution (hash detection) experimental
Sigma Stickey key IFEO (Reg via command) experimental
Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
Sigma Sticky key file created from CMD copy experimental
Sigma Sticky Key Like Backdoor Execution test
Sigma Sticky Key Like Backdoor Usage - Registry test
Sigma Sticky key sethc command for replacement by CMD experimental
Sigma Sticky key sethc file failed replacement experimental
Kusto SUNBURST and SUPERNOVA backdoor hashes available
Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
Kusto SUNBURST network beacons available
Elastic Suspicious Apple Mail Rule Plist Modification production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious Calendar File Modification production
Sigma Suspicious Debugger Registration Cmdline test
Splunk Suspicious DLLhost Execution (EDR)
Splunk Suspicious DLLhost Execution (PowerShell)
Splunk Suspicious DLLhost Execution (Windows Event Log)
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Emond Child Process production
Sigma Suspicious Encoded Scripts in a WMI Consumer test
Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
Elastic Suspicious File Creation via Pkg Install Script production
Sigma Suspicious Get-Variable.exe Creation test
Sigma Suspicious GetTypeFromCLSID ShellExecute test
Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
Sigma Suspicious Outlook Macro Created test
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Sigma Suspicious ScreenSave Change by Reg.exe test
Sigma Suspicious Screensaver Binary File Creation test
Sigma Suspicious Shell Open Command Registry Modification experimental
Sigma Suspicious Shim Database Patching Activity test
Elastic Suspicious WerFault Child Process production
Elastic Suspicious WMI Event Subscription Created production
Sigma System crash behavior manipulation - WMImplant (registry) experimental
Elastic Systemd Generator Created production
Elastic Systemd-udevd Rule File Creation production
Elastic Trap Signals Execution production
Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test
Elastic Uncommon Registry Persistence Change production
Elastic Unexpected Child Process of macOS Screensaver Engine production
Sigma Unix Shell Configuration Modification test
Elastic Unusual DPKG Execution production
Elastic Unusual Process Modifying GenAI Configuration File production
Elastic Unusual SSHD Child Process production
Kusto Vectra Create Detection Alert for Accounts available
Kusto Vectra Create Detection Alert for Hosts available
Kusto Vectra Create Incident Based on Priority for Accounts available
Kusto Vectra Create Incident Based on Priority for Hosts available
Kusto Vectra Create Incident Based on Tag for Accounts available
Kusto Vectra Create Incident Based on Tag for Hosts available
Sigma VsCode Powershell Profile Modification test
Elastic Werfault ReflectDebugger Persistence production
Splunk Windows AD AdminSDHolder ACL Modified production
Splunk Windows AppCertDLL Modification Via Command Line production
Splunk Windows Change File Association Command To Notepad production
Splunk Windows COM Hijacking InprocServer32 Modification production
Splunk Windows Compatibility Telemetry Suspicious Child Process production
Splunk Windows Compatibility Telemetry Tampering Through Registry production
Splunk Windows Event Triggered Image File Execution Options Injection production
Splunk Windows MOF Event Triggered Execution via WMI production
Splunk Windows New Default File Association Value Set production
Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
Sigma WMI Backdoor Exchange Transport Agent test
Sigma WMI Event Subscription test
Splunk WMI Permanent Event Subscription - Sysmon production
Sigma WMI Persistence test
Sigma WMI Persistence - Command Line Event Consumer test
Sigma WMI Persistence - Script Event Consumer test
Sigma WMI Persistence - Script Event Consumer File Write test
Sigma WMI Persistence - Security test
Sigma WMI registration experimental
Sigma WMI registration (PowerShell) experimental
Splunk WMI subscription execution (Sysmon)
Splunk WMI subscription execution (Windows Event Log)
Sigma Writing Local Admin Share test
Elastic Yum Package Manager Plugin File Creation production
Kusto Zinc Actor IOCs files - October 2022 available

Event Triggered Execution: Change Default File Association T1546.001 7 rules

Sigma Change Default File Association To Executable Via Assoc test
Sigma Change Default File Association Via Assoc test
Sigma Registry Modification of MS-settings Protocol Handler test
Sigma Shell Open Registry Keys Manipulation test
Sigma Suspicious Shell Open Command Registry Modification experimental
Splunk Windows Change File Association Command To Notepad production
Splunk Windows New Default File Association Value Set production

Event Triggered Execution: Screensaver T1546.002 8 rules

Sigma Path To Screensaver Binary Modified test
Splunk Screensaver Event Trigger Execution production
Elastic Screensaver Plist File Modified by Unexpected Process production
Sigma Suspicious ScreenSave Change by Reg.exe test
Sigma Suspicious Screensaver Binary File Creation test
Elastic Uncommon Registry Persistence Change production
Elastic Unexpected Child Process of macOS Screensaver Engine production
Sigma Writing Local Admin Share test

Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 23 rules

Splunk Detect WMI Event Subscription Persistence production
Elastic Mofcomp Activity production
Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
Elastic Persistence via WMI Event Subscription production
Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
Sigma Powershell WMI Persistence test
Sigma Suspicious Encoded Scripts in a WMI Consumer test
Elastic Suspicious WMI Event Subscription Created production
Sigma System crash behavior manipulation - WMImplant (registry) experimental
Splunk Windows MOF Event Triggered Execution via WMI production
Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
Sigma WMI Backdoor Exchange Transport Agent test
Sigma WMI Event Subscription test
Splunk WMI Permanent Event Subscription - Sysmon production
Sigma WMI Persistence test
Sigma WMI Persistence - Command Line Event Consumer test
Sigma WMI Persistence - Script Event Consumer test
Sigma WMI Persistence - Script Event Consumer File Write test
Sigma WMI Persistence - Security test
Sigma WMI registration experimental
Sigma WMI registration (PowerShell) experimental
Splunk WMI subscription execution (Sysmon)
Splunk WMI subscription execution (Windows Event Log)

Event Triggered Execution: Unix Shell Configuration Modification T1546.004 14 rules

Elastic Bash Shell Profile Modification production
Elastic Curl Execution via Shell Profile production
Splunk Linux Auditd Unix Shell Configuration Modification production
Splunk Linux File Creation In Profile Directory production
Splunk Linux Possible Append Command To Profile Config File production
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production
Elastic Potential Suspicious File Edit production
Elastic Shell Configuration Creation production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Sigma Unix Shell Configuration Modification test
Elastic Unusual SSHD Child Process production

Event Triggered Execution: Trap T1546.005 1 rule

Elastic Trap Signals Execution production

Event Triggered Execution: Netsh Helper DLL T1546.007 7 rules

Elastic Netsh Helper DLL production
Sigma Netsh helper DLL abuse (process) experimental
Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
Sigma New Netsh Helper DLL Registered From A Suspicious Location test
Sigma Potential Persistence Via Netsh Helper DLL test
Sigma Potential Persistence Via Netsh Helper DLL - Registry test
Sigma Potential Suspicious Activity Using SeCEdit test

Event Triggered Execution: Accessibility Features T1546.008 22 rules

Splunk Command Line Utility Added to Accessibility Features (PowerShell)
Splunk Command Line Utility Added to Accessibility Features (Sysmon)
Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
Kusto Modification of Accessibility Features
Splunk Overwriting Accessibility Binaries production
Sigma Persistence Via Sticky Key Backdoor test
Elastic Potential Modification of Accessibility Binaries production
Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
Sigma Potential Suspicious Activity Using SeCEdit test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Stickey key called CMD via command execution experimental
Sigma Stickey key called CMD via command execution (hash detection) experimental
Sigma Stickey key IFEO (Reg via command) experimental
Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
Sigma Sticky key file created from CMD copy experimental
Sigma Sticky Key Like Backdoor Execution test
Sigma Sticky Key Like Backdoor Usage - Registry test
Sigma Sticky key sethc command for replacement by CMD experimental
Sigma Sticky key sethc file failed replacement experimental
Sigma Suspicious Debugger Registration Cmdline test
Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)

Event Triggered Execution: AppCert DLLs T1546.009 5 rules

Sigma New DLL Added to AppCertDlls Registry Key test
Elastic Registry Persistence via AppCert DLL production
Kusto Registry Persistence via AppCert DLL Modification available
Sigma Session Manager Autorun Keys Modification test
Splunk Windows AppCertDLL Modification Via Command Line production

Event Triggered Execution: AppInit DLLs T1546.010 3 rules

Sigma New DLL Added to AppInit_DLLs Registry Key test
Elastic Registry Persistence via AppInit DLL production
Kusto Registry Persistence via AppInit DLLs Modification available

Event Triggered Execution: Application Shimming T1546.011 11 rules

Elastic Installation of Custom Shim Databases production
Elastic Potential Application Shimming via Sdbinst production
Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
Sigma Potential Persistence Via Shim Database In Uncommon Location test
Sigma Potential Persistence Via Shim Database Modification test
Sigma Potential Shim Database Persistence via Sdbinst.EXE test
Splunk Registry Keys for Creating SHIM Databases production
Splunk Shim Database File Creation production
Splunk Shim Database Installation With Suspicious Parameters production
Sigma Suspicious Shim Database Patching Activity test
Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test

Event Triggered Execution: Image File Execution Options Injection T1546.012 10 rules

Elastic Image File Execution Options Injection production
Sigma Potential Persistence Via App Paths Default Property test
Sigma Potential Persistence Via GlobalFlags test
Splunk Registry Keys Used For Privilege Escalation production
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Elastic Suspicious WerFault Child Process production
Elastic Uncommon Registry Persistence Change production
Elastic Werfault ReflectDebugger Persistence production
Splunk Windows Event Triggered Image File Execution Options Injection production

Event Triggered Execution: PowerShell Profile T1546.013 4 rules

Elastic Persistence via PowerShell profile production
Sigma Potential Persistence Via PowerShell User Profile Using Add-Content test
Sigma PowerShell Profile Modification test
Sigma VsCode Powershell Profile Modification test

Event Triggered Execution: Emond T1546.014 3 rules

Elastic Emond Rules Creation or Modification production
Sigma MacOS Emond Launch Daemon test
Elastic Suspicious Emond Child Process production

Event Triggered Execution: Component Object Model Hijacking T1546.015 22 rules

Sigma COM Hijacking via TreatAs test
Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
Elastic Component Object Model Hijacking production
Kusto Component Object Model Hijacking - Vault7 trick available
Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
Sigma Potential Persistence Using DebugPath test
Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
Sigma Potential PSFactoryBuffer COM Hijacking test
Elastic Potential RemoteMonologue Attack production
Splunk Powershell COM Hijacking InprocServer32 Modification production
Splunk Powershell Execute COM Object production
Sigma Rundll32 Registered COM Objects test
Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
Sigma SOURGUM Actor Behaviours test
Splunk Suspicious DLLhost Execution (EDR)
Splunk Suspicious DLLhost Execution (PowerShell)
Splunk Suspicious DLLhost Execution (Windows Event Log)
Sigma Suspicious GetTypeFromCLSID ShellExecute test
Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
Splunk Windows COM Hijacking InprocServer32 Modification production

Event Triggered Execution: Installer Packages T1546.016 9 rules

Elastic APT Package Manager Configuration File Creation production
Elastic DNF Package Manager Plugin File Creation production
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic RPM Package Installed by Unusual Parent Process production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious File Creation via Pkg Install Script production
Elastic Unusual DPKG Execution production
Elastic Yum Package Manager Plugin File Creation production

Event Triggered Execution: Udev Rules T1546.017 3 rules

Elastic Executable Bit Set for Potential Persistence Script production
Elastic Potential Persistence via File Modification production
Elastic Systemd-udevd Rule File Creation production

Event Triggered Execution: Python Startup Hooks T1546.018 2 rules

Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production

Boot or Logon Autostart Execution T1547 201 rules

Splunk Active Setup Registry Autostart production
Splunk Add DLL_EXE Registry Value (Sysmon)
Sigma Add Port Monitor Persistence in Registry test
Splunk Additional dll added to Spool Driver (Sysmon)
Splunk Additional dll added to Spool Driver (Windows Event Log)
Sigma Atbroker Registry Change test
Elastic Attempt to Unload Elastic Endpoint Security Kernel Extension production
Elastic Authorization Plugin Modification production
Elastic BPF Program or Map Load via bpftool production
Sigma Bypass UAC Using Event Viewer test
Sigma Classes Autorun Keys Modification test
Sigma Common Autorun Keys Modification test
Sigma Creation Exe for Service with Unquoted Path test
Elastic Creation of Hidden Login Item via Apple Script production
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Sigma CurrentControlSet Autorun Keys Modification test
YARA-L CurrentControlSet Autorun Keys Modification
Sigma CurrentVersion Autorun Keys Modification test
YARA-L CurrentVersion Autorun Keys Modification
Sigma CurrentVersion NT Autorun Keys Modification test
Sigma Default RDP Port Changed to Non Standard Port test
YARA-L Default RDP Port Changed to Non Standard Port
Sigma Desktop.INI Created by Uncommon Process test
Kusto Detect Print Processors Registry Driver Key Creation/Modification available
Kusto Detect Registry Run Key Creation/Modification available
Sigma Direct Autorun Keys Modification test
YARA-L Direct Autorun Keys Modification
Sigma DLL Load via LSASS test
Elastic Executable Bit Set for Potential Persistence Script production
Splunk Execution from Startup Folder (Sysmon)
Splunk Execution from Startup Folder (Windows Event Log)
Elastic Execution of Persistent Suspicious Program production
Sigma File Creation In Suspicious Directory By Msdt.EXE test
Splunk File Written to Startup Folder - Windows (Sysmon)
Splunk File Written to Startup Folder - Windows (Windows Event Log)
Elastic First Time Seen Driver Loaded production
Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
Kusto Imminent Ransomware available
Elastic Installation of Security Support Provider production
Sigma Internet Explorer Autorun Keys Modification test
Sigma Kapeka Backdoor Autorun Persistence test
Elastic KDE AutoStart Script or Desktop File Creation production
Elastic Kernel Driver Load production
Elastic Kernel Driver Load by non-root User production
Sigma Kernel Extension Loaded from Temporary Directory experimental
Elastic Kernel Load or Unload via Kexec Detected production
Elastic Kernel Module Load from Unusual Location production
Elastic Kernel Module Load via Built-in Utility production
Elastic Kernel Module Removal production
Elastic Kernel Object File Creation production
Elastic Lateral Movement via Startup Folder production
Sigma Leviathan Registry Key Activity test
Splunk Linux Auditd Insert Kernel Module Using Insmod Utility production
Splunk Linux Auditd Install Kernel Module Using Modprobe Utility production
Splunk Linux Auditd Kernel Module Using Rmmod Utility production
Splunk Linux Auditd Unload Module Via Modprobe production
Splunk Linux File Created In Kernel Driver Directory production
Splunk Linux Insert Kernel Module Using Insmod Utility production
Splunk Linux Install Kernel Module Using Modprobe Utility production
Elastic Loadable Kernel Module Configuration File Creation production
Sigma Loading of Kernel Module via Insmod test
Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
Sigma macOS Configuration Profile Installation experimental
Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript
Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
Elastic Mimikatz Memssp Log File Detected production
Sigma MITRE BZAR Indicators for Persistence test
Sigma Modify User Shell Folders Startup Value test
YARA-L Modify User Shell Folders Startup Value
Splunk Monitor Registry Keys for Print Monitors production
Sigma Narrator's Feedback-Hub Persistence test
Elastic Network Connections Initiated Through XDG Autostart Entry production
Splunk New AutoRun Registry Key (PowerShell)
Sigma New Custom Shim Database Created test
Sigma New RUN Key Pointing to Suspicious Folder experimental
YARA-L New RUN Key Pointing to Suspicious Folder
Sigma New TimeProviders Registered With Uncommon DLL Name test
Sigma NTFS hard link creation experimental
Sigma NTFS symbolic link configuration change experimental
Sigma NTFS symbolic link creation experimental
Sigma Office Autorun Keys Modification test
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via a Windows Installer production
Elastic Persistence via DirectoryService Plugin Modification production
Elastic Persistence via Docker Shortcut Modification production
Elastic Persistence via Hidden Run Key Detected production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production
Elastic Persistence via WMI Standard Registry Provider production
Elastic Persistent Scripts in the Startup Directory production
Elastic Pod or Container Creation with Suspicious Command-Line production
Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
Elastic Potential LSA Authentication Package Abuse production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
Elastic Potential Persistence via File Modification production
Elastic Potential Persistence via Login Hook production
Elastic Potential Persistence via Mandatory User Profile production
Elastic Potential Persistence via Time Provider Modification production
Elastic Potential Port Monitor or Print Processor Registration Abuse production
Elastic Potential PowerShell HackTool Script by Function Names production
Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
Elastic Potential REMCOS Trojan Execution production
Sigma Potential RipZip Attack on Startup Folder test
Sigma Potential Ryuk Ransomware Activity stable
Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
YARA-L Potential Suspicious Activity Using SeCEdit
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Print Processor Registry Autostart production
Splunk Print Spooler Adding A Printer Driver production
Splunk Print Spooler Failed to Load a Plug-in production
Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
Splunk Registry Keys Used For Persistence production
Sigma Registry Persistence Mechanisms in Recycle Bin test
Sigma Registry Persistence via Explorer Run Key test
Kusto Registry Run Keys - Suspicious Registry Run Keys
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Security package (SSP) added (Reg via command) experimental
Sigma Security package (SSP) loaded into LSA (native) experimental
Sigma Security Support Provider (SSP) Added to LSA Configuration test
Sigma Session Manager Autorun Keys Modification test
YARA-L Session Manager Autorun Keys Modification
Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
Elastic Shortcut File Written or Modified on Startup Folder production building block
Splunk Spoolsv Spawning Rundll32 production
Splunk Spoolsv Suspicious Loaded Modules production
Splunk Spoolsv Writing a DLL production
Splunk Spoolsv Writing a DLL - Sysmon production
Sigma Startup Folder File Write test
Splunk Startup Folder Location Modified - Windows (PowerShell)
Splunk Startup Folder Location Modified - Windows (Sysmon)
Splunk Startup Folder Location Modified - Windows (Windows Event Log)
Elastic Startup Folder Persistence via Unsigned Process production
Elastic Startup or Run Key Registry Modification production
Elastic Startup Persistence by a Suspicious Process production
Sigma Startup/Logon Script Added to Group Policy Object test
Elastic Startup/Logon Script added to Group Policy Object production
Sigma Suspicious Autorun Registry Modified via WMI experimental
Sigma Suspicious Driver Install by pnputil.exe test
Elastic Suspicious File Creation via Kworker production
Sigma Suspicious GrpConv Execution test
Elastic Suspicious Modprobe File Event production building block
Elastic Suspicious Module Loaded by LSASS production
Sigma Suspicious PowerShell In Registry Run Keys test
YARA-L Suspicious Powershell In Registry Run Keys
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Sigma Suspicious Run Key from Download test
Sigma Suspicious Startup Folder Persistence test
Elastic Suspicious Startup Shell Folder Modification production
Elastic Suspicious Usage of bpf_probe_write_user Helper production
Sigma Suspicious VBScript UN2452 Pattern test
Splunk Symbolic OR Hard File Link Created (PowerShell)
Splunk Symbolic OR Hard File Link Created (Windows Event Log)
Sigma System Scripts Autorun Keys Modification test
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Elastic Tainted Kernel Module Load production
Elastic Tainted Out-Of-Tree Kernel Module Load production
Splunk Time Provider Persistence Registry production
Elastic Uncommon Registry Persistence Change production
Sigma Unsigned Kernel Extension Load Attempt experimental
Splunk Unusual winlogon.exe Child Process (Sysmon)
Splunk Unusual winlogon.exe Child Process (Windows Event Log)
Sigma User Shell Folders Registry Modification via CommandLine experimental
Sigma VBScript Payload Stored in Registry test
Splunk Windows Audit Policy Auditing Option Modified - Registry production
Splunk Windows Autostart Execution LSASS Driver Registry Modification production
Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
Sigma Windows Event Log Access Tampering Via Registry experimental
Sigma Windows Network Access Suspicious desktop.ini Action test
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows PowerShell MSIX Package Installation production
Splunk Windows Registry BootExecute Modification production
Splunk Windows Registry Modification for Safe Mode Persistence production
Splunk Windows Security Support Provider Reg Query production
Splunk Windows Snake Malware Kernel Driver Comadmin production
Splunk Windows Snake Malware Service Create production
Sigma Windows Terminal Profile Settings Modification By Uncommon Process test
Splunk Windows Unsigned MS DLL Side-Loading production
Sigma WINEKEY Registry Modification test
Sigma Winlogon Helper DLL test
Sigma Winlogon Notify Key Logon Persistence test
Splunk WinLogon Registry Key Modified (PowerShell)
Splunk WinLogon Registry Key Modified (Sysmon)
Sigma WinRAR Creating Files in Startup Locations experimental
Sigma WinSock2 Autorun Keys Modification test
Sigma Wow6432Node Classes Autorun Keys Modification test
Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 87 rules

Splunk Add DLL_EXE Registry Value (Sysmon)
Sigma Classes Autorun Keys Modification test
Sigma Common Autorun Keys Modification test
Sigma CurrentControlSet Autorun Keys Modification test
YARA-L CurrentControlSet Autorun Keys Modification
Sigma CurrentVersion Autorun Keys Modification test
YARA-L CurrentVersion Autorun Keys Modification
Sigma CurrentVersion NT Autorun Keys Modification test
Sigma Direct Autorun Keys Modification test
YARA-L Direct Autorun Keys Modification
Splunk Execution from Startup Folder (Sysmon)
Splunk Execution from Startup Folder (Windows Event Log)
Elastic Execution of Persistent Suspicious Program production
Sigma File Creation In Suspicious Directory By Msdt.EXE test
Splunk File Written to Startup Folder - Windows (Sysmon)
Splunk File Written to Startup Folder - Windows (Windows Event Log)
Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
Sigma Internet Explorer Autorun Keys Modification test
Sigma Kapeka Backdoor Autorun Persistence test
Elastic Lateral Movement via Startup Folder production
Sigma Leviathan Registry Key Activity test
Sigma Modify User Shell Folders Startup Value test
YARA-L Modify User Shell Folders Startup Value
Sigma Narrator's Feedback-Hub Persistence test
Splunk New AutoRun Registry Key (PowerShell)
Sigma New RUN Key Pointing to Suspicious Folder experimental
YARA-L New RUN Key Pointing to Suspicious Folder
Sigma Office Autorun Keys Modification test
Elastic Persistence via a Windows Installer production
Elastic Persistence via Hidden Run Key Detected production
Elastic Persistence via WMI Standard Registry Provider production
Elastic Persistent Scripts in the Startup Directory production
Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
Elastic Potential Persistence via Mandatory User Profile production
Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
Elastic Potential REMCOS Trojan Execution production
Sigma Potential Ryuk Ransomware Activity stable
Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
YARA-L Potential Suspicious Activity Using SeCEdit
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Registry Keys Used For Persistence production
Sigma Registry Persistence via Explorer Run Key test
Kusto Registry Run Keys - Suspicious Registry Run Keys
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Session Manager Autorun Keys Modification test
YARA-L Session Manager Autorun Keys Modification
Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
Elastic Shortcut File Written or Modified on Startup Folder production building block
Sigma Startup Folder File Write test
Splunk Startup Folder Location Modified - Windows (PowerShell)
Splunk Startup Folder Location Modified - Windows (Sysmon)
Splunk Startup Folder Location Modified - Windows (Windows Event Log)
Elastic Startup Folder Persistence via Unsigned Process production
Elastic Startup or Run Key Registry Modification production
Elastic Startup Persistence by a Suspicious Process production
Sigma Suspicious Autorun Registry Modified via WMI experimental
Sigma Suspicious PowerShell In Registry Run Keys test
YARA-L Suspicious Powershell In Registry Run Keys
Splunk Suspicious Registry Key Created (PowerShell)
Splunk Suspicious Registry Key Created (Windows Event Log)
Sigma Suspicious Run Key from Download test
Sigma Suspicious Startup Folder Persistence test
Elastic Suspicious Startup Shell Folder Modification production
Sigma Suspicious VBScript UN2452 Pattern test
Sigma System Scripts Autorun Keys Modification test
Elastic Uncommon Registry Persistence Change production
Sigma User Shell Folders Registry Modification via CommandLine experimental
Sigma VBScript Payload Stored in Registry test
Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
Sigma Windows Event Log Access Tampering Via Registry experimental
Splunk Windows NorthStar C2 Agent Execution production
Splunk Windows PowerShell MSIX Package Installation production
Splunk Windows Registry BootExecute Modification production
Splunk Windows Registry Modification for Safe Mode Persistence production
Sigma WinRAR Creating Files in Startup Locations experimental
Sigma WinSock2 Autorun Keys Modification test
Sigma Wow6432Node Classes Autorun Keys Modification test
Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test

Boot or Logon Autostart Execution: Authentication Package T1547.002 8 rules

Elastic Authorization Plugin Modification production
Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
Elastic Potential LSA Authentication Package Abuse production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Suspicious Activity Using SeCEdit test

Boot or Logon Autostart Execution: Time Providers T1547.003 3 rules

Sigma New TimeProviders Registered With Uncommon DLL Name test
Elastic Potential Persistence via Time Provider Modification production
Splunk Time Provider Persistence Registry production

Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 8 rules

Sigma MITRE BZAR Indicators for Persistence test
Elastic Persistence via WMI Standard Registry Provider production
Splunk Unusual winlogon.exe Child Process (Sysmon)
Splunk Unusual winlogon.exe Child Process (Windows Event Log)
Sigma Winlogon Helper DLL test
Sigma Winlogon Notify Key Logon Persistence test
Splunk WinLogon Registry Key Modified (PowerShell)
Splunk WinLogon Registry Key Modified (Sysmon)

Boot or Logon Autostart Execution: Security Support Provider T1547.005 7 rules

Elastic Installation of Security Support Provider production
Elastic Mimikatz Memssp Log File Detected production
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Security Support Provider (SSP) Added to LSA Configuration test
Elastic Suspicious Module Loaded by LSASS production
Splunk Windows Security Support Provider Reg Query production

Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 28 rules

Elastic Attempt to Unload Elastic Endpoint Security Kernel Extension production
Elastic BPF Program or Map Load via bpftool production
Elastic First Time Seen Driver Loaded production
Elastic Kernel Driver Load production
Elastic Kernel Driver Load by non-root User production
Sigma Kernel Extension Loaded from Temporary Directory experimental
Elastic Kernel Load or Unload via Kexec Detected production
Elastic Kernel Module Load from Unusual Location production
Elastic Kernel Module Load via Built-in Utility production
Elastic Kernel Module Removal production
Elastic Kernel Object File Creation production
Splunk Linux Auditd Insert Kernel Module Using Insmod Utility production
Splunk Linux Auditd Install Kernel Module Using Modprobe Utility production
Splunk Linux Auditd Kernel Module Using Rmmod Utility production
Splunk Linux Auditd Unload Module Via Modprobe production
Splunk Linux File Created In Kernel Driver Directory production
Splunk Linux Insert Kernel Module Using Insmod Utility production
Splunk Linux Install Kernel Module Using Modprobe Utility production
Elastic Loadable Kernel Module Configuration File Creation production
Sigma Loading of Kernel Module via Insmod test
Elastic Potential Persistence via File Modification production
Elastic Suspicious Modprobe File Event production building block
Elastic Suspicious Usage of bpf_probe_write_user Helper production
Elastic Tainted Kernel Module Load production
Elastic Tainted Out-Of-Tree Kernel Module Load production
Sigma Unsigned Kernel Extension Load Attempt experimental
Splunk Windows Snake Malware Kernel Driver Comadmin production
Splunk Windows Snake Malware Service Create production

Boot or Logon Autostart Execution: LSASS Driver T1547.008 4 rules

Sigma DLL Load via LSASS test
Sigma Security package (SSP) added (Reg via command) experimental
Sigma Security package (SSP) loaded into LSA (native) experimental
Splunk Windows Autostart Execution LSASS Driver Registry Modification production

Boot or Logon Autostart Execution: Shortcut Modification T1547.009 13 rules

Sigma Creation Exe for Service with Unquoted Path test
Sigma Desktop.INI Created by Uncommon Process test
Sigma New Custom Shim Database Created test
Sigma NTFS hard link creation experimental
Sigma NTFS symbolic link configuration change experimental
Sigma NTFS symbolic link creation experimental
Elastic Persistence via Docker Shortcut Modification production
Elastic Persistent Scripts in the Startup Directory production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Shortcut File Written or Modified on Startup Folder production building block
Splunk Symbolic OR Hard File Link Created (PowerShell)
Splunk Symbolic OR Hard File Link Created (Windows Event Log)
Sigma Windows Network Access Suspicious desktop.ini Action test

Boot or Logon Autostart Execution: Port Monitors T1547.010 11 rules

Sigma Add Port Monitor Persistence in Registry test
Sigma Bypass UAC Using Event Viewer test
Sigma Default RDP Port Changed to Non Standard Port test
YARA-L Default RDP Port Changed to Non Standard Port
Splunk Monitor Registry Keys for Print Monitors production
Elastic Potential Port Monitor or Print Processor Registration Abuse production
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental

Boot or Logon Autostart Execution: Plist Modification T1547.011 3 rules

Panther CrowdStrike MacOS plutil Novel Plist Modification (Anomaly Detection) Experimental
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Suspicious Launch Agent or Launch Daemon production

Boot or Logon Autostart Execution: Print Processors T1547.012 8 rules

Elastic Potential Port Monitor or Print Processor Registration Abuse production
Splunk Print Processor Registry Autostart production
Splunk Print Spooler Adding A Printer Driver production
Splunk Print Spooler Failed to Load a Plug-in production
Splunk Spoolsv Spawning Rundll32 production
Splunk Spoolsv Suspicious Loaded Modules production
Splunk Spoolsv Writing a DLL production
Splunk Spoolsv Writing a DLL - Sysmon production

Boot or Logon Autostart Execution: XDG Autostart Entries T1547.013 5 rules

Elastic Executable Bit Set for Potential Persistence Script production
Elastic KDE AutoStart Script or Desktop File Creation production
Elastic Network Connections Initiated Through XDG Autostart Entry production
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Persistence via File Modification production

Boot or Logon Autostart Execution: Active Setup T1547.014 4 rules

Splunk Active Setup Registry Autostart production
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Uncommon Registry Persistence Change production
Splunk Windows Audit Policy Auditing Option Modified - Registry production

Boot or Logon Autostart Execution: Login Items T1547.015 2 rules

Elastic Creation of Hidden Login Item via Apple Script production
Sigma Windows Terminal Profile Settings Modification By Uncommon Process test

Abuse Elevation Control Mechanism T1548 311 rules

Sigma Abused Debug Privilege by Arbitrary Parent Processes test
Kusto AFD WAF - Code Injection available
Kusto AFD WAF - Path Traversal Attack available
Splunk Allow Operation with Consent Admin production
Sigma Always Install Elevated MSI Spawned Cmd And Powershell test
Sigma Always Install Elevated Windows Installer test
Kusto App Gateway WAF - Scanner Detection available
Kusto App GW WAF - Code Injection available
Kusto App GW WAF - Path Traversal Attack available
Elastic Apple Scripting Execution with Administrator Privileges production
Panther AppOmni Alert Passthrough
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS IAM Customer Managed Policy Version Created or Default Version Set production
Elastic AWS IAM Customer-Managed Policy Attached to Role by Rare User production
Elastic AWS KMS Key Policy Updated via PutKeyPolicy production
Sigma AWS STS AssumeRole Misuse test
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetFederationToken with AdministratorAccess in Request production
Panther AWS STS GetSessionToken by IAM User Experimental
Sigma AWS STS GetSessionToken Misuse test
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by Service production
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Suspicious SAML Activity test
Panther Box Large Number of Permission Changes
Kusto BTP - Cloud Integration access policy tampering available
Sigma Bypass UAC Using DelegateExecute test
Sigma Bypass UAC Using SilentCleanup Task test
Sigma Bypass UAC via CMSTP test
Elastic Bypass UAC via Event Viewer production
Sigma Bypass UAC via Fodhelper.exe test
Sigma Bypass UAC via WSReset.exe test
Sigma CA Policy Removed by Non Approved Actor test
Sigma CA Policy Updated by Non Approved Actor test
Kusto CiscoISE - Command executed with the highest privileges from new IP available
Kusto CiscoISE - Command executed with the highest privileges by new user available
Sigma CMSTP UAC Bypass via COM Object Access stable
Sigma COM Hijack via Sdclt test
Splunk ComputerDefaults UAC Bypass (PowerShell)
Splunk ComputerDefaults UAC Bypass (Sysmon)
Splunk ComputerDefaults UAC Bypass (Windows Event Log)
Splunk ConsentPromptBehaviorAdmin Registry Value Modified (PowerShell)
Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon)
Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Windows Event Log)
Sigma Credential Dumping Attempt Via Svchost test
Kusto Critical Risks available
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Kusto Dataverse - Bulk record ownership re-assignment or sharing available
Kusto Dataverse - Hierarchy security manipulation available
Kusto Dataverse - Suspicious security role modifications available
Elastic Deprecated - Sudo Heap-Based Buffer Overflow Attempt production
Kusto Detect PIM elevation with user risk
Kusto Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
Splunk Disable UAC Remote Restriction production
Splunk Disabling Remote User Account Control production
Elastic Disabling User Account Control via Registry Modification production
Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available
Splunk EnableLUA Registry Value Modified (PowerShell)
Splunk EnableLUA Registry Value Modified (Sysmon)
Splunk EnableLUA Registry Value Modified (Windows Event Log)
Elastic Entra ID Actor Token User Impersonation Abuse production
Splunk Eventvwr UAC Bypass production
Elastic Execution via Electron Child Process Node.js Module production
Elastic Execution with Explicit Credentials via Scripting production
Sigma Explorer NOUACCHECK Flag test
Elastic File Execution Permission Modification Detected via Defend for Containers production
Splunk FodHelper UAC Bypass production
Elastic Full Disk Access Permission Check production
Sigma Function Call From Undocumented COM Interface EditionUpgradeManager test
Sigma GCP Break-glass Container Workload Deployed test
Panther GCP Cloud Run Service Created FOLLOWED BY Set IAM Policy
Panther GCP CloudBuild Potential Privilege Escalation
Panther GCP cloudfunctions functions create
Panther GCP cloudfunctions functions update
Panther GCP compute.instances.create Privilege Escalation
Panther GCP IAM serviceAccounts getAccessToken Privilege Escalation
Panther GCP IAM serviceAccounts signBlob
Panther GCP IAM serviceAccounts.signJwt Privilege Escalation
Panther GCP K8S Privileged Pod Created Deprecated
Panther GCP Privilege Escalation via TagBinding
Panther GCP serviceusage.apiKeys.create Privilege Escalation
Panther GCP storage hmac keys create
Panther GCP.Iam.ServiceAccountKeys.Create
Panther GCP.Privilege.Escalation.By.Deployments.Create
Sigma HackTool - Empire PowerShell UAC Bypass stable
Sigma HackTool - UACMe Akagi Execution test
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Sigma High risk event - grant Management APIs scopes experimental
Panther IAM Assume Role Blocklist Ignored
Panther IAM Policy Modified
Kusto Illusive Incidents Analytic Rule available
Splunk Indirect Command Execution (Sysmon)
Splunk Indirect Command Execution (Windows Event Log)
Splunk Linux APT Privilege Escalation production
Splunk Linux Auditd Doas Conf File Creation production
Splunk Linux Auditd Doas Tool Execution production
Splunk Linux Auditd Nopasswd Entry In Sudoers File production
Splunk Linux Auditd Possible Access To Sudoers File production
Splunk Linux Auditd Setuid Using Chmod Utility production
Splunk Linux Auditd Setuid Using Setcap Utility production
Splunk Linux Auditd Sudo Or Su Execution production
Splunk Linux AWK Privilege Escalation production
Splunk Linux Busybox Privilege Escalation production
Splunk Linux c89 Privilege Escalation production
Splunk Linux c99 Privilege Escalation production
Sigma Linux Capabilities Discovery test
Splunk Linux Common Process For Elevation Control production
Splunk Linux Composer Privilege Escalation production
Splunk Linux Cpulimit Privilege Escalation production
Splunk Linux Csvtool Privilege Escalation production
Sigma Linux Doas Conf File Creation stable
Splunk Linux Doas Conf File Creation production
Sigma Linux Doas Tool Execution stable
Splunk Linux Doas Tool Execution production
Splunk Linux Emacs Privilege Escalation production
Splunk Linux Find Privilege Escalation production
Splunk Linux GDB Privilege Escalation production
Splunk Linux Gem Privilege Escalation production
Splunk Linux GNU Awk Privilege Escalation production
Splunk Linux Make Privilege Escalation production
Splunk Linux MySQL Privilege Escalation production
Splunk Linux Node Privilege Escalation production
Splunk Linux NOPASSWD Entry In Sudoers File production
Splunk Linux Octave Privilege Escalation production
Splunk Linux OpenVPN Privilege Escalation production
Splunk Linux Persistence and Privilege Escalation Risk Behavior production
Splunk Linux PHP Privilege Escalation production
Splunk Linux Possible Access To Sudoers File production
Splunk Linux Puppet Privilege Escalation production
Splunk Linux RPM Privilege Escalation production
Splunk Linux Ruby Privilege Escalation production
Sigma Linux Setgid Capability Set on a Binary via Setcap Utility experimental
Sigma Linux Setuid Capability Set on a Binary via Setcap Utility experimental
Splunk Linux Setuid Using Chmod Utility production
Splunk Linux Setuid Using Setcap Utility production
Splunk Linux Sqlite3 Privilege Escalation production
Splunk Linux Sudo OR Su Execution production
Splunk Linux Sudoers Tmp File Creation production
Splunk Linux Telnet Authentication Bypass production
Splunk Linux Visudo Utility Execution production
Elastic Local Account TokenFilter Policy Disabled production
Sigma macOS Multiple Failed Sudo Attempts experimental
Sigma macOS Setuid/Setgid Privilege Escalation experimental
Sigma macOS Sudo Privilege Escalation Attempts experimental
Sigma macOS TCC Privacy Bypass Attempt experimental
Splunk Mock System Directory - Windows (Sysmon)
Splunk Mock System Directory - Windows (Windows Event Log)
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Splunk NET Profiler UAC bypass production
Sigma New CA Policy by Non-approved Actor test
Kusto Pathlock TDnR - Authorization Check Value Changes (SU24) available
Kusto Pathlock TDnR - Authorization Profile Changes available
Kusto Pathlock TDnR - Authorization Role Changes available
Kusto Pathlock TDnR - Database Cockpit Audit Events available
Kusto Pathlock TDnR - Dynamic Access Control Events available
Kusto Pathlock TDnR - Emergency User (AdminTrack) Activity available
Kusto Pathlock TDnR - GRC Access Control Change Documents available
Kusto Pathlock TDnR - SAP Authorization Changes available
Kusto Pathlock TDnR - SU24 Table USOBT_C Changes available
Kusto Pathlock TDnR - SU24 Table USOBX_C Changes available
Kusto Pathlock TDnR - Switchable Authorization Design Changes available
Kusto Pathlock TDnR - Switchable Authorization Runtime Changes available
Kusto Pathlock TDnR - User Authorization Buffer Manipulation available
Kusto Pathlock TDnR - User Master Data Changes available
Kusto Pathlock TDnR - User-Profile Assignment Changes available
Kusto Pathlock TDnR - User-Role Assignment Changes available
Sigma Persistence Via Sudoers.d Files test
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket production
Elastic Potential CVE-2025-32463 Sudo Chroot Execution Attempt production
Elastic Potential Defense Evasion via Doas production
Sigma Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 experimental
Kusto Potential Fodhelper UAC Bypass available
Kusto Potential Fodhelper UAC Bypass (ASIM Version)
Splunk Potential fodhelper UAC Bypass Attempt (PowerShell)
Splunk Potential fodhelper UAC Bypass Attempt (Sysmon)
Splunk Potential fodhelper UAC Bypass Attempt (Windows Event Log)
Elastic Potential Persistence via File Modification production
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential Privacy Control Bypass via Localhost Secure Copy production
Elastic Potential Privacy Control Bypass via TCCDB Modification production
Elastic Potential Privilege Escalation via CVE-2023-4911 production
Elastic Potential Privilege Escalation via Enlightenment production
Sigma Potential Privilege Escalation via Local Kerberos Relay over LDAP test
Elastic Potential Privilege Escalation via Python cap_setuid production
Elastic Potential Privilege Escalation via Recently Compiled Executable production
Elastic Potential Privilege Escalation via Sudoers File Modification production
Elastic Potential Privilege Escalation via SUID/SGID production
Elastic Potential Privilege Escalation via SUID/SGID Proxy Execution production
Elastic Potential Privilege Escalation via unshare and UID Change production
Elastic Potential Root Effective Shell from Non-Standard Path via Auditd production
Elastic Potential Sudo Hijacking production
Elastic Potential Sudo Privilege Escalation via CVE-2019-14287 production
Elastic Potential Sudo Token Manipulation via Process Injection production
Elastic Potential Suspicious File Edit production
Sigma Potential UAC Bypass Via Sdclt.EXE test
Sigma Potentially Suspicious Event Viewer Child Process test
Kusto Power Platform - Account added to privileged Microsoft Entra roles available
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Web Access Feature Enabled Via DISM test
Elastic Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
Elastic Privilege Escalation via CAP_SETUID/SETGID Capabilities production
Elastic Privilege Escalation via GDB CAP_SYS_PTRACE production
Elastic Privilege Escalation via SUID/SGID production
Elastic Process Capability Set via setcap Utility production
Splunk PromptOnSecureDesktop Registry Value Modified (PowerShell)
Splunk PromptOnSecureDesktop Registry Value Modified (Sysmon)
Splunk PromptOnSecureDesktop Registry Value Modified (Windows Event Log)
Sigma PwnKit Local Privilege Escalation test
Sigma Regedit as Trusted Installer test
Sigma Registry Modification of MS-settings Protocol Handler test
Sigma SCM Database Privileged Operation test
Sigma Sdclt Child Processes test
Splunk Sdclt UAC Bypass production
Kusto Semperis DSP RBAC Changes available
Splunk Services Escalate Exe production
Elastic Setcap setuid/setgid Capability Set production
Sigma Setuid and Setgid test
Sigma Shell Open Registry Keys Manipulation test
Splunk SilentCleanup UAC Bypass production
Kusto Silverfort - NoPacBreach Incident
Splunk SLUI RunAs Elevated production
Splunk SLUI Spawning a Process production
Elastic Spike in Privileged Command Execution by a User production
Elastic Sudo Command Enumeration Detected production
Sigma Sudo Privilege Escalation CVE-2019-14287 test
Sigma Sudo Privilege Escalation CVE-2019-14287 - Builtin test
Elastic Sudoers File Activity production
Elastic SUID/SGID Bit Set production
Elastic SUID/SGUID Enumeration Detected production
Splunk Suspicious ComputerDefaults.exe Execution (Sysmon)
Splunk Suspicious ComputerDefaults.exe Execution (Windows Event Log)
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious File Made Executable via Chmod Inside A Container production
Kusto Suspicious granting of permissions to an account available
Sigma Suspicious Shell Open Command Registry Modification experimental
Elastic Suspicious SUID Binary Execution production
Elastic Suspicious SUID Binary Execution (Auditd Sequence) production
Elastic Suspicious Symbolic Link Created production
Elastic Suspicious TCC Access Granted for User Folders production
Elastic System Binary Path File Permission Modification production
Kusto Threats detected by Eset available
Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
Sigma TrustedPath UAC Bypass Pattern test
Sigma UAC Bypass Abusing Winsat Path Parsing - File test
Sigma UAC Bypass Abusing Winsat Path Parsing - Process test
Sigma UAC Bypass Abusing Winsat Path Parsing - Registry test
Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
Elastic UAC Bypass Attempt via Privileged IFileOperation COM Interface production
Elastic UAC Bypass Attempt via Windows Directory Masquerading production
Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
Splunk UAC Bypass MMC Load Unsigned Dll production
Sigma UAC Bypass Tools Using ComputerDefaults test
Sigma UAC Bypass Using .NET Code Profiler on MMC test
Sigma UAC Bypass Using ChangePK and SLUI test
Sigma UAC Bypass Using Consent and Comctl32 - File test
Sigma UAC Bypass Using Consent and Comctl32 - Process test
Sigma UAC Bypass Using Disk Cleanup test
Sigma UAC Bypass Using DismHost test
Sigma UAC Bypass Using IDiagnostic Profile test
Sigma UAC Bypass Using IDiagnostic Profile - File test
Sigma UAC Bypass Using IEInstal - File test
Sigma UAC Bypass Using IEInstal - Process test
Sigma UAC Bypass Using Iscsicpl - ImageLoad test
Sigma UAC Bypass Using MSConfig Token Modification - File test
Sigma UAC Bypass Using MSConfig Token Modification - Process test
Sigma UAC Bypass Using NTFS Reparse Point - File test
Sigma UAC Bypass Using NTFS Reparse Point - Process test
Sigma UAC Bypass Using PkgMgr and DISM test
Sigma UAC Bypass Using Windows Media Player - File test
Sigma UAC Bypass Using Windows Media Player - Process test
Sigma UAC Bypass Using Windows Media Player - Registry test
Sigma UAC Bypass Using WOW64 Logger DLL Hijack test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma UAC Bypass via Event Viewer test
Sigma UAC Bypass via ICMLuaUtil test
Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
Sigma UAC Bypass via Sdclt test
Sigma UAC Bypass via Windows Firewall Snap-In Hijack test
Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
Sigma UAC Bypass Via Wsreset test
Sigma UAC Bypass With Fake DLL test
Sigma UAC Bypass WSReset test
Sigma UAC Disabled stable
Sigma UAC Notification Disabled test
Sigma UAC Secure Desktop Prompt Disabled test
Elastic UID Elevation from Previously Unknown Executable production
Elastic Unusual Pkexec Execution production
Elastic Unusual Process Detected for Privileged Commands by a User production
Elastic Unusual Sudo Activity production
Sigma User Added To Group With CA Policy Modification Access test
Sigma User Removed From Group With CA Policy Modification Access test
Kusto Vulerabilities available
Sigma Vulnerable Netlogon Secure Channel Connection Allowed test
Splunk Windows Bypass UAC via Pkgmgr Tool production
Splunk Windows ComputerDefaults Spawning a Process production
Splunk Windows DISM Install PowerShell Web Access production
Splunk Windows Mock Trusted Directory MSC File Creation production
Splunk Windows Privilege Escalation Suspicious Process Elevation production
Splunk Windows Privilege Escalation System Process Without System Parent production
Splunk Windows Privilege Escalation User Process Spawn System Process production
Splunk Windows UAC Bypass Suspicious Child Process production
Splunk Windows UAC Bypass Suspicious Escalation Behavior production
Splunk WSReset UAC Bypass production

Abuse Elevation Control Mechanism: Setuid and Setgid T1548.001 28 rules

Elastic File Execution Permission Modification Detected via Defend for Containers production
Splunk Linux Auditd Setuid Using Chmod Utility production
Splunk Linux Auditd Setuid Using Setcap Utility production
Splunk Linux Common Process For Elevation Control production
Splunk Linux Setuid Using Chmod Utility production
Splunk Linux Setuid Using Setcap Utility production
Sigma macOS Setuid/Setgid Privilege Escalation experimental
Elastic Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket production
Elastic Potential Privilege Escalation via CVE-2023-4911 production
Elastic Potential Privilege Escalation via Enlightenment production
Elastic Potential Privilege Escalation via Python cap_setuid production
Elastic Potential Privilege Escalation via Recently Compiled Executable production
Elastic Potential Privilege Escalation via SUID/SGID production
Elastic Potential Privilege Escalation via SUID/SGID Proxy Execution production
Elastic Potential Root Effective Shell from Non-Standard Path via Auditd production
Elastic Privilege Escalation via CAP_SETUID/SETGID Capabilities production
Elastic Privilege Escalation via SUID/SGID production
Sigma PwnKit Local Privilege Escalation test
Elastic Setcap setuid/setgid Capability Set production
Sigma Setuid and Setgid test
Elastic SUID/SGID Bit Set production
Elastic SUID/SGUID Enumeration Detected production
Elastic Suspicious File Made Executable via Chmod Inside A Container production
Elastic Suspicious SUID Binary Execution production
Elastic Suspicious SUID Binary Execution (Auditd Sequence) production
Elastic System Binary Path File Permission Modification production
Elastic UID Elevation from Previously Unknown Executable production
Elastic Unusual Pkexec Execution production

Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 106 rules

Sigma Always Install Elevated MSI Spawned Cmd And Powershell test
Sigma Always Install Elevated Windows Installer test
Sigma Bypass UAC Using DelegateExecute test
Sigma Bypass UAC Using SilentCleanup Task test
Sigma Bypass UAC via CMSTP test
Elastic Bypass UAC via Event Viewer production
Sigma Bypass UAC via Fodhelper.exe test
Sigma Bypass UAC via WSReset.exe test
Sigma CMSTP UAC Bypass via COM Object Access stable
Splunk ComputerDefaults UAC Bypass (PowerShell)
Splunk ComputerDefaults UAC Bypass (Sysmon)
Splunk ComputerDefaults UAC Bypass (Windows Event Log)
Splunk ConsentPromptBehaviorAdmin Registry Value Modified (PowerShell)
Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon)
Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Windows Event Log)
Splunk Disable UAC Remote Restriction production
Splunk Disabling Remote User Account Control production
Elastic Disabling User Account Control via Registry Modification production
Splunk EnableLUA Registry Value Modified (PowerShell)
Splunk EnableLUA Registry Value Modified (Sysmon)
Splunk EnableLUA Registry Value Modified (Windows Event Log)
Splunk Eventvwr UAC Bypass production
Sigma Explorer NOUACCHECK Flag test
Splunk FodHelper UAC Bypass production
Sigma Function Call From Undocumented COM Interface EditionUpgradeManager test
Sigma HackTool - Empire PowerShell UAC Bypass stable
Sigma HackTool - UACMe Akagi Execution test
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Elastic Local Account TokenFilter Policy Disabled production
Splunk Mock System Directory - Windows (Sysmon)
Splunk Mock System Directory - Windows (Windows Event Log)
Splunk NET Profiler UAC bypass production
Kusto Potential Fodhelper UAC Bypass available
Kusto Potential Fodhelper UAC Bypass (ASIM Version)
Splunk Potential fodhelper UAC Bypass Attempt (PowerShell)
Splunk Potential fodhelper UAC Bypass Attempt (Sysmon)
Splunk Potential fodhelper UAC Bypass Attempt (Windows Event Log)
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential UAC Bypass Via Sdclt.EXE test
Sigma Potentially Suspicious Event Viewer Child Process test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Web Access Feature Enabled Via DISM test
Splunk PromptOnSecureDesktop Registry Value Modified (PowerShell)
Splunk PromptOnSecureDesktop Registry Value Modified (Sysmon)
Splunk PromptOnSecureDesktop Registry Value Modified (Windows Event Log)
Sigma Registry Modification of MS-settings Protocol Handler test
Sigma Sdclt Child Processes test
Splunk Sdclt UAC Bypass production
Sigma Shell Open Registry Keys Manipulation test
Splunk SilentCleanup UAC Bypass production
Splunk SLUI RunAs Elevated production
Splunk SLUI Spawning a Process production
Splunk Suspicious ComputerDefaults.exe Execution (Sysmon)
Splunk Suspicious ComputerDefaults.exe Execution (Windows Event Log)
Sigma Suspicious Shell Open Command Registry Modification experimental
Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
Sigma TrustedPath UAC Bypass Pattern test
Sigma UAC Bypass Abusing Winsat Path Parsing - File test
Sigma UAC Bypass Abusing Winsat Path Parsing - Process test
Sigma UAC Bypass Abusing Winsat Path Parsing - Registry test
Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
Elastic UAC Bypass Attempt via Privileged IFileOperation COM Interface production
Elastic UAC Bypass Attempt via Windows Directory Masquerading production
Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
Splunk UAC Bypass MMC Load Unsigned Dll production
Sigma UAC Bypass Tools Using ComputerDefaults test
Sigma UAC Bypass Using .NET Code Profiler on MMC test
Sigma UAC Bypass Using ChangePK and SLUI test
Sigma UAC Bypass Using Consent and Comctl32 - File test
Sigma UAC Bypass Using Consent and Comctl32 - Process test
Sigma UAC Bypass Using Disk Cleanup test
Sigma UAC Bypass Using DismHost test
Sigma UAC Bypass Using IDiagnostic Profile test
Sigma UAC Bypass Using IDiagnostic Profile - File test
Sigma UAC Bypass Using IEInstal - File test
Sigma UAC Bypass Using IEInstal - Process test
Sigma UAC Bypass Using Iscsicpl - ImageLoad test
Sigma UAC Bypass Using MSConfig Token Modification - File test
Sigma UAC Bypass Using MSConfig Token Modification - Process test
Sigma UAC Bypass Using NTFS Reparse Point - File test
Sigma UAC Bypass Using NTFS Reparse Point - Process test
Sigma UAC Bypass Using PkgMgr and DISM test
Sigma UAC Bypass Using Windows Media Player - File test
Sigma UAC Bypass Using Windows Media Player - Process test
Sigma UAC Bypass Using Windows Media Player - Registry test
Sigma UAC Bypass Using WOW64 Logger DLL Hijack test
Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
Sigma UAC Bypass via Event Viewer test
Sigma UAC Bypass via ICMLuaUtil test
Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
Sigma UAC Bypass via Sdclt test
Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
Sigma UAC Bypass Via Wsreset test
Sigma UAC Bypass With Fake DLL test
Sigma UAC Bypass WSReset test
Sigma UAC Disabled stable
Sigma UAC Notification Disabled test
Sigma UAC Secure Desktop Prompt Disabled test
Splunk Windows Bypass UAC via Pkgmgr Tool production
Splunk Windows ComputerDefaults Spawning a Process production
Splunk Windows DISM Install PowerShell Web Access production
Splunk Windows Mock Trusted Directory MSC File Creation production
Splunk Windows UAC Bypass Suspicious Child Process production
Splunk Windows UAC Bypass Suspicious Escalation Behavior production
Splunk WSReset UAC Bypass production

Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 58 rules

Elastic Deprecated - Sudo Heap-Based Buffer Overflow Attempt production
Panther Kubernetes Privileged Pod Created
Splunk Linux APT Privilege Escalation production
Splunk Linux Auditd Doas Conf File Creation production
Splunk Linux Auditd Doas Tool Execution production
Splunk Linux Auditd Nopasswd Entry In Sudoers File production
Splunk Linux Auditd Possible Access To Sudoers File production
Splunk Linux Auditd Sudo Or Su Execution production
Splunk Linux AWK Privilege Escalation production
Splunk Linux Busybox Privilege Escalation production
Splunk Linux c89 Privilege Escalation production
Splunk Linux c99 Privilege Escalation production
Splunk Linux Composer Privilege Escalation production
Splunk Linux Cpulimit Privilege Escalation production
Splunk Linux Csvtool Privilege Escalation production
Splunk Linux Doas Conf File Creation production
Splunk Linux Doas Tool Execution production
Splunk Linux Emacs Privilege Escalation production
Splunk Linux Find Privilege Escalation production
Splunk Linux GDB Privilege Escalation production
Splunk Linux Gem Privilege Escalation production
Splunk Linux GNU Awk Privilege Escalation production
Splunk Linux Make Privilege Escalation production
Splunk Linux MySQL Privilege Escalation production
Splunk Linux Node Privilege Escalation production
Splunk Linux NOPASSWD Entry In Sudoers File production
Splunk Linux Octave Privilege Escalation production
Splunk Linux OpenVPN Privilege Escalation production
Splunk Linux PHP Privilege Escalation production
Splunk Linux Possible Access To Sudoers File production
Splunk Linux Puppet Privilege Escalation production
Splunk Linux RPM Privilege Escalation production
Splunk Linux Ruby Privilege Escalation production
Splunk Linux Sqlite3 Privilege Escalation production
Splunk Linux Sudo OR Su Execution production
Splunk Linux Sudoers Tmp File Creation production
Splunk Linux Visudo Utility Execution production
Sigma macOS Multiple Failed Sudo Attempts experimental
Sigma macOS Sudo Privilege Escalation Attempts experimental
Elastic Modification of Persistence Relevant Files Detected via Defend for Containers production
Sigma Persistence Via Sudoers.d Files test
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential CVE-2025-32463 Sudo Chroot Execution Attempt production
Elastic Potential Defense Evasion via Doas production
Elastic Potential Persistence via File Modification production
Elastic Potential Privilege Escalation via Sudoers File Modification production
Elastic Potential Privilege Escalation via SUID/SGID production
Elastic Potential Sudo Hijacking production
Elastic Potential Sudo Privilege Escalation via CVE-2019-14287 production
Elastic Potential Sudo Token Manipulation via Process Injection production
Elastic Potential Suspicious File Edit production
Elastic Sudo Command Enumeration Detected production
Sigma Sudo Privilege Escalation CVE-2019-14287 test
Sigma Sudo Privilege Escalation CVE-2019-14287 - Builtin test
Elastic Sudoers File Activity production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious SUID Binary Execution production
Elastic Suspicious SUID Binary Execution (Auditd Sequence) production

Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1548.004 2 rules

Elastic Apple Scripting Execution with Administrator Privileges production
Elastic Execution with Explicit Credentials via Scripting production

Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access T1548.005 7 rules

Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS IAM Customer Managed Policy Version Created or Default Version Set production
Elastic AWS IAM Customer-Managed Policy Attached to Role by Rare User production
Elastic AWS KMS Key Policy Updated via PutKeyPolicy production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetFederationToken with AdministratorAccess in Request production
Elastic AWS STS Role Assumption by Service production

Abuse Elevation Control Mechanism: TCC Manipulation T1548.006 3 rules

Elastic Full Disk Access Permission Check production
Elastic Potential Privacy Control Bypass via TCCDB Modification production
Elastic Suspicious TCC Access Granted for User Folders production

Escape to Host T1611 51 rules

Elastic Chroot Execution Detected via Defend for Containers production
Elastic Chroot Execution in Container Context on Linux production
Splunk Cisco IOS XE Guestshell Activation and Destroy production
Splunk Cisco Isovalent - Potential Escape to Host production
Elastic Container Runtime CLI Execution with Suspicious Arguments production
Sigma Container With A hostPath Mount Created test
Elastic DebugFS Execution Detected via Defend for Containers production
Elastic Docker Release File Creation production
Elastic Egress Connection from Entrypoint in Container production
Elastic File System Debugger Launched Inside a Container production
Panther GCP K8s Pod Attached To Node Host Network Deprecated
Panther GCP K8S Pod Create Or Modify Host Path Volume Mount Deprecated
Panther GCP K8s Pod Using Host PID Namespace Deprecated
Elastic Kernel Load or Unload via Kexec Detected production
Elastic Kubernetes API Server Proxying Request to Kubelet production
Elastic Kubernetes Container Created with Excessive Linux Capabilities production
Elastic Kubernetes Ephemeral Container Added to Pod production
Panther Kubernetes Pod Attached To Host Network
Panther Kubernetes Pod Created in System Namespace Experimental
Elastic Kubernetes Pod Created with a Sensitive hostPath Volume production
Elastic Kubernetes Pod Created With HostIPC production
Elastic Kubernetes Pod Created With HostNetwork production
Elastic Kubernetes Pod Created With HostPID production
Panther Kubernetes Pod Using Host IPC Namespace
Panther Kubernetes Pod Using Host PID Namespace
Panther Kubernetes Pod with Dangerous Linux Capabilities
Panther Kubernetes Pod With HostPath Volume Mount
Elastic Kubernetes Privileged Pod Created production
Splunk Linux Docker Root Directory Mount production
Elastic Mount Execution Detected via Defend for Containers production
Elastic Mount Launched Inside a Container production
Elastic Namespace Manipulation Using Unshare production
Elastic Namespace Manipulation Using Unshare in a Container production
Elastic Nsenter Execution with Target Flag Inside Container production
Elastic Nsenter to PID Namespace via Auditd production
Kusto Oracle suspicious command execution available
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential Chroot Container Escape via Mount production
Elastic Potential Docker Escape via Nsenter production
Elastic Potential notify_on_release Container Escape Detected via Defend for Containers production
Elastic Potential Privilege Escalation in Container via Runc Init production
Elastic Potential Privilege Escalation through Writable Docker Socket production
Elastic Potential Privilege Escalation via Container Misconfiguration production
Elastic Potential release_agent Container Escape Detected via Defend for Containers production
Elastic Privileged Container Creation with Host Directory Mount production
Sigma Privileged Container Deployed test
Elastic Privileged Docker Container Creation production
Kusto SQL Server spawning suspicious child process
Elastic Suspicious Container Runtime CLI Execution production
Elastic Unusual Process Connection to Docker or Containerd Socket production
Panther Upwind Runtime Detection Passthrough Experimental

No specific technique 48 rules

Sigma ADCS Certificate Template Configuration Vulnerability test
Sigma ADCS Certificate Template Configuration Vulnerability with Risky EKU test
Sigma AWS Glue Development Endpoint Activity test
Sigma AWS New Lambda Layer Attached test
Sigma Certificate Use With No Strong Mapping test
Sigma CodeIntegrity - Blocked Image Load With Revoked Certificate test
Sigma CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked test
Sigma CodeIntegrity - Revoked Image Loaded test
Sigma CodeIntegrity - Revoked Kernel Driver Loaded test
Sigma CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module test
Sigma CodeIntegrity - Unsigned Image Loaded test
Sigma CodeIntegrity - Unsigned Kernel Module Loaded test
Sigma DiagTrackEoP Default Login Username test
Sigma Exploitation Indicators Of CVE-2023-20198 test
Sigma FortiGate - User Group Modified experimental
YARA-L Google Cloud identity low and medium alert escalation
Sigma Google Cloud Kubernetes CronJob test
Sigma HackTool - DiagTrackEoP Default Named Pipe test
Sigma HackTool - LocalPotato Execution test
Sigma Kubernetes CronJob/Job Modification test
Sigma Kubernetes Rolebinding Modification test
Sigma Kubernetes Unauthorized or Unauthenticated Access test
Sigma LiveKD Driver Creation test
Sigma LiveKD Driver Creation By Uncommon Process test
Sigma LiveKD Kernel Memory Dump File Created test
Sigma macOS UL Sudo Command Execution experimental
Sigma New AWS Lambda Function URL Configuration Created experimental
Panther Notion Teamspace Owner Added
Sigma Potential CVE-2023-21554 QueueJumper Exploitation test
Sigma Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection test
Sigma Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966 test
Sigma Potential Persistence Via Security Descriptors - ScriptBlock test
Sigma Potential Privilege Escalation Attempt Via .Exe.Local Technique test
Kusto Radiflow - Platform Alert available
Sigma Role Assignment Created test
Kusto SAP LogServ - HANA DB - Assign Admin Authorizations available
Kusto SAP LogServ - HANA DB - User Admin actions available
Sigma Shell Process Spawned by Java.EXE test
Sigma Standard User In High Privileged Group test
Sigma Suspicious Child Process Of Veeam Dabatase test
Sigma Suspicious Processes Spawned by Java.EXE test
Sigma Suspicious RunAs-Like Flag Combination test
Sigma Suspicious Shells Spawn by Java Utility Keytool test
Sigma Triple Cross eBPF Rootkit Execve Hijack test
Sigma UAC Bypass Using Event Viewer RecentViews test
Sigma UAC Bypass Using EventVwr test
Sigma User Added To Root/Sudoers Group Using Usermod test
Sigma Windows Kernel Debugger Execution test

Stealth

Direct Volume Access T1006 8 rules

Elastic DebugFS Execution Detected via Defend for Containers production
Elastic File System Debugger Launched Inside a Container production
Elastic NTDS Dump via Wbadmin production
Sigma Potential Defense Evasion Via Raw Disk Access By Uncommon Tools test
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic PowerShell Invoke-NinjaCopy script production
Elastic Symbolic Link to Shadow Copy Created production
Elastic TCC Bypass via Mounted APFS Snapshot Access production

Rootkit T1014 30 rules

Elastic BPF Program or Map Load via bpftool production
Elastic BPF Program Tampering via bpftool production
Elastic Kernel Driver Load production
Elastic Kernel Driver Load by non-root User production
Elastic Kernel Instrumentation Discovery via kprobes and tracefs production
Elastic Kernel Load or Unload via Kexec Detected production
Elastic Kernel Module Load from Unusual Location production
Elastic Kernel Module Load via Built-in Utility production
Elastic Kernel Object File Creation production
Elastic Kernel Seeking Activity production
Elastic Kernel Unpacking Activity production
Splunk Linux Auditd Kernel Module Enumeration production
Splunk Linux Kernel Module Enumeration production
Splunk Linux Medusa Rootkit production
Elastic Loadable Kernel Module Configuration File Creation production
Elastic Network Activity Detected via Kworker production
Panther OSSEC Rootkit Detected via Osquery
Elastic Potential Persistence via File Modification production
Elastic Suspicious File Creation via Kworker production
Sigma Suspicious Kernel Extension Names experimental
Elastic Suspicious Kworker UID Elevation production
Elastic Suspicious Usage of bpf_probe_write_user Helper production
Elastic Tainted Kernel Module Load production
Elastic Tainted Out-Of-Tree Kernel Module Load production
Sigma Triple Cross eBPF Rootkit Install Commands test
Elastic UID Elevation from Previously Unknown Executable production
Elastic Unusual Execution from Kernel Thread (kthreadd) Parent production
Elastic Unusual Kill Signal production
Splunk Windows Driver Load Non-Standard Path production
Splunk Windows Drivers Loaded by Signature production

Obfuscated Files or Information T1027 242 rules

Elastic Base16 or Base32 Encoding/Decoding Activity production
Elastic Base64 Decoded Payload Piped to Interpreter production
Sigma Base64 Encoded PowerShell Command Detected test
Kusto Base64 encoded Windows process command-lines available
Kusto Base64 encoded Windows process command-lines (Normalized Process Events)
Elastic Binary Content Copy via Cmd.exe production building block
Sigma Binary Padding - Linux test
Sigma Binary Padding - MacOS test
Sigma Certificate Exported Via Certutil.EXE test
Splunk Certutil Execution (Sysmon)
Splunk Certutil Execution (Windows Event Log)
Splunk Certutil File Download (PowerShell)
Splunk Certutil File Download (Sysmon)
Splunk Certutil File Download (Windows Event Log)
Splunk Certutil Obfuscate_Encode Files (EDR)
Splunk Certutil Obfuscate_Encode Files (PowerShell)
Splunk Certutil Obfuscate_Encode Files (Sysmon)
Splunk Certutil Obfuscate_Encode Files (Windows Event Log)
Kusto Cisco Cloud Security - Windows PowerShell User-Agent Detected available
Splunk Cisco Secure Firewall - Lumma Stealer Activity production
Splunk Cisco Secure Firewall - Repeated Malware Downloads production
Splunk Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts production
Splunk Command Line Homoglyphs - Windows (PowerShell)
Splunk Command Line Homoglyphs - Windows (Sysmon)
Splunk Command Line Homoglyphs - Windows (Windows Event Log)
Elastic Command Line Obfuscation via Whitespace Padding production
Elastic Command Obfuscation via Unicode Modifier Letters production
Splunk Compressed File Execution (Windows Event Log)
Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine test
Splunk CSC Execution (EDR)
Splunk CSC Execution (Windows Event Log)
Splunk CSC Net On The Fly Compilation production
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Splunk Curl Execution with Percent Encoded URL production
Elastic Data Encrypted via OpenSSL Utility production
Sigma Decode Base64 Encoded Text test
Sigma Decode Base64 Encoded Text -MacOs test
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Elastic Deprecated - Encoded Executable Stored in the Registry production
Elastic Deprecated - Potential PowerShell Obfuscated Script production
Splunk DLL Concatenation (PowerShell)
Splunk DLL Concatenation (Sysmon)
Splunk DLL Concatenation (Windows Event Log)
Sigma Dynamic .NET Compilation Via Csc.EXE test
Sigma Dynamic .NET Compilation Via Csc.EXE - Hunting test
Sigma Dynamic CSharp Compile Artefact test
Elastic Dynamic IEX Reconstruction via Method String Access production
Elastic Encoded Payload Detected via Defend for Containers production
Splunk Encoded Powershell Command (PowerShell)
Splunk Encoded Powershell Command (Sysmon)
Splunk Encoded Powershell Command (Windows Event Log)
Sigma Encoded PowerShell payload deployed (PowerShell) experimental
Sigma Encoded PowerShell payload deployed via process execution experimental
Sigma Encoded PowerShell payload deployed via service experimental
Sigma Failed Code Integrity Checks stable
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Sigma File Decoded From Base64/Hex Via Certutil.EXE test
Sigma File Encoded To Base64 Via Certutil.EXE test
Sigma File In Suspicious Location Encoded To Base64 Via Certutil.EXE test
Sigma Findstr Launching .lnk File test
Elastic GenAI Process Compiling or Generating Executables production
Elastic GenAI Process Performing Encoding/Chunking Prior to Network Activity production
Panther GitHub Workflow Downloading Artifacts
Sigma HackTool - CrackMapExec PowerShell Obfuscation test
Elastic High Command Line Entropy Detected for Privileged Commands production
Splunk Impacket atexec.py Execution (PowerShell)
Splunk Impacket atexec.py Execution (Sysmon)
Splunk Impacket atexec.py Execution (Windows Event Log)
Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
Splunk Impacket atexec.py Temp File Creation (Sysmon)
Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
Kusto Ingress Tool Transfer - Certutil available
Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Invoke-Obfuscation CLIP+ Launcher test
Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell test
Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation CLIP+ Launcher - Security test
Sigma Invoke-Obfuscation CLIP+ Launcher - System test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security test
Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - Security test
Sigma Invoke-Obfuscation Obfuscated IEX Invocation - System test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security test
Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System test
Sigma Invoke-Obfuscation STDIN+ Launcher test
Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell test
Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation STDIN+ Launcher - Security test
Sigma Invoke-Obfuscation STDIN+ Launcher - System test
Sigma Invoke-Obfuscation VAR+ Launcher test
Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell test
Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module test
Sigma Invoke-Obfuscation VAR+ Launcher - Security test
Sigma Invoke-Obfuscation VAR+ Launcher - System test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test
Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test
Sigma Invoke-Obfuscation Via Stdin test
Sigma Invoke-Obfuscation Via Stdin - Powershell test
Sigma Invoke-Obfuscation Via Stdin - PowerShell Module test
Sigma Invoke-Obfuscation Via Stdin - Security test
Sigma Invoke-Obfuscation Via Stdin - System test
Sigma Invoke-Obfuscation Via Use Clip test
Sigma Invoke-Obfuscation Via Use Clip - Powershell test
Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module test
Sigma Invoke-Obfuscation Via Use Clip - Security test
Sigma Invoke-Obfuscation Via Use Clip - System test
Sigma Invoke-Obfuscation Via Use MSHTA test
Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell test
Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module test
Sigma Invoke-Obfuscation Via Use MSHTA - Security test
Sigma Invoke-Obfuscation Via Use MSHTA - System test
Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell test
Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test
Sigma Invoke-Obfuscation Via Use Rundll32 - Security test
Sigma Invoke-Obfuscation Via Use Rundll32 - System test
Splunk Linux Decode Base64 to Shell production
Splunk Linux Obfuscated Files or Information Base64 Decode production
Elastic Long Base64 Encoded Command via Scripting Interpreter production
Splunk Malicious PowerShell Process - Encoded Command production
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Kusto NRT Base64 Encoded Windows Process Command-lines available
Kusto NRT Process executed from binary hidden in Base64 encoded file available
Sigma Obfuscated payload transfered via service name - Tchopper (command) experimental
Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
Splunk Obfuscated Powershell Techniques (PowerShell)
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Sigma Password Protected ZIP File Opened test
Sigma Password Protected ZIP File Opened (Email Attachment) test
Sigma Password Protected ZIP File Opened (Suspicious Filenames) test
Sigma Ping Hex IP test
Elastic Potential Antimalware Scan Interface Bypass via PowerShell production
Sigma Potential Application Whitelisting Bypass via Dnx.EXE test
Sigma Potential CommandLine Obfuscation Using Unicode Characters test
Sigma Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image test
Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
Sigma Potential Emotet Activity stable
Sigma Potential Encoded PowerShell Patterns In CommandLine test
Elastic Potential Hex Payload Execution via Command-Line production
Elastic Potential Hex Payload Execution via Common Utility production
Sigma Potential Obfuscated Ordinal Call Via Rundll32 test
Sigma Potential PowerShell Command Line Obfuscation test
Elastic Potential PowerShell Obfuscated Script via High Entropy production
Sigma Potential PowerShell Obfuscation Using Alias Cmdlets test
Sigma Potential PowerShell Obfuscation Using Character Join test
Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
Elastic Potential PowerShell Obfuscation via High Special Character Proportion production building block
Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
Elastic Potential PowerShell Obfuscation via Reverse Keywords production
Sigma Potential PowerShell Obfuscation Via Reversed Commands test
Elastic Potential PowerShell Obfuscation via Special Character Overuse production
Elastic Potential PowerShell Obfuscation via String Concatenation production
Elastic Potential PowerShell Obfuscation via String Reordering production
Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR test
Sigma Potential Secure Deletion with SDelete test
Sigma Potential Suspicious Execution From GUID Like Folder Names test
Sigma Potential Winnti Dropper Activity test
Sigma Potentially Suspicious Long Filename Pattern - Linux experimental
Sigma PowerShell Base64 Encoded Invoke Keyword test
Sigma PowerShell Base64 Encoded Reflective Assembly Load test
Sigma PowerShell Base64 Encoded WMI Classes test
Splunk PowerShell CreateDecryptor (PowerShell)
Splunk PowerShell CreateDecryptor (Sysmon)
Splunk PowerShell CreateDecryptor (Windows Event Log)
Splunk Powershell Creating Thread Mutex production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell Enable SMB1Protocol Feature production
Splunk Powershell Fileless Script Contains Base64 Encoded Content production
Elastic PowerShell Obfuscation via Negative Index String Reversal production
Elastic PowerShell Script with Encryption/Decryption Capabilities production
Elastic PowerShell Suspicious Payload Encoded and Compressed production
Sigma Powershell Token Obfuscation - Powershell test
Sigma Powershell Token Obfuscation - Process Creation test
Splunk PowerShell WebRequest Using Memory Stream production
Kusto Process Creation with Suspicious CommandLine Arguments available
Kusto Process executed from binary hidden in Base64 encoded file available
Sigma PUA - DefenderCheck Execution test
Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
Sigma Python Image Load By Non-Python Process test
Sigma Python One-Liners with Base64 Decoding experimental
Sigma Python One-Liners with Base64 Decoding - Linux experimental
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Sigma Renamed AutoIt Execution test
Elastic ROT Encoded Python Script Execution production
Sigma Steganography Extract Files with Steghide test
Sigma Steganography Hide Files with Steghide test
Sigma Steganography Hide Zip Information in Picture File test
Sigma Steganography Unzip Hidden Information From Picture File test
Elastic Suspicious .NET Code Compilation production
Elastic Suspicious Content Extracted or Decompressed via Funzip production
Splunk Suspicious csc.exe Source File Folder (Sysmon)
Splunk Suspicious csc.exe Source File Folder (Windows Event Log)
Sigma Suspicious Download Via Certutil.EXE test
YARA-L Suspicious Download Via Certutil.EXE
Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test
Elastic Suspicious Execution with NodeJS production
Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
Sigma Suspicious File Downloaded From Direct IP Via Certutil.EXE test
Sigma Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE test
YARA-L Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Sigma Suspicious File Encoded To Base64 Via Certutil.EXE test
Sigma Suspicious Filename with Embedded Base64 Commands experimental
Sigma Suspicious Get-Variable.exe Creation test
Elastic Suspicious HTML File Creation production
Elastic Suspicious JavaScript Execution via Deno production
Elastic Suspicious Portable Executable Encoded in Powershell Script production
Elastic Suspicious Powershell Script production
Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
Sigma Suspicious SYSTEM User Process Creation test
Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
Elastic Suspicious Windows Command Shell Arguments production
Elastic Suspicious Windows Powershell Arguments production
Sigma Suspicious XOR Encoded PowerShell Command test
Kusto TEARDROP memory-only dropper available
Sigma Turla Group Commands May 2020 test
Elastic Unusual Base64 Encoding/Decoding Activity production
Sigma Visual Basic Command Line Compiler Usage test
Kusto Votiro - File Blocked in Email
Splunk Wermgr Process Create Executable File production
Splunk Windows Command Obfuscation with Environment Variable Substrings production
Splunk Windows Njrat Fileless Storage via Registry production
Splunk Windows Obfuscated Files or Information via RAR SFX production
Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
Splunk Windows Registry Payload Injection production
Splunk Windows Snake Malware File Modification Crmlog production
Splunk Windows TinyCC Shellcode Execution production

Obfuscated Files or Information: Binary Padding T1027.001 6 rules

Sigma Binary Padding - Linux test
Sigma Binary Padding - MacOS test
Splunk DLL Concatenation (PowerShell)
Splunk DLL Concatenation (Sysmon)
Splunk DLL Concatenation (Windows Event Log)
Sigma Failed Code Integrity Checks stable

Obfuscated Files or Information: Software Packing T1027.002 1 rule

Sigma Python Image Load By Non-Python Process test

Obfuscated Files or Information: Steganography T1027.003 5 rules

Sigma Findstr Launching .lnk File test
Sigma Steganography Extract Files with Steghide test
Sigma Steganography Hide Files with Steghide test
Sigma Steganography Hide Zip Information in Picture File test
Sigma Steganography Unzip Hidden Information From Picture File test

Obfuscated Files or Information: Compile After Delivery T1027.004 14 rules

Splunk CSC Execution (EDR)
Splunk CSC Execution (Windows Event Log)
Splunk CSC Net On The Fly Compilation production
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Sigma Dynamic .NET Compilation Via Csc.EXE test
Sigma Dynamic .NET Compilation Via Csc.EXE - Hunting test
Sigma Dynamic CSharp Compile Artefact test
Elastic GenAI Process Compiling or Generating Executables production
Elastic Microsoft Build Engine Started an Unusual Process production
Sigma Potential Application Whitelisting Bypass via Dnx.EXE test
Elastic Suspicious .NET Code Compilation production
Splunk Suspicious csc.exe Source File Folder (Sysmon)
Splunk Suspicious csc.exe Source File Folder (Windows Event Log)
Sigma Visual Basic Command Line Compiler Usage test

Obfuscated Files or Information: Indicator Removal from Tools T1027.005 6 rules

Sigma HackTool - CrackMapExec PowerShell Obfuscation test
Sigma Potential Secure Deletion with SDelete test
Splunk Powershell Creating Thread Mutex production
Splunk Powershell Enable SMB1Protocol Feature production
Sigma PUA - DefenderCheck Execution test
Sigma PUA - Potential PE Metadata Tamper Using Rcedit test

Obfuscated Files or Information: HTML Smuggling T1027.006 1 rule

Elastic Suspicious HTML File Creation production

Obfuscated Files or Information: Embedded Payloads T1027.009 2 rules

Sigma Powershell Token Obfuscation - Powershell test
Sigma Powershell Token Obfuscation - Process Creation test

Obfuscated Files or Information: Command Obfuscation T1027.010 39 rules

Splunk Command Line Homoglyphs - Windows (PowerShell)
Splunk Command Line Homoglyphs - Windows (Sysmon)
Splunk Command Line Homoglyphs - Windows (Windows Event Log)
Elastic Command Line Obfuscation via Whitespace Padding production
Elastic Command Obfuscation via Unicode Modifier Letters production
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Elastic Deprecated - Potential PowerShell Obfuscated Script production
Elastic Dynamic IEX Reconstruction via Method String Access production
Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
Elastic Potential Antimalware Scan Interface Bypass via PowerShell production
Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
Elastic Potential Hex Payload Execution via Command-Line production
Sigma Potential Obfuscated Ordinal Call Via Rundll32 test
Elastic Potential PowerShell Obfuscated Script via High Entropy production
Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
Elastic Potential PowerShell Obfuscation via High Special Character Proportion production building block
Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
Elastic Potential PowerShell Obfuscation via Reverse Keywords production
Elastic Potential PowerShell Obfuscation via Special Character Overuse production
Elastic Potential PowerShell Obfuscation via String Concatenation production
Elastic Potential PowerShell Obfuscation via String Reordering production
Elastic PowerShell Obfuscation via Negative Index String Reversal production
Sigma Python One-Liners with Base64 Decoding experimental
Sigma Python One-Liners with Base64 Decoding - Linux experimental
Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
Elastic Suspicious Execution with NodeJS production
Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
Elastic Suspicious Powershell Script production
Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
Elastic Suspicious Windows Powershell Arguments production
Splunk Windows Command Obfuscation with Environment Variable Substrings production
Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production

Obfuscated Files or Information: Fileless Storage T1027.011 3 rules

Splunk PowerShell WebRequest Using Memory Stream production
Splunk Windows Njrat Fileless Storage via Registry production
Splunk Windows Registry Payload Injection production

Obfuscated Files or Information: Encrypted/Encoded File T1027.013 6 rules

Elastic Data Encrypted via OpenSSL Utility production
Elastic Deprecated - Encoded Executable Stored in the Registry production
Elastic PowerShell Script with Encryption/Decryption Capabilities production
Elastic ROT Encoded Python Script Execution production
Elastic Suspicious Portable Executable Encoded in Powershell Script production
Splunk Windows Obfuscated Files or Information via RAR SFX production

Obfuscated Files or Information: Compression T1027.015 3 rules

Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Elastic PowerShell Suspicious Payload Encoded and Compressed production
Elastic Suspicious Content Extracted or Decompressed via Funzip production

Masquerading T1036 261 rules

Splunk 1 or 2 Character Executable (Windows Event Log)
Elastic Abnormal Process ID or Lock File Created production
Elastic Agent Spoofing - Multiple Hosts Using Same Agent production
Elastic Archive File with Unusual Extension production building block
Splunk Attacker Tools On Endpoint production
Elastic Binary Executed from Shared Memory Directory production
Kusto Certified Pre-Owned - backup of CA private key - rule 1 available
Kusto Certified Pre-Owned - backup of CA private key - rule 2 available
Kusto Certified Pre-Owned - TGTs requested with certificate authentication available
Splunk Cisco NVM - Non-Network Binary Making Network Connection production
Sigma CodePage Modification Via MODE.COM test
Sigma CodePage Modification Via MODE.COM To Russian Language test
Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
Elastic Conhost Spawned By Suspicious Parent Process production
Sigma CreateDump Process Dump test
Sigma Creation Of Pod In System Namespace test
Kusto CyberArkEPM - Process started from different locations
Kusto CyberArkEPM - Renamed Windows binary
Kusto CyberArkEPM - Uncommon process Internet access
Kusto CyberArkEPM - Uncommon Windows process started from System folder
Kusto CyberArkEPM - Unexpected executable extension
Kusto CyberArkEPM - Unexpected executable location
Kusto Dataverse - New user agent type that was not used before available
Kusto Detect potential presence of a malicious file with a double extension (ASIM Web Session) available
Splunk Detect RTLO In File Name production
Splunk Detect RTLO In Process production
Elastic Directory Creation in /bin directory production
Splunk DLL Concatenation (PowerShell)
Splunk DLL Concatenation (Sysmon)
Splunk DLL Concatenation (Windows Event Log)
Sigma DumpMinitool Execution test
Splunk Email Attachments With Lots Of Spaces experimental
Elastic Executable File Creation with Multiple Extensions production
Elastic Executable File with Unusual Extension production building block
Elastic Executable Masquerading as Kernel Process production
Splunk Executables Or Script Creation In Suspicious Path production
Splunk Executables Or Script Creation In Temp Path production
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of an Unsigned Service production building block
Splunk Execution of File with Multiple Extensions production
Elastic Execution via Windows Command Debugging Utility production
Elastic Expired or Revoked Driver Loaded production
Sigma Exploit for CVE-2015-1641 stable
Sigma Explorer Process Tree Break test
Sigma File Download Via Bitsadmin test
Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
Sigma Files With System DLL Name In Unsuspected Locations test
Sigma Files With System Process Name In Unsuspected Locations test
Sigma Findstr Launching .lnk File test
Sigma Flash Player Update from Suspicious Location test
Sigma Forfiles.EXE Child Process Masquerading test
Sigma Greenbug Espionage Group Indicators test
Kusto GWorkspace - Unexpected OS update available
Sigma HackTool - XORDump Execution test
Elastic Host Detected with Suspicious Windows Process(es) production
Elastic Image Loaded with Invalid Signature production building block
Sigma Interactive Bash Suspicious Children test
Sigma Lazarus System Binary Masquerading test
Splunk Linux Kworker Process In Writable Process Path production
Sigma LOL-Binary Copied From System Directory test
Elastic Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score production
Elastic Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score production
Sigma Masquerading as Linux Crond Process test
Kusto Masquerading Renamed executables of interest
Elastic Masquerading Space After Filename production
Kusto Match Legitimate Name or Location - 2 available
Kusto Medium severity malicious activity detected available
Elastic Memory Dump File with Unusual Extension production building block
Elastic Microsoft Build Engine Using an Alternate Name production
Kusto Microsoft Entra ID Rare UserAgent App Sign-in available
Kusto Microsoft Entra ID UserAgent OS Missmatch available
Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
Splunk Mock System Directory - Windows (Sysmon)
Splunk Mock System Directory - Windows (Windows Event Log)
Elastic Network Activity Detected via Kworker production
Sigma New or Renamed User Account with '$' Character test
Sigma New Process Created Via Taskmgr.EXE test
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Splunk Output to File (PowerShell)
Splunk Output to File (Windows Event Log)
Elastic Parent Process Detected with Suspicious Windows Process(es) production
Sigma Password Protected ZIP File Opened (Suspicious Filenames) test
Kusto Pathlock TDnR - Critical File Integrity Changes available
Sigma Potential Binary Impersonating Sysinternals Tools test
Sigma Potential Command Line Path Traversal Evasion Attempt test
Elastic Potential Credential Access via Renamed COM+ Services DLL production
Elastic Potential CVE-2025-33053 Exploitation production
Elastic Potential Data Exfiltration via Rclone production
Sigma Potential Defense Evasion Via Binary Rename test
Sigma Potential Defense Evasion Via Rename Of Highly Relevant Binaries test
Sigma Potential Defense Evasion Via Right-to-Left Override test
Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
Splunk Potential Executable Masquerading as Document - Windows (Sysmon)
Splunk Potential Executable Masquerading as Document - Windows (Windows Event Log)
Sigma Potential Fake Instance Of Hxtsr.EXE Executed test
Sigma Potential File Extension Spoofing Using Right-to-Left Override test
Sigma Potential Homoglyph Attack Using Lookalike Characters test
Sigma Potential Homoglyph Attack Using Lookalike Characters in Filename test
Elastic Potential Kubectl Masquerading via Unexpected Process production
Sigma Potential LSASS Process Dump Via Procdump stable
Elastic Potential Masquerading as Browser Process production building block
Elastic Potential Masquerading as Business App Installer production
Elastic Potential Masquerading as Communication Apps production
Elastic Potential Masquerading as Svchost production
Elastic Potential Masquerading as System32 DLL production building block
Elastic Potential Masquerading as System32 Executable production building block
Elastic Potential Masquerading as VLC DLL production building block
Elastic Potential Microsoft Office Sandbox Evasion production
Sigma Potential MsiExec Masquerading test
Sigma Potential PendingFileRenameOperations Tampering test
Elastic Potential privilege escalation via CVE-2022-38028 production
Elastic Potential Privilege Escalation via InstallerFileTakeOver production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Potential Process Name Stomping with Prctl production
Kusto Potential re-named sdelete usage available
Kusto Potential re-named sdelete usage (ASIM Version)
Sigma Potential ReflectDebugger Content Execution Via WerFault.EXE test
Sigma Potential SysInternals ProcDump Evasion test
Sigma Potential WerFault ReflectDebugger Registry Value Abuse test
Elastic Potential Windows Error Manager Masquerading production
Sigma Potentially Suspicious Execution From Tmp Folder test
Sigma Procdump Execution test
Elastic Process Backgrounded by Unusual Parent production
Sigma Process Execution From A Potentially Suspicious Folder test
Elastic Process Execution from an Unusual Directory production
Splunk Process Execution From Suspicious Folder (Sysmon)
Splunk Process Execution From Suspicious Folder (Windows Event Log)
Sigma Process Memory Dump Via Comsvcs.DLL test
Elastic Process Started from Process ID (PID) File production
Elastic Processes with Trailing Spaces production
Elastic Program Files Directory Masquerading production
Sigma Ps.exe Renamed SysInternals Tool test
Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
Sigma RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - MacOS experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
Kusto Rename System Utilities available
Splunk Rename System Utilities (Windows Event Log)
Elastic Renamed Automation Script Interpreter production
Sigma Renamed BrowserCore.EXE Execution test
Sigma Renamed CreateDump Utility Execution test
Sigma Renamed Jusched.EXE Execution test
Sigma Renamed Msdt.EXE Execution test
Sigma Renamed Office Binary Execution test
Sigma Renamed Plink Execution test
Sigma Renamed Powershell Under Powershell Channel test
Sigma Renamed ProcDump Execution test
Splunk Renamed Process (Sysmon)
Sigma Renamed Schtasks Execution experimental
Elastic Renamed Utility Executed with Short Program Name production
Sigma Renamed ZOHO Dctask64 Execution test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Sigma Sdiagnhost Calling Suspicious Child Process test
Sigma SearchIndexer suspicious process activity experimental
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Small Sieve Malware File Indicator Creation test
Sigma Space After Filename - macOS test
Elastic Startup Folder Persistence via Unsigned Process production
Sigma Suspicious Calculator Usage test
Splunk Suspicious Child Process for lsass.exe (Sysmon)
Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
Sigma Suspicious Child Process Of Wermgr.EXE test
Sigma Suspicious CodePage Switch Via CHCP test
Elastic Suspicious Communication App Child Process production
Sigma Suspicious Computer Account Name Change CVE-2021-42287 test
Sigma Suspicious Copy From or To System Directory test
Splunk Suspicious Copy on System32 production
Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
Sigma Suspicious Double Extension Files test
Sigma Suspicious Download From Direct IP Via Bitsadmin test
Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Sigma Suspicious DumpMinitool Execution test
Elastic Suspicious Endpoint Security Parent Process production
Splunk Suspicious File Created in Public Folder (Sysmon)
Elastic Suspicious File Creation via Kworker production
Sigma Suspicious Files in Default GPO Folder test
Elastic Suspicious Kworker UID Elevation production
Sigma Suspicious LNK Double Extension File Created test
Elastic Suspicious Microsoft Antimalware Service Execution production
Elastic Suspicious Microsoft Diagnostics Wizard Execution production
Splunk Suspicious microsoft workflow compiler rename production
Splunk Suspicious msbuild path production
Splunk Suspicious MSBuild Rename production
Sigma Suspicious MSDT Parent Process test
Elastic Suspicious Outlook Child Process production building block
Sigma Suspicious Parent Double Extension File Execution test
Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
Splunk Suspicious Process Executed From Container File production
Elastic Suspicious Process Execution via Renamed PsExec Executable production
Sigma Suspicious Process Masquerading As SvcHost.EXE test
Sigma Suspicious Process Parents test
Sigma Suspicious Process Start Locations test
Elastic Suspicious Renaming of ESXI Files production
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Sigma Suspicious Start-Process PassThru test
Elastic Suspicious WerFault Child Process production
Sigma Suspicious Windows Update Agent Empty Cmdline test
Splunk Suspicious writes to windows Recycle Bin production
Elastic Suspicious Zoom Child Process production
Elastic System Binary Moved or Copied production
Sigma System File Execution Location Anomaly test
Elastic System Path File Creation and Execution Detected via Defend for Containers production
Splunk System Processes Run From Unexpected Locations production
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Sigma Taskmgr as LOCAL_SYSTEM test
Elastic UAC Bypass Attempt via Windows Directory Masquerading production
Sigma Uncommon Svchost Command Line Parameter experimental
Sigma Uncommon Svchost Parent Process test
Splunk Unexpected Network Connection from System Process (Sysmon)
Splunk Unexpected Network Connection from System Process (Windows Event Log)
Sigma Unsigned .node File Loaded experimental
Elastic Unsigned BITS Service Client Process production building block
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
Kusto Unsigned Windows System Binary
Elastic Untrusted Driver Loaded production
Elastic Unusual Execution from Kernel Thread (kthreadd) Parent production
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Parent-Child Relationship production
Elastic Unusual Process Execution on WBEM Path production building block
Elastic Unusual Process Extension production building block
Elastic Unusual Process Spawned by a Parent Process production
Elastic Unusual Process Spawned by a User production
Sigma User account created by a computer account experimental
Elastic User Detected with Suspicious Windows Process(es) production
Kusto Votiro - File Blocked from Connector
Kusto Votiro - File Blocked in Email
Sigma Windows Binaries Write Suspicious Extensions test
Splunk Windows Bluetooth Service Installed From Uncommon Location production
Splunk Windows Debugger Tool Execution production
Splunk Windows DotNet Binary in Non Standard Path production
Splunk Windows Executable Masquerading as Benign File Types production
Splunk Windows InstallUtil in Non Standard Path production
Splunk Windows LOLBAS Executed As Renamed File production
Splunk Windows LOLBAS Executed Outside Expected Path production
Splunk Windows Masquerading Msdtc Process production
Splunk Windows MSC EvilTwin Directory Path Manipulation production
Splunk Windows NetSupport RMM DLL Loaded By Uncommon Process production
Splunk Windows Process Copied from System Folder (PowerShell)
Splunk Windows Process Copied from System Folder (Sysmon)
Splunk Windows Process Copied from System Folder (Windows Event Log)
Splunk Windows Process Execution From ProgramData production
Splunk Windows Process Execution in Temp Dir production
Splunk Windows Process Outside of System Folder (Sysmon)
Splunk Windows Process Outside of System Folder (Windows Event Log)
Sigma Windows Processes Suspicious Parent Directory test
Splunk Windows Renamed Powershell Execution production
Splunk Windows SoftEther VPN Masquerading as Legitimate Binary production
Splunk Windows Suspicious Process File Path production
Splunk Windows Suspicious QEMU Execution production
Splunk Windows Svchost.exe Parent Process Anomaly production
Splunk Windows TinyCC Shellcode Execution production
Splunk Windows Unusual SysWOW64 Process Run System32 Executable production

Masquerading: Invalid Code Signature T1036.001 18 rules

Elastic Execution of an Unsigned Service production building block
Elastic Expired or Revoked Driver Loaded production
Elastic Image Loaded with Invalid Signature production building block
Elastic Potential Masquerading as Browser Process production building block
Elastic Potential Masquerading as Business App Installer production
Elastic Potential Masquerading as Communication Apps production
Elastic Potential Masquerading as System32 DLL production building block
Elastic Potential Masquerading as System32 Executable production building block
Elastic Potential Masquerading as VLC DLL production building block
Elastic Startup Folder Persistence via Unsigned Process production
Elastic Suspicious Communication App Child Process production
Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
Elastic Suspicious Outlook Child Process production building block
Elastic Unsigned BITS Service Client Process production building block
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
Kusto Unsigned Windows System Binary
Elastic Untrusted Driver Loaded production

Masquerading: Right-to-Left Override T1036.002 6 rules

Splunk Detect RTLO In File Name production
Splunk Detect RTLO In Process production
Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
Sigma Potential Defense Evasion Via Right-to-Left Override test
Sigma Potential File Extension Spoofing Using Right-to-Left Override test

Masquerading: Rename Legitimate Utilities T1036.003 55 rules

Splunk Execution of File with Multiple Extensions production
Sigma File Download Via Bitsadmin test
Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
Sigma LOL-Binary Copied From System Directory test
Sigma Masquerading as Linux Crond Process test
Kusto Masquerading Renamed executables of interest
Elastic Microsoft Build Engine Using an Alternate Name production
Elastic Potential Credential Access via Renamed COM+ Services DLL production
Elastic Potential Data Exfiltration via Rclone production
Sigma Potential Defense Evasion Via Binary Rename test
Sigma Potential Defense Evasion Via Rename Of Highly Relevant Binaries test
Sigma Potential Homoglyph Attack Using Lookalike Characters test
Sigma Potential Homoglyph Attack Using Lookalike Characters in Filename test
Elastic Potential Kubectl Masquerading via Unexpected Process production
Sigma Potential PendingFileRenameOperations Tampering test
Sigma Potential WerFault ReflectDebugger Registry Value Abuse test
Sigma Ps.exe Renamed SysInternals Tool test
Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
Sigma Remote Access Tool - Renamed MeshAgent Execution - MacOS experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
Kusto Rename System Utilities available
Splunk Rename System Utilities (Windows Event Log)
Elastic Renamed Automation Script Interpreter production
Sigma Renamed BrowserCore.EXE Execution test
Sigma Renamed Jusched.EXE Execution test
Sigma Renamed Msdt.EXE Execution test
Sigma Renamed Office Binary Execution test
Sigma Renamed Powershell Under Powershell Channel test
Sigma Renamed ProcDump Execution test
Splunk Renamed Process (Sysmon)
Sigma Renamed Schtasks Execution experimental
Elastic Renamed Utility Executed with Short Program Name production
Sigma Suspicious Copy From or To System Directory test
Splunk Suspicious Copy on System32 production
Sigma Suspicious Download From Direct IP Via Bitsadmin test
Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Elastic Suspicious Microsoft Antimalware Service Execution production
Elastic Suspicious Microsoft Diagnostics Wizard Execution production
Splunk Suspicious microsoft workflow compiler rename production
Splunk Suspicious msbuild path production
Splunk Suspicious MSBuild Rename production
Elastic Suspicious Process Execution via Renamed PsExec Executable production
Elastic Suspicious Renaming of ESXI Files production
Sigma Suspicious Start-Process PassThru test
Elastic System Binary Moved or Copied production
Splunk System Processes Run From Unexpected Locations production
Splunk Windows DotNet Binary in Non Standard Path production
Splunk Windows InstallUtil in Non Standard Path production
Splunk Windows LOLBAS Executed As Renamed File production
Splunk Windows Process Copied from System Folder (PowerShell)
Splunk Windows Process Copied from System Folder (Sysmon)
Splunk Windows Process Copied from System Folder (Windows Event Log)
Sigma Windows Processes Suspicious Parent Directory test
Splunk Windows Renamed Powershell Execution production

Masquerading: Masquerade Task or Service T1036.004 17 rules

Elastic Executable Masquerading as Kernel Process production
Splunk Linux Kworker Process In Writable Process Path production
Elastic Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score production
Elastic Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score production
Elastic Network Activity Detected via Kworker production
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Splunk Suspicious Child Process for lsass.exe (Sysmon)
Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
Elastic Suspicious Kworker UID Elevation production
Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
Splunk Windows Process Outside of System Folder (Sysmon)
Splunk Windows Process Outside of System Folder (Windows Event Log)

Masquerading: Match Legitimate Resource Name or Location T1036.005 62 rules

Elastic Abnormal Process ID or Lock File Created production
Splunk Attacker Tools On Endpoint production
Sigma Creation Of Pod In System Namespace test
Elastic Directory Creation in /bin directory production
Elastic Executable Masquerading as Kernel Process production
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution via Windows Command Debugging Utility production
Sigma Exploit for CVE-2015-1641 stable
Sigma Files With System DLL Name In Unsuspected Locations test
Sigma Files With System Process Name In Unsuspected Locations test
Sigma Flash Player Update from Suspicious Location test
Sigma Greenbug Espionage Group Indicators test
Sigma Lazarus System Binary Masquerading test
Kusto Match Legitimate Name or Location - 2 available
Sigma Potential Binary Impersonating Sysinternals Tools test
Elastic Potential CVE-2025-33053 Exploitation production
Elastic Potential Masquerading as Browser Process production building block
Elastic Potential Masquerading as Business App Installer production
Elastic Potential Masquerading as Communication Apps production
Elastic Potential Masquerading as Svchost production
Elastic Potential Masquerading as System32 DLL production building block
Elastic Potential Masquerading as System32 Executable production building block
Elastic Potential Masquerading as VLC DLL production building block
Elastic Potential Microsoft Office Sandbox Evasion production
Sigma Potential MsiExec Masquerading test
Elastic Potential Privilege Escalation via InstallerFileTakeOver production
Elastic Potential Process Name Stomping with Prctl production
Elastic Potential Windows Error Manager Masquerading production
Elastic Process Execution from an Unusual Directory production
Elastic Process Started from Process ID (PID) File production
Elastic Program Files Directory Masquerading production
Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
Sigma RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir experimental
Sigma Scheduled Task Creation Masquerading as System Processes experimental
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Small Sieve Malware File Indicator Creation test
Elastic Suspicious Communication App Child Process production
Elastic Suspicious Endpoint Security Parent Process production
Splunk Suspicious File Created in Public Folder (Sysmon)
Elastic Suspicious File Creation via Kworker production
Sigma Suspicious Files in Default GPO Folder test
Elastic Suspicious Microsoft Antimalware Service Execution production
Elastic Suspicious Outlook Child Process production building block
Sigma Suspicious Process Masquerading As SvcHost.EXE test
Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
Elastic System Path File Creation and Execution Detected via Defend for Containers production
Elastic UAC Bypass Attempt via Windows Directory Masquerading production
Sigma Uncommon Svchost Command Line Parameter experimental
Sigma Uncommon Svchost Parent Process test
Sigma Unsigned .node File Loaded experimental
Kusto Unsigned Windows System Binary
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Process Execution on WBEM Path production building block
Splunk Windows LOLBAS Executed Outside Expected Path production
Splunk Windows MSC EvilTwin Directory Path Manipulation production
Splunk Windows Process Execution From ProgramData production
Splunk Windows Process Execution in Temp Dir production
Splunk Windows Process Outside of System Folder (Sysmon)
Splunk Windows Process Outside of System Folder (Windows Event Log)
Sigma Windows Processes Suspicious Parent Directory test
Splunk Windows Suspicious Process File Path production

Masquerading: Space after Filename T1036.006 3 rules

Elastic Masquerading Space After Filename production
Elastic Processes with Trailing Spaces production
Sigma Space After Filename - macOS test

Masquerading: Double File Extension T1036.007 6 rules

Elastic Executable File Creation with Multiple Extensions production
Splunk Potential Executable Masquerading as Document - Windows (Sysmon)
Splunk Potential Executable Masquerading as Document - Windows (Windows Event Log)
Sigma Suspicious Double Extension Files test
Sigma Suspicious LNK Double Extension File Created test
Sigma Suspicious Parent Double Extension File Execution test

Masquerading: Masquerade File Type T1036.008 8 rules

Elastic Archive File with Unusual Extension production building block
Splunk Email Attachments With Lots Of Spaces experimental
Elastic Executable File with Unusual Extension production building block
Elastic Memory Dump File with Unusual Extension production building block
Elastic Process Started from Process ID (PID) File production
Splunk Suspicious Process Executed From Container File production
Elastic Unusual Process Extension production building block
Splunk Windows Executable Masquerading as Benign File Types production

Masquerading: Break Process Trees T1036.009 6 rules

Elastic Process Backgrounded by Unusual Parent production
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Elastic Unusual Execution from Kernel Thread (kthreadd) Parent production
Elastic Unusual Parent-Child Relationship production
Splunk Windows Svchost.exe Parent Process Anomaly production
Splunk Windows Unusual SysWOW64 Process Run System32 Executable production

Process Injection T1055 147 rules

Kusto ADWS Connection from Process Injection Target
Sigma Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection stable
Sigma APT PRIVATELOG Image Load Pattern test
Sigma ASLR Disabled Via Sysctl or Direct Syscall - Linux experimental
Splunk Cisco NVM - Non-Network Binary Making Network Connection production
Splunk Cisco NVM - Suspicious Network Connection From Process With No Args production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Sigma CobaltStrike Named Pipe test
Sigma CobaltStrike Named Pipe Pattern Regex test
Sigma CobaltStrike Named Pipe Patterns test
Elastic Conhost Spawned By Suspicious Parent Process production
Splunk Create Remote Thread In Shell Application production
Sigma Created Files by Microsoft Sync Center test
Sigma CreateRemoteThread API and LoadLibrary test
Splunk DLLHost with no Command Line Arguments with Network production
Sigma Dllhost.EXE Execution Anomaly test
Sigma DotNet CLR DLL Loaded By Scripting Applications test
Splunk GPUpdate with no Command Line Arguments with Network production
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - CoercedPotato Execution test
Sigma HackTool - CoercedPotato Named Pipe Creation test
Sigma HackTool - DInjector PowerShell Cradle Execution test
Sigma HackTool - EfsPotato Named Pipe Creation test
Sigma HackTool - HollowReaper Execution experimental
Sigma HackTool - LittleCorporal Generated Maldoc Injection test
Sigma HackTool - Potential CobaltStrike Process Injection test
Sigma Injected Browser Process Spawning Rundll32 - GuLoader Activity test
Splunk Known Process Injection Commands (PowerShell)
Splunk Known Process Injection Commands (Sysmon)
Splunk Known Process Injection Commands (Windows Event Log)
Elastic Linux Process Hooking via GDB production
Splunk Loading Of Dynwrapx Module production
Sigma Lummac Stealer Activity - Execution Of More.com And Vbc.exe experimental
Sigma Malicious Named Pipe Created test
Sigma Malware Shellcode in Verclsid Target Process test
Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Mavinject Inject DLL Into Running Process test
Kusto McAfee ePO - Multiple threats on same host available
Elastic Memory Threat - Detected - Elastic Defend production
Elastic Memory Threat - Prevented- Elastic Defend production
Sigma Microsoft Sync Center Suspicious Network Connections test
Splunk Named Pipe Created (Sysmon)
Sigma Network Connection Initiated Via Notepad.EXE test
Splunk Notepad with no Command Line Arguments production
Splunk Potential CVE-2023-23397 (EDR)
Splunk Potential CVE-2023-23397 (Sysmon)
Splunk Potential CVE-2023-23397 (Windows Event Log)
Sigma Potential DLL Injection Or Execution Using Tracker.exe test
Sigma Potential DLL Sideloading Using Coregen.exe test
Sigma Potential Dridex Activity stable
Sigma Potential Executable Run Itself As Sacrificial Process experimental
Sigma Potential Linux Process Code Injection Via DD Utility test
Sigma Potential Pikabot Hollowing Activity test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Process Hollowing Activity test
Elastic Potential Process Injection from Malicious Document production building block
Sigma Potential Process Injection Via Msra.EXE test
Elastic Potential Process Injection via PowerShell production
Sigma Potential Shellcode Injection test
Elastic Potential Sudo Token Manipulation via Process Injection production
Splunk Powershell DLL_EXE Injection (PowerShell)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell Fileless Process Injection via GetProcAddress production
Splunk PowerShell PInvoke Process Injection API Chain production
Splunk Powershell Remote Thread To Known Windows Process production
Sigma PowerShell ShellCode test
Elastic Privilege Escalation via GDB CAP_SYS_PTRACE production
Sigma Process Creation Using Sysnative Folder test
Splunk Process Executed with Null Command Line (Sysmon)
Splunk Process Executed with Null Command Line (Windows Event Log)
Elastic Process Injection - Detected - Elastic Endgame production
Elastic Process Injection - Prevented - Elastic Endgame production
Elastic Process Injection by the Microsoft Build Engine production
Kusto Process Injection From Untrusted Process
Kusto Process Injection Initiated By MMC
Splunk Rare Remote Thread (Sysmon)
Sigma Rare Remote Thread Creation By Uncommon Source Image test
Sigma RedSun - Named Pipe Created experimental
Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
Splunk Remote Thread Created by Uncommon Process (Sysmon)
Sigma Remote Thread Created In Shell Application test
Sigma Remote Thread Creation By Uncommon Source Image test
Sigma Remote Thread Creation In Uncommon Target Image test
Splunk Remote Thread from Suspicious Folder (Sysmon)
Sigma Renamed Mavinject.EXE Execution test
Sigma Renamed ZOHO Dctask64 Execution test
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production
Splunk Rundll32 Create Remote Thread To A Process production
Splunk Rundll32 CreateRemoteThread In Browser production
Splunk SearchProtocolHost with no Command Line with Network production
Kusto Solorigate Named Pipe
Sigma Suspect Svchost Activity test
Elastic Suspicious .NET Reflection via PowerShell production
Splunk Suspicious Child Process for lsass.exe (Sysmon)
Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
Sigma Suspicious Child Process Of Wermgr.EXE test
Elastic Suspicious Communication App Child Process production
Splunk Suspicious DLLHost no Command Line Arguments production
Elastic Suspicious Endpoint Security Parent Process production
Splunk Suspicious GPUpdate no Command Line Arguments production
Elastic Suspicious Managed Code Hosting Process production
Kusto Suspicious named pipes available
Elastic Suspicious Outlook Child Process production building block
Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
Elastic Suspicious Portable Executable Encoded in Powershell Script production
Elastic Suspicious Process Access via Direct System Call production
Elastic Suspicious Process Creation CallTrace production
Sigma Suspicious Rundll32 Invoking Inline VBScript test
Splunk Suspicious SearchProtocolHost no Command Line Arguments production
Sigma Suspicious Userinit Child Process test
Elastic Suspicious Zoom Child Process production
Sigma TAIDOOR RAT DLL Load test
Splunk Trickbot Named Pipe production
Sigma Uncommon Process Access Rights For Target Image test
Sigma Uncommon Svchost Command Line Parameter experimental
Splunk Unexpected Network Connection from System Process (Sysmon)
Splunk Unexpected Network Connection from System Process (Windows Event Log)
Elastic Unusual Child Process from a System Virtual Process production
Elastic Unusual Linux Network Activity production
Elastic Unusual Parent-Child Relationship production
Elastic Unusual Service Host Child Process - Childless Service production
Splunk Unusual svchost Child Process (Sysmon)
Splunk Unusual svchost Child Process (Windows Event Log)
Elastic Unusual Windows Network Activity production
Splunk Windows List ENV Variables Via SET Command From Uncommon Parent production
Splunk Windows Process Injection In Non-Service SearchIndexer production
Splunk Windows Process Injection into Commonly Abused Processes production
Splunk Windows Process Injection into Notepad production
Splunk Windows Process Injection Of Wermgr to Known Browser production
Splunk Windows Process Injection Remote Thread production
Splunk Windows Process Injection Wermgr Child Process production
Splunk Windows Process Injection With Public Source Path production
Splunk Windows Process With NamedPipe CommandLine production
Splunk Windows PUA Named Pipe production
Splunk Windows Rasautou DLL Execution production
Splunk Windows Remote Assistance Spawning Process production
Splunk Windows RMM Named Pipe production
Splunk Windows Suspicious C2 Named Pipe production
Splunk Windows Suspicious Named Pipe production
Splunk Winhlp32 Spawning a Process production
Splunk Wscript Or Cscript Suspicious Child Process production

Process Injection: Dynamic-link Library Injection T1055.001 21 rules

Sigma CreateRemoteThread API and LoadLibrary test
Sigma HackTool - Potential CobaltStrike Process Injection test
Splunk Loading Of Dynwrapx Module production
Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Mavinject Inject DLL Into Running Process test
Splunk Potential CVE-2023-23397 (EDR)
Splunk Potential CVE-2023-23397 (Sysmon)
Splunk Potential CVE-2023-23397 (Windows Event Log)
Sigma Potential DLL Injection Or Execution Using Tracker.exe test
Elastic Potential Process Injection via PowerShell production
Splunk Powershell DLL_EXE Injection (PowerShell)
Splunk PowerShell PInvoke Process Injection API Chain production
Sigma Renamed Mavinject.EXE Execution test
Sigma Renamed ZOHO Dctask64 Execution test
Elastic Suspicious .NET Reflection via PowerShell production
Sigma TAIDOOR RAT DLL Load test
Splunk Windows Process Injection Of Wermgr to Known Browser production
Splunk Windows Rasautou DLL Execution production

Process Injection: Portable Executable Injection T1055.002 8 rules

Kusto ADWS Connection from Process Injection Target
Elastic Potential Process Injection via PowerShell production
Kusto Process Injection From Untrusted Process
Elastic Suspicious .NET Reflection via PowerShell production
Splunk Windows Process Injection into Commonly Abused Processes production
Splunk Windows Process Injection into Notepad production
Splunk Windows Process Injection Remote Thread production
Splunk Windows Process Injection With Public Source Path production

Process Injection: Thread Execution Hijacking T1055.003 4 rules

Sigma HackTool - LittleCorporal Generated Maldoc Injection test
Elastic Potential Process Injection via PowerShell production
Splunk PowerShell PInvoke Process Injection API Chain production
Sigma Remote Thread Creation In Uncommon Target Image test

Process Injection: Asynchronous Procedure Call T1055.004 2 rules

Elastic Potential Process Injection via PowerShell production
Splunk PowerShell PInvoke Process Injection API Chain production

Process Injection: Ptrace System Calls T1055.008 4 rules

Elastic Linux Process Hooking via GDB production
Elastic Potential Sudo Token Manipulation via Process Injection production
Elastic Privilege Escalation via GDB CAP_SYS_PTRACE production
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production

Process Injection: Proc Memory T1055.009 2 rules

Sigma ASLR Disabled Via Sysctl or Direct Syscall - Linux experimental
Sigma Potential Linux Process Code Injection Via DD Utility test

Process Injection: Extra Window Memory Injection T1055.011 1 rule

Sigma Uncommon Process Access Rights For Target Image test

Process Injection: Process Hollowing T1055.012 10 rules

Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - HollowReaper Execution experimental
Sigma Potential Pikabot Hollowing Activity test
Sigma Potential Process Hollowing Activity test
Splunk PowerShell PInvoke Process Injection API Chain production
Elastic Suspicious Endpoint Security Parent Process production
Elastic Suspicious Process Creation CallTrace production
Sigma Uncommon Svchost Command Line Parameter experimental
Elastic Unusual Parent-Child Relationship production
Elastic Unusual Service Host Child Process - Childless Service production

Process Injection: Process Doppelgänging T1055.013 1 rule

Splunk PowerShell PInvoke Process Injection API Chain production

Indicator Removal T1070 172 rules

Sigma ADS Zone.Identifier Deleted test
Sigma ADS Zone.Identifier Deleted By Uncommon Application test
Elastic Attempt to Clear Kernel Ring Buffer production
Elastic Attempt to Clear Logs via Journalctl production
Panther AWS RDS Snapshot Deleted Experimental
Elastic AWS S3 Bucket Configuration Deletion production
Elastic AWS S3 Bucket Expiration Lifecycle Configuration Added production
Kusto AWSCloudTrail - Changes made to AWS CloudTrail logs available
Panther Azure Automation Runbook Deleted
Sigma Backup Catalog Deleted test
Kusto Bitglass - The SmartEdge endpoint agent was uninstalled available
Kusto BTP - Build Work Zone unauthorized access and role tampering available
Kusto BTP - Cloud Integration tampering with security material available
Splunk Cisco ASA - Logging Message Suppression production
Splunk Cisco ASA - User Account Deleted From Local Database production
Sigma Cisco Clear Logs test
Sigma Cisco File Deletion test
Splunk Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal production
Kusto CiscoISE - Attempt to delete local store logs available
Kusto CiscoISE - Log files deleted available
Sigma Clear PowerShell History - PowerShell test
Sigma Clear PowerShell History - PowerShell Module test
Splunk Clear Unallocated Sector Using Cipher App production
Splunk Clear Windows Event Logs (Windows Event Log)
Kusto Clearing of forensic evidence from event logs using wevtutil available
Sigma Clearing Windows Console History test
Elastic Clearing Windows Console History production
Elastic Clearing Windows Event Logs production
Splunk Create or delete windows shares using net exe production
Panther Crowdstrike API Key Deleted
Panther Crowdstrike Ephemeral User Account
Panther Crowdstrike User Deleted
Panther Databricks Access Token Revoked Experimental
Kusto Dataverse - Audit log data deletion available
Elastic Delete Volume USN Journal with Fsutil production
Sigma Directory Removal Via Rmdir test
Sigma Disable Administrative Share Creation at Startup test
Sigma Disable of ETW Trace - Powershell test
Sigma Disable Powershell Command History test
Elastic Disable Windows Event and Security Logs Using Built-in Tools production
Sigma DLL Load By System Process From Suspicious Locations test
Splunk ESXi Audit Tampering production
Splunk ESXi System Clock Manipulation production
Elastic ESXI Timestomping using Touch Command production
Sigma ETW Trace Evasion Activity test
Splunk ETW Trace Provider Modified - PowerShell (PowerShell)
Sigma Event log clear attempt (command) experimental
Sigma Event log clear attempt (PowerShell) experimental
Sigma Event log clear attempt (wmi) experimental
Sigma Event log cleared (native) experimental
Sigma Event log cleared using Diagnostics (via PowerShell) stable
Sigma EventLog EVTX File Deleted test
Sigma Exchange PowerShell Cmdlet History Deleted test
Sigma File Creation Date Changed to Another Year test
Elastic File Creation in /var/log via Suspicious Process production
Elastic File Creation, Execution and Self-Deletion in Suspicious Directory production
Sigma File Deleted Via Sysinternals SDelete test
Sigma File Deletion stable
Sigma File Deletion Via Del test
Elastic File Deletion via Shred production
Elastic File or Directory Deletion Command production building block
Sigma File Time Attribute Change test
Sigma File Time Attribute Change - Linux test
Sigma Filter Driver Unloaded Via Fltmc.EXE test
Sigma Fsutil Suspicious Invocation stable
Splunk Fsutil Zeroing File production
Sigma Greedy File Deletion Using Del test
Sigma IIS WebServer Access Logs Deleted test
Sigma IIS WebServer Log Deletion via CommandLine Utilities experimental
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Sigma Kubernetes Events Deleted test
Elastic Kubernetes Events Deleted production
Splunk Linux Account Manipulation Of SSH Config and Keys production
Sigma Linux Command History Tampering test
Splunk Linux Deletion Of Cron Jobs production
Splunk Linux Deletion Of Init Daemon Script production
Splunk Linux Deletion Of Services production
Splunk Linux Deletion of SSL Certificate production
Splunk Linux High Frequency Of File Deletion In Boot Folder production
Splunk Linux High Frequency Of File Deletion In Etc Folder production
Splunk Linux Indicator Removal Clear Cache production
Splunk Linux Indicator Removal Service File Deletion production
Sigma Linux Package Uninstall test
Elastic Linux User or Group Deletion production
Elastic M365 Exchange MFA Notification Email Deleted or Moved production
Sigma macOS Data Destruction Tools experimental
Splunk MacOS Log Removal production
Sigma MaxMpxCt Registry Value Changed test
Kusto McAfee ePO - Attempt uninstall McAfee agent available
Kusto McAfee ePO - Error sending alert available
Kusto McAfee ePO - File added to exceptions available
Kusto McAfee ePO - Logging error occurred available
Kusto McAfee ePO - Multiple threats on same host available
Kusto McAfee ePO - Scanning engine disabled available
Kusto McAfee ePO - Task error available
Kusto McAfee ePO - Threat was not blocked available
Kusto McAfee ePO - Unable to clean or delete infected file available
Kusto McAfee ePO - Update failed available
Splunk Network Share Connection Removal (PowerShell)
Splunk NirCmd Execution (Sysmon)
Splunk NirCmd Execution (Windows Event Log)
Kusto NRT Security Event log cleared available
Splunk O365 Email Hard Delete Excessive Volume production
Splunk O365 Email Password and Payroll Compromise Behavior production
Splunk O365 Email Receive and Hard Delete Takeover Behavior production
Splunk O365 Email Send and Hard Delete Exfiltration Behavior production
Splunk O365 Email Send and Hard Delete Suspicious Behavior production
Splunk O365 Email Send Attachments Excessive Volume production
Kusto OCI - Event rule deleted available
Kusto Potential Ransomware activity related to Cobalt Strike available
Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
Elastic Potential REMCOS Trojan Execution production
Sigma Potential Secure Deletion with SDelete test
Elastic Potential Secure File Deletion via SDelete Utility production
Elastic Potential Timestomp in Executable Files production
Sigma Potentially Suspicious Ping/Copy Command Combination test
Sigma PowerShell Console History Logs Deleted test
Sigma PowerShell Deleted Mounted Share test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Log Clear Capabilities production building block
Sigma Powershell Timestomp test
Sigma Prefetch File Deleted test
Splunk Process Deleting Its Process File Path production
Kusto Qakbot Campaign Self Deletion available
Splunk Recursive Delete of Directory In Batch CMD production
Sigma RunMRU Registry Key Deletion experimental
Sigma RunMRU Registry Key Deletion - Registry experimental
Splunk Sdelete Application Execution production
Kusto Security Event log cleared available
Elastic Sensitive Audit Policy Sub-Category Disabled production
Kusto Sentinel One - Agent uninstalled from multiple hosts available
Kusto Sentinel One - Blacklist hash deleted available
Kusto Sentinel One - Exclusion added available
Kusto Sentinel One - Rule deleted available
Kusto Sentinel One - Rule disabled available
Sigma SES Identity Has Been Deleted test
Sigma Shadow Copies Deletion Using Operating Systems Utilities stable
Elastic Shell Command-Line History Deletion Detected via Defend for Containers production
Elastic Shell History Clearing via Environment Variables production
Panther Slack DLP Modified
Elastic SSH Authorized Keys File Deletion production
Elastic SSL Certificate Deletion production
Sigma Suspicious IO.FileStream test
Sigma Suspicious Ping/Del Command Combination test
Elastic Suspicious Print Spooler File Deletion production
Sigma Sysmon Driver Unloaded Via Fltmc.EXE test
Elastic System Log File Deletion production
Sigma System time changed experimental
Sigma System time changed (PowerShell) experimental
Elastic Tampering of Shell Command-Line History production
Sigma TeamViewer Log File Deleted test
Sigma Terminal Server Client Connection History Cleared - Registry test
Splunk Timestamp Manipulation (PowerShell)
Splunk Timestamp Manipulation (Windows Event Log)
Elastic Timestomping using Touch Command production
Sigma Tomcat WebServer Logs Deleted test
Sigma Touch Suspicious Service File test
Sigma Unauthorized System Time Modification test
Sigma Unmount Share Via Net.EXE test
Sigma Use Of Remove-Item to Delete File - ScriptBlock test
Splunk USN Journal Deletion production
Elastic WebServer Access Logs Deleted production
Splunk Windows ConsoleHost History File Deletion production
Splunk Windows Default Rdp File Deletion production
YARA-L Windows Event Log Cleared
Elastic Windows Event Logs Cleared production
Splunk Windows Indicator Removal Via Rmdir production
Sigma Windows Mail App Mailbox Access Via PowerShell Script test
Splunk Windows Powershell History File Deletion production
Splunk Windows Rdp AutomaticDestinations Deletion production
Splunk Windows RDP Cache File Deletion production
Splunk Windows RDP Server Registry Deletion production

Indicator Removal: Clear Windows Event Logs T1070.001 14 rules

Splunk Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal production
Splunk Clear Windows Event Logs (Windows Event Log)
Elastic Clearing Windows Event Logs production
Panther Crowdstrike Systemlog Tampering
Elastic Disable Windows Event and Security Logs Using Built-in Tools production
Sigma Event log clear attempt (command) experimental
Sigma Event log clear attempt (PowerShell) experimental
Sigma Event log clear attempt (wmi) experimental
Sigma Event log cleared (native) experimental
Sigma Event log cleared using Diagnostics (via PowerShell) stable
Elastic PowerShell Script with Log Clear Capabilities production building block
Elastic Sensitive Audit Policy Sub-Category Disabled production
YARA-L Windows Event Log Cleared
Elastic Windows Event Logs Cleared production

Indicator Removal: Clear Linux or Mac System Logs T1070.002 4 rules

Elastic Attempt to Clear Kernel Ring Buffer production
Elastic Attempt to Clear Logs via Journalctl production
Elastic File Creation in /var/log via Suspicious Process production
Elastic System Log File Deletion production

Indicator Removal: Clear Command History T1070.003 15 rules

Sigma Cisco Clear Logs test
Sigma Clear PowerShell History - PowerShell test
Sigma Clear PowerShell History - PowerShell Module test
Sigma Clearing Windows Console History test
Elastic Clearing Windows Console History production
Sigma Disable Powershell Command History test
Sigma Linux Command History Tampering test
Sigma RunMRU Registry Key Deletion experimental
Sigma RunMRU Registry Key Deletion - Registry experimental
Elastic Shell Command-Line History Deletion Detected via Defend for Containers production
Elastic Shell History Clearing via Environment Variables production
Sigma Suspicious IO.FileStream test
Elastic Tampering of Shell Command-Line History production
Splunk Windows ConsoleHost History File Deletion production
Splunk Windows Powershell History File Deletion production

Indicator Removal: File Deletion T1070.004 46 rules

Sigma ADS Zone.Identifier Deleted test
Sigma ADS Zone.Identifier Deleted By Uncommon Application test
Sigma Backup Catalog Deleted test
Sigma Cisco File Deletion test
Kusto CiscoISE - Log files deleted available
Splunk Clear Unallocated Sector Using Cipher App production
Elastic Delete Volume USN Journal with Fsutil production
Sigma Directory Removal Via Rmdir test
Elastic File Creation, Execution and Self-Deletion in Suspicious Directory production
Sigma File Deleted Via Sysinternals SDelete test
Sigma File Deletion stable
Sigma File Deletion Via Del test
Elastic File Deletion via Shred production
Elastic File or Directory Deletion Command production building block
Sigma Greedy File Deletion Using Del test
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Elastic Kubernetes Events Deleted production
Splunk Linux Account Manipulation Of SSH Config and Keys production
Splunk Linux Deletion Of Cron Jobs production
Splunk Linux Deletion Of Init Daemon Script production
Splunk Linux Deletion Of Services production
Splunk Linux Deletion of SSL Certificate production
Splunk Linux High Frequency Of File Deletion In Boot Folder production
Splunk Linux High Frequency Of File Deletion In Etc Folder production
Splunk Linux Indicator Removal Service File Deletion production
Sigma macOS Data Destruction Tools experimental
Sigma macOS ESF Deletion In Sensitive Directories experimental
Elastic Potential REMCOS Trojan Execution production
Sigma Potential Secure Deletion with SDelete test
Elastic Potential Secure File Deletion via SDelete Utility production
Sigma Potentially Suspicious Ping/Copy Command Combination test
Sigma Prefetch File Deleted test
Splunk Recursive Delete of Directory In Batch CMD production
Splunk Sdelete Application Execution production
Elastic SSH Authorized Keys File Deletion production
Elastic SSL Certificate Deletion production
Sigma Suspicious Ping/Del Command Combination test
Elastic Suspicious Print Spooler File Deletion production
Elastic System Log File Deletion production
Sigma TeamViewer Log File Deleted test
Sigma Use Of Remove-Item to Delete File - ScriptBlock test
Elastic WebServer Access Logs Deleted production
Splunk Windows Default Rdp File Deletion production
Splunk Windows Rdp AutomaticDestinations Deletion production
Splunk Windows RDP Cache File Deletion production
Splunk Windows RDP Server Registry Deletion production

Indicator Removal: Network Share Connection Removal T1070.005 6 rules

Splunk Create or delete windows shares using net exe production
Sigma Disable Administrative Share Creation at Startup test
Sigma MaxMpxCt Registry Value Changed test
Splunk Network Share Connection Removal (PowerShell)
Sigma PowerShell Deleted Mounted Share test
Sigma Unmount Share Via Net.EXE test

Indicator Removal: Timestomp T1070.006 15 rules

Splunk ESXi System Clock Manipulation production
Elastic ESXI Timestomping using Touch Command production
Sigma File Creation Date Changed to Another Year test
Sigma File Time Attribute Change test
Sigma File Time Attribute Change - Linux test
Elastic Potential Timestomp in Executable Files production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Timestomp test
Sigma System time changed experimental
Sigma System time changed (PowerShell) experimental
Splunk Timestamp Manipulation (PowerShell)
Splunk Timestamp Manipulation (Windows Event Log)
Elastic Timestomping using Touch Command production
Sigma Touch Suspicious Service File test
Sigma Unauthorized System Time Modification test

Indicator Removal: Clear Mailbox Data T1070.008 9 rules

Splunk Cisco ASA - User Account Deleted From Local Database production
Elastic M365 Exchange MFA Notification Email Deleted or Moved production
Splunk O365 Email Hard Delete Excessive Volume production
Splunk O365 Email Password and Payroll Compromise Behavior production
Splunk O365 Email Receive and Hard Delete Takeover Behavior production
Splunk O365 Email Send and Hard Delete Exfiltration Behavior production
Splunk O365 Email Send and Hard Delete Suspicious Behavior production
Splunk O365 Email Send Attachments Excessive Volume production
Sigma Windows Mail App Mailbox Access Via PowerShell Script test

Indicator Removal: Clear Persistence T1070.009 2 rules

Panther Slack App Removed
Panther Wiz User Created Or Deleted

Valid Accounts T1078 728 rules

Panther A Login from Outside the Corporate Office
Elastic Access to a Sensitive LDAP Attribute production
Kusto Account added and removed from privileged groups
Kusto Account Created and Deleted in Short Timeframe available
Sigma Account Created And Deleted Within A Close Time Frame test
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Elastic Account Discovery Command via SYSTEM Account production
Kusto Account Elevated to New Role
Sigma Account renamed to admin (or likely) account to evade defense experimental
Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Account Tampering - Suspicious Failed Logon Reasons test
Kusto Acronis - Login from Abnormal IP - Low Occurrence
Sigma Activity From Anonymous IP Address test
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Panther Admin Role Assigned
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Kusto AdminSDHolder Modifications
Elastic AdminSDHolder SDProp Exclusion Added production
Kusto Anomalous login followed by Teams action
Kusto Anomalous sign-in location by user account and authenticating application available
Kusto Anomalous Single Factor Signin
Kusto Anomaly Sign In Event from an IP
Kusto ApexOne - Device access permissions was changed available
Elastic Apple Scripting Execution with Administrator Privileges production
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Sigma Application Using Device Code Authentication Flow test
Sigma Applications That Are Using ROPC Authentication Flow test
Panther AppOmni Alert Passthrough
Splunk ASL AWS Create Policy Version to allow all resources production
Splunk ASL AWS SAML Update identity provider production
Kusto Attempt to bypass conditional access rule in Microsoft Entra ID available
Elastic Attempt to Enable the Root Account production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Attempts to sign in to disabled accounts available
Sigma Atypical Travel test
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Sigma Authentications To Important Apps Using Single Factor Authentication test
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Panther AWS Backdoor Administrative IAM Role Created
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Splunk AWS Bedrock Invoke Model Access Denied production
Elastic AWS CloudShell Environment Created production
Panther AWS CloudTrail Password Spraying Experimental
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
Panther AWS GuardDuty Critical Severity Finding
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Panther AWS IAM Group Users
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Panther AWS IAM Policy Administrative Privileges
Panther AWS IAM Policy Assigned to User
Panther AWS IAM Policy Blocklist
Panther AWS IAM Policy Does Not Grant Any Administrative Access
Panther AWS IAM Policy Does Not Grant Network Admin Access
Panther AWS IAM Resource Does Not Have Inline Policy
Panther AWS IAM Role Restricts Usage
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Panther AWS IAM User Not In Conflicting Groups
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Key Pair Import Activity experimental
Elastic AWS Management Console Root Login production
Panther AWS Potential Backdoor Lambda Function Through Resource-Based Policy Experimental
Elastic AWS Rare Source AS Organization Activity production
Panther AWS Root Account Hardware MFA
Panther AWS Root Account MFA
Sigma AWS Root Credentials test
YARA-L AWS SAML Identity Provider Changes
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SAML Update identity provider production
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
YARA-L AWS Successful Login After Multiple Failed Attempts
Splunk AWS Successful Single-Factor Authentication production
Sigma AWS Suspicious SAML Activity test
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Panther AWS.Administrative.IAM.User.Created
Kusto AWSCloudTrail - Changes to Amazon VPC settings available
Kusto AWSCloudTrail - Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - NRT Login to AWS Management Console without MFA available
Kusto AWSCloudTrail - SAML update identity provider available
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple AppIDs and UserAgents Authentication Spike production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Sigma Azure AD Threat Intelligence test
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Elastic Azure Automation Account Created production
Panther Azure Automation Account Created
Panther Azure Device Code Authentication with Broker Client
Sigma Azure Domain Federation Settings Modified test
Panther Azure High-Risk Sign-In
Panther Azure Invite External Users
Sigma Azure Kubernetes Admission Controller test
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Sigma Azure Login Bypassing Conditional Access Policies experimental
Kusto Azure Machine Learning Write Operations available
Panther Azure Many Failed SignIns
Panther Azure MFA Disabled
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Protection Multiple Alerts for User
Kusto Azure RBAC (Elevate Access)
Panther Azure RiskLevel Passthrough
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Azure Subscription Permission Elevation Via AuditLogs test
Sigma Azure Unusual Authentication Interruption test
Sigma Azure Windows virtual machine login via serial console experimental
Sigma Bitbucket User Login Failure test
Kusto Bitglass - Impossible travel distance available
Kusto Bitglass - Login from new device available
Kusto Bitglass - New admin user available
Kusto Bitglass - New risky user available
Kusto Bitglass - User Agent string has changed for user available
Kusto Bitglass - User login from new geo location available
Sigma Bitlocker Key Retrieval test
Kusto Box - Inactive user login available
Kusto Box - New external user available
Kusto Box - User logged in as admin available
Kusto Box - User role changed to owner available
Panther Box New Login
Panther Box Shield Suspicious Alert Triggered
Panther Box Untrusted Device Login
Sigma Brutforce with denied access due to account restrictions policies experimental
Kusto BTP - Build Work Zone unauthorized access and role tampering available
Kusto BTP - User added to Cloud Identity Service privileged Administrators list available
Kusto BTP - User added to sensitive privileged role collection available
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Kusto Cisco - firewall block but success logon to Microsoft Entra ID
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Sigma Cisco BGP Authentication Failures test
Kusto Cisco Duo - Admin password reset available
Kusto Cisco Duo - Admin user created available
Kusto Cisco Duo - Authentication device new location available
Kusto Cisco Duo - Multiple admin 2FA failures available
Kusto Cisco Duo - Multiple user login failures available
Kusto Cisco Duo - New access device available
Kusto Cisco Duo - Unexpected authentication factor available
Splunk Cisco IOS Suspicious Privileged Account Creation production
Splunk Cisco IOS XE WebUI Login From IOSd Local Port production
Splunk Cisco IOS XE WebUI Programmatic Configuration production
Sigma Cisco LDP Authentication Failures test
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cloud API Calls From Previously Unseen User Roles production
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Splunk Cloud Provisioning Activity From Previously Unseen City production
Splunk Cloud Provisioning Activity From Previously Unseen Country production
Splunk Cloud Provisioning Activity From Previously Unseen IP Address production
Splunk Cloud Provisioning Activity From Previously Unseen Region production
Panther CloudTrail Password Spraying Deprecated
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Kusto Conditional Access - A Conditional Access user/group/role exclusion has changed
Kusto Conditional Access Policy Modified by New User
Sigma Console Login With MFA test
Sigma Console Login Without MFA test
Kusto Copilot - Jailbreak Attempt Detected available
Kusto Correlate Unfamiliar sign-in properties & atypical travel alerts available
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Elastic CyberArk Privileged Access Security Error production
Panther Databricks Attempted Logon From Denied IP Experimental
Panther Databricks Delta Sharing IP Access Failures Experimental
Panther Databricks Employee Logon Experimental
Panther Databricks Non-SSO Login Detected Experimental
Panther Databricks Potential Privilege Escalation Experimental
Panther Databricks Repeated Failed Login Attempts Experimental
Kusto Dataverse - Hierarchy security manipulation available
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Dataverse - Login from IP in the block list available
Kusto Dataverse - Login from IP not in the allow list available
Kusto Dataverse - New Dataverse application user activity type available
Kusto Dataverse - New non-interactive identity granted access available
Kusto Dataverse - New sign-in from an unauthorized domain available
Kusto Dataverse - New user agent type that was not used before available
Kusto Dataverse - Organization settings modified available
Kusto Dataverse - TI map IP to DataverseActivity available
Elastic Delegated Managed Service Account Modification by an Unusual User production
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Splunk Detect Excessive Account Lockouts From Endpoint production
Splunk Detect Excessive User Account Lockouts production
Kusto Detect PIM Alert Disabling activity
Kusto Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
Sigma Device Registration or Join Without MFA test
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Kusto EatonForeseer - Unauthorized Logins available
Kusto Elevation of Privilege attempt detected available
Kusto Email access via active sync
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID External Guest User Invited production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Privileged Identity Management (PIM) Role Modified production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Splunk ESXi Account Modified production
Splunk ESXi External Root Login Activity production
Splunk ESXi Shared or Stolen Root Account production
Splunk ESXi User Granted Admin Role production
Elastic Execution with Explicit Credentials via Scripting production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Elastic External User Added to Google Workspace Group production
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Kusto F&O - Unusual sign-in activity using single factor authentication available
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Kusto Failed AWS Console logons but success logon to AzureAD
Kusto Failed AzureAD logons but success logon to AWS Console
Kusto Failed AzureAD logons but success logon to host
Kusto Failed host logons but success logon to AzureAD
Sigma Failed Logon From Public IP test
Kusto Failed sign-ins into LastPass due to MFA available
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Account Performing DCSync production
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic First-Time FortiGate Administrator Login production
Elastic FortiGate Administrator Login from Multiple IP Addresses production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Elastic FortiGate SSL VPN Login Followed by SIEM Alert by User production
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Detect gcploit framework experimental
Kusto GCP IAM - High privileged role added to service account available
Elastic GCP IAM Custom Role Creation production
Panther GCP IAM Role Has Changed
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Splunk Geographic Improbable Location experimental
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Kusto GitHub - A payment method was removed available
Kusto GitHub - Oauth application - a client secret was removed available
Kusto GitHub - pull request was created available
Kusto GitHub - pull request was merged available
Kusto GitHub - Repository was created available
Kusto GitHub - Repository was destroyed available
Kusto GitHub - User visibility Was changed available
Kusto GitHub - User was added to the organization available
Kusto GitHub - User was blocked available
Kusto GitHub - User was invited to the repository available
Kusto GitHub Activites from a New Country available
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Panther GitHub User Access Key Created
Kusto GitLab - TI - Connection from Malicious IP available
Kusto GitLab - User Impersonation available
Sigma Google Cloud Kubernetes Admission Controller test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Sigma Google Workspace Government Attack Warning experimental
Elastic Google Workspace Login Flagged Suspicious production building block
YARA-L Google Workspace SAML IDP Configuration Change
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Group created then added to built in domain local or global group
Kusto GSA - Detect Connections Outside Operational Hours available
Panther GSuite Login Type
Sigma Guest Account Enabled Via Sysadminctl test
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Sigma Guest Users Invited To Tenant By Non Approved Inviters test
Elastic High Command Line Entropy Detected for Privileged Commands production
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Kusto High-Risk Cross-Cloud User Impersonation
Sigma Huawei BGP Authentication Failures test
Kusto Hunt for critical credentials on devices with non-critical accounts
Kusto Hunt for privilege escalation paths with high ACLs
Panther IAM Administrator Role Policy Attached
Panther IAM Inline Policy Network Admin
Panther IAM Role Created
Panther IAM Role Policy Updated to Allow Internet Access
Panther IAM User Created
Panther IAM User Policy Attached with Administrator Access
Kusto Illusive Incidents Analytic Rule available
Sigma Impossible Travel test
Panther Impossible Travel for Login Action
Sigma Increased Failed Authentications Of Any Type test
Sigma Invalid PIM License test
Kusto IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
Kusto Jira - Global permission added available
Kusto Jira - New site admin user available
Kusto Jira - New site admin user available
Kusto Jira - New user created available
Kusto Jira - User's password changed multiple times available
Sigma Juniper BGP Missing MD5 test
Elastic Kerberos Pre-authentication Disabled for User production
Elastic Kubeconfig File Creation or Modification production
Sigma Kubernetes Admission Controller Modification test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Elastic Kubernetes Unusual Decision by User Agent production
Panther Lambda Code Updated by User Experimental
Panther Lambda Configuration Updated with Layers by User
Sigma Lateral movement detection (based on "special groups" feature) experimental
Sigma Login to Disabled Account test
YARA-L Logins From Terminated Employees
Panther Logins Without MFA
Panther Logins Without SAML
Sigma Logon from a Risky IP Address test
Splunk M365 Copilot Application Usage Pattern Anomalies production
Splunk M365 Copilot Session Origin Anomalies production
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Elastic M365 or Entra ID Identity Sign-in from a Suspicious Source production
Kusto M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity
Sigma macOS Authentication Events experimental
Sigma macOS SSH Connection Detection experimental
Sigma macOS Sudo Privilege Escalation Attempts experimental
Kusto Malicious BEC Inbox Rule
Kusto Malicious Inbox Rule available
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma Measurable Increase Of Successful Authentications test
Kusto MFA Rejected by User available
Sigma Microsoft 365 - Impossible Travel Activity test
Kusto Microsoft Entra ID PowerShell accessing non-Entra ID resources available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Splunk Multiple Host logons (Windows Event Log)
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Kusto Multiple Password Reset by user
Kusto Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) available
Sigma Network login performed to multiple targets experimental
Sigma New Country test
Kusto New country signIn with correct password
Kusto New Device/Location sign-in along with critical operation available
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto New user created and added to the built-in administrators group
Kusto Non-admin guest available
Kusto NRT Malicious Inbox Rule
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
Kusto NRT User added to Microsoft Entra ID Privileged Groups available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Multiple AppIDs and UserAgents Authentication Spike production
Splunk O365 Security And Compliance Alert Triggered production
Panther Okta AD Agent Authentication Anomaly - Z-Score Detection Experimental
Elastic Okta Admin Console Login Failure production building block
Panther Okta Admin Role Assigned
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Panther Okta Login Without Push
YARA-L Okta Multiple User's Logins With Invalid Credentials From The Same IP
Sigma Okta New Admin Console Behaviours test
YARA-L Okta New API Token Created
Splunk Okta New API Token Created production
Splunk Okta Non-Standard VPN Usage experimental
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Risk Threshold Exceeded production
Elastic Okta Sign-In Events via Third-Party IdP production
YARA-L Okta Successful High Risk User Logins
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta Suspicious Activity Reported production
Panther Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral Experimental
Panther Okta SWA Off-Hours Credential Access - Behavioral Experimental
Splunk Okta ThreatInsight Threat Detected production
YARA-L Okta User Account Lockout
YARA-L Okta User Login Out Of Hours
YARA-L Okta User Logins From Multiple Cities
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L Okta User Suspicious Activity Reported
Panther OneLogin High Risk Failed Login FOLLOWED BY Successful Login
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Panther OpenAI Admin Role Assignment
Panther OpenAI Anomalous API Key Activity
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - Telnet Login Attempt test
Kusto OracleDBAudit - Connection to database from external IP available
Kusto OracleDBAudit - Connection to database from unknown IP available
Kusto OracleDBAudit - New user account available
Kusto OracleDBAudit - User activity after long inactivity time available
Kusto OracleDBAudit - User connected to database from new IP available
Kusto Palo Alto Prisma Cloud - Access keys are not rotated for 90 days available
Kusto Palo Alto Prisma Cloud - Anomalous access key usage available
Kusto Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions available
Kusto Palo Alto Prisma Cloud - Inactive user available
Sigma Password Provided In Command Line Of Net.EXE test
Sigma Password Reset By User Account test
Kusto Pathlock TDnR - Emergency User (AdminTrack) Activity available
Kusto Pathlock TDnR - Multiple Login Sessions Detected available
Kusto Pathlock TDnR - SAP Cloud Account Administration Events available
Kusto Pathlock TDnR - SAP HANA Database Audit Trail available
Kusto Pathlock TDnR - User Access Management Password Resets available
Sigma PIM Alert Setting Changes To Disabled test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Ping Federate - Abnormal password resets for user available
Kusto Ping Federate - Authentication from new IP. available
Kusto Ping Federate - Forbidden country available
Kusto Ping Federate - New user SSO success login available
Kusto Ping Federate - Password reset request from unexpected source IP address.. available
Kusto Ping Federate - Unexpected authentication URL. available
Kusto Ping Federate - Unexpected country for user available
Kusto Ping Federate - Unusual mail domain. available
Splunk PingID Multiple Failed MFA Requests For User production
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Elastic Potential Account Takeover - Logon from New Source IP production
Elastic Potential Account Takeover - Mixed Logon Types production
Elastic Potential Admin Group Account Addition production
Panther Potential Compromised Okta Credentials
Elastic Potential Credential Access via DCSync production
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Impersonation Attempt via Kubectl production
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Splunk Potential password in username production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Kusto Potential Ransomware activity related to Cobalt Strike available
Elastic Potential Successful SSH Brute Force Attack production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Kusto Power Apps - App activity from unauthorized geo available
Kusto Power Platform - Account added to privileged Microsoft Entra roles available
Kusto Power Platform - Possibly compromised user accesses Power Platform services available
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto ProofpointPOD - Binary file in attachment available
Kusto ProofpointPOD - Email sender in TI list
Kusto ProofpointPOD - Email sender IP in TI list
Kusto ProofpointPOD - Possible data exfiltration to private email available
Elastic Rare User Logon production
Sigma RDP reconnaissance with valid credentials performed on multiple hosts experimental
Kusto RecordedFuture Threat Hunting Url All Actors
Kusto Red Sift - Login from previously unseen IP address available
Sigma Refresh Token Exchange from Excessive Locations experimental
Sigma Refresh Token Exchange from Multiple User Agents experimental
Sigma Refresh Token Reuse Detection experimental
Elastic Remote Computer Account DnsHostName Update production
Sigma Roles Activated Too Frequently test
Sigma Roles Activation Doesn't Require MFA test
Sigma Roles Are Not Being Used test
Sigma Roles Assigned Outside PIM test
Panther Root Account Activity
Sigma Root Account Enable Via Dsenableroot test
Panther Root Console Login
Splunk Rubeus Password Change (Windows Event Log)
Panther Salesforce API Anomaly Detection (RET Passthrough)
YARA-L sap break glass account login
YARA-L sap impossible travel
YARA-L sap multi terminal logon
Kusto Semperis DSP Failed Logons available
Kusto Sentinel One - Admin login from new location available
Kusto Sentinel One - New admin created available
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Kusto Service principal not using client credentials available
Splunk Short Lived Windows Accounts production
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts available
Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Sigma Sign-ins from Non-Compliant Devices test
Kusto SlackAudit - User email linked to account changed. available
Kusto SlackAudit - User login after deactivated. available
Kusto SlackAudit - User role changed to admin or owner available
Kusto Snowflake - Multiple login failures by user available
Kusto Snowflake - Multiple login failures from single IP available
Kusto Snowflake - User granted admin privileges available
Panther Snowflake Account Admin Granted
Panther Snowflake Account Admin Granted
Elastic Spike in Group Application Assignment Change Events production
Elastic Spike in Group Lifecycle Change Events production
Elastic Spike in Group Management Events production
Elastic Spike in Group Membership Events production
Elastic Spike in Group Privilege Change Events production
Elastic Spike in Logon Events production
Elastic Spike in Privileged Command Execution by a User production
Elastic Spike in Special Logon Events production
Elastic Spike in Special Privilege Use Events production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Spike in User Account Management Events production
Elastic Spike in User Lifecycle Management Change Events production
Sigma SQL Server - Connection attempt using a disabled account experimental
Sigma Stale Accounts In A Privileged Role test
Kusto StealthTalk - After hours work available
Kusto StealthTalk - Login outside work zone available
Kusto StealthTalk - Multi new devices registration available
Sigma Success login attempt on a Windows OpenSSH server experimental
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Successful AWS Console Login from IP Address Observed Conducting Password Spray
Kusto Successful logins to SOC Prime platform from bad IP addresses available
Kusto Successful logon from IP and failure from a different IP available
Elastic Successful SSH Authentication from Unusual IP Address production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Elastic Suspicious Activity Reported by Okta User production
Kusto Suspicious AWS console logins by credential access alerts
Sigma Suspicious Browser Activity test
Splunk Suspicious Computer Account Name Change production
Sigma Suspicious Computer Machine Password by PowerShell test
Splunk Suspicious Kerberos Service Ticket Request production
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Sigma Suspicious Remote Logon with Explicit Credentials test
Kusto Suspicious Service Principal creation activity available
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Sigma Suspicious SignIns From A Non Registered Device test
Splunk Suspicious Ticket Granting Ticket Request production
Kusto Suspicious VM Instance Creation Activity Detected
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups available
Kusto Threat Essentials - User Assigned Privileged Role available
Sigma Too Many Global Admins test
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Sigma Unfamiliar Sign-In Properties test
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Host Name for Windows Privileged Operations Detected production
Elastic Unusual Hour for a User to Logon production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Linux Username production
Elastic Unusual Login via System User production
Splunk Unusual Number of Computer Service Tickets Requested experimental
Splunk Unusual Number of Remote Endpoint Authentication Events experimental
Elastic Unusual Privilege Type assigned to a User production
Elastic Unusual Process Detected for Privileged Commands by a User production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Windows Privileged Operations Detected production
Elastic Unusual Source IP for a User to Logon from production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Windows Privileged Operations Detected production
Elastic Unusual Spike in Concurrent Active Sessions by a User production
Elastic Unusual Windows Remote User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User account added to built in domain local or global group
Kusto User account created and deleted within 10 mins
Kusto User account enabled and disabled within 10 mins
Kusto User Accounts - Sign in Failure due to CA Spikes available
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Kusto User Added to Admin Role
Sigma User Added to an Administrator's Azure AD Role test
Sigma User Added to Local Administrator Group stable
Kusto User added to Microsoft Entra ID Privileged Groups available
Sigma User Added To Privilege Role test
Elastic User Added to the Admin Group production
Kusto User Assigned New Privileged Role available
Kusto User joining Zoom meeting from suspicious timezone
Panther User Logged in wihout MFA
Kusto User Login from Different Countries within 3 hours available
Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
Kusto User Sign in from different countries available
Sigma User State Changed From Guest To Member test
Kusto UserAccountDisabled available
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Kusto Valimail Enforce - High-Value User Management Event available
Kusto Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available
Kusto vCenter - Root impersonation available
Kusto VMware ESXi - Multiple new VMs started available
Kusto VMware ESXi - New VM started available
Kusto VMware ESXi - Root impersonation available
Kusto VMware ESXi - Root login available
Kusto VMware ESXi - Root password changed available
Kusto VMware ESXi - Shared or stolen root account available
Kusto VMware vCenter - Root login available
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Splunk Windows Entra User Management Via Azure CLI production
Splunk Windows Group Policy Object Created production
Splunk Windows Guest Account Enabled Via Net.EXE production
Splunk Windows Large Number of Computer Service Tickets Requested production
Splunk Windows Multiple Account Passwords Changed production
Splunk Windows Multiple Accounts Deleted production
Splunk Windows Multiple Accounts Disabled production
Splunk Windows PowerView AD Access Control List Enumeration production
Splunk WMIC Explicit Credentials (Sysmon)
Splunk WMIC Explicit Credentials (Windows Event Log)
Kusto Workspace deletion activity from an infected device
Panther Zendesk Account Owner Changed
Panther Zendesk Mobile App Access Modified
Splunk Zoom High Video Latency experimental
Kusto Zscaler - Connections by dormant user available
Kusto Zscaler - Shared ZPA session available
Kusto Zscaler - Unexpected event count of rejects by policy available
Kusto Zscaler - Unexpected ZPA session duration available
Kusto Zscaler - ZPA connections by new user available
Kusto Zscaler - ZPA connections from new IP available

Valid Accounts: Default Accounts T1078.001 15 rules

Splunk Account set to active via Net.exe (EDR)
Splunk Account set to active via Net.exe (Sysmon)
Splunk Account set to active via Net.exe (Windows Event Log)
Sigma Admin User Remote Logon test
Kusto AWS Security Hub - Detect IAM Policies allowing full administrative privileges available
Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
Sigma Guest Account Enabled Via Sysadminctl test
Elastic Kubernetes Anonymous Request Authorized by Unusual User Agent production
Elastic Kubernetes Suspicious Assignment of Controller Service Account production
Splunk Okta New API Token Created production
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Splunk Okta Suspicious Activity Reported production
Sigma Root Account Enable Via Dsenableroot test
Panther Snowflake Grant to Public Role
Splunk Windows Guest Account Enabled Via Net.EXE production

Valid Accounts: Domain Accounts T1078.002 28 rules

Elastic Access to a Sensitive LDAP Attribute production
Sigma Account renamed to admin (or likely) account to evade defense experimental
Sigma Admin User Remote Logon test
Elastic AdminSDHolder Backdoor production
Elastic AdminSDHolder SDProp Exclusion Added production
Elastic Delegated Managed Service Account Modification by an Unusual User production
Splunk Detect Excessive Account Lockouts From Endpoint production
Elastic dMSA Account Creation by an Unusual User production
Sigma DMSA Link Attributes Modified experimental
Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
Elastic First Time Seen Account Performing DCSync production
Kusto High-Risk Cross-Cloud User Impersonation
Elastic Kerberos Pre-authentication Disabled for User production
Sigma Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure test
Sigma New DMSA Service Account Created in Specific OUs experimental
Elastic Potential Credential Access via DCSync production
Elastic Potential Privileged Escalation via SamAccountName Spoofing production
Elastic Rare User Logon production
Elastic Remote Computer Account DnsHostName Update production
Elastic Spike in Special Logon Events production
Elastic Spike in Successful Logon Events from a Source IP production
Splunk Suspicious Computer Account Name Change production
Splunk Suspicious Kerberos Service Ticket Request production
Splunk Suspicious Ticket Granting Ticket Request production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Splunk Windows Group Policy Object Created production
Splunk Windows PowerView AD Access Control List Enumeration production

Valid Accounts: Local Accounts T1078.003 23 rules

Elastic Account Discovery Command via SYSTEM Account production
Sigma Admin User Remote Logon test
Elastic Attempt to Enable the Root Account production
Splunk Cisco ASA - New Local User Account Created production
Splunk Cisco ASA - User Privilege Level Change production
Splunk Detect Excessive User Account Lockouts production
Elastic Mounting Hidden or WebDav Remote Shares production
Elastic Potential Admin Group Account Addition production
Elastic Potential Hidden Local User Account Creation production
Splunk Potential password in username production
Elastic Potential Suspicious DebugFS Root Device Access production
Elastic Rare User Logon production
Sigma Root Account Enable Via Dsenableroot test
Splunk Short Lived Windows Accounts production
Elastic Spike in Successful Logon Events from a Source IP production
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Login via System User production
Elastic Unusual Windows User Privilege Elevation Activity production
Elastic Unusual Windows Username production
Sigma User Added To Admin Group Via Dscl test
Sigma User Added To Admin Group Via DseditGroup test
Sigma User Added To Admin Group Via Sysadminctl test
Elastic User Added to the Admin Group production

Valid Accounts: Cloud Accounts T1078.004 290 rules

Kusto Account Created and Deleted in Short Timeframe available
Kusto Account created or deleted by non-approved user available
Sigma Account Disabled or Blocked for Sign in Attempts test
Kusto Account Elevated to New Role
Kusto Addition of a Temporary Access Pass to a Privileged Account
Kusto Admin promotion after Role Management Application Permission Grant available
Kusto Anomalous Single Factor Signin
Sigma Application AppID Uri Configuration Changes test
Kusto Application ID URI Changed
Kusto Application Redirect URL Update
Sigma Application URI Configuration Changes test
Splunk ASL AWS Create Policy Version to allow all resources production
Sigma Attempt To Get Credentials For Identity experimental
Sigma Attempt To Get Federation Token experimental
Sigma Attempt To Get Signin Token experimental
Kusto Authentication Attempt from New Country
Kusto Authentications of Privileged Accounts Outside of Expected Controls
Elastic AWS Access Token Used from Multiple Addresses production
YARA-L AWS API Call Outside Of Organization
Elastic AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN production
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Elastic AWS CloudShell Environment Created production
Panther AWS Compromised IAM Key Quarantine
YARA-L AWS Console Login Without MFA
Splunk AWS Create Policy Version to allow all resources production
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Instance Interaction with IAM Service production building block
Elastic AWS EC2 Instance Profile Associated with Running Instance production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
YARA-L AWS IAM Administrator Access Policy Attached
Elastic AWS IAM API Calls via Temporary Session Tokens production
Elastic AWS IAM Assume Role Policy Update production
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Elastic AWS IAM Login Profile Added for Root production
Elastic AWS IAM Login Profile Added to User production building block
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Elastic AWS IAM OIDC Provider Created by Rare User production
Sigma AWS IAM S3Browser LoginProfile Creation test
Sigma AWS IAM S3Browser Templated S3 Bucket Policy Creation test
Sigma AWS IAM S3Browser User or AccessKey Creation test
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM Sensitive Operations via Lambda Execution Role production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Panther AWS IMDS Credential Usage Outside Expected Services Experimental
Elastic AWS Management Console Root Login production
Elastic AWS Rare Source AS Organization Activity production
Sigma AWS Root Credentials test
Sigma AWS SAML Provider Deletion Activity experimental
Splunk AWS SetDefaultPolicyVersion production
Elastic AWS Sign-In Console Login with Federated User production
Elastic AWS Sign-In Root Password Recovery Requested production
Elastic AWS Sign-In Token Created production building block
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS AssumeRoot by Rare User and Member Account production
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Successful Console Login Without MFA experimental
Splunk AWS Successful Single-Factor Authentication production
Elastic AWS Suspicious User Agent Fingerprint production
YARA-L AWS User Creates Permanent Access Key
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple Failed MFA Requests For User production
Sigma Azure AD Only Single Factor Authentication Required test
Splunk Azure AD Service Principal Authentication production
Splunk Azure AD Successful PowerShell Authentication production
Splunk Azure AD Successful Single-Factor Authentication production
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Panther Azure Automation Runbook Created or Modified
Panther Azure Device Code Authentication with Broker Client
Panther Azure Kubernetes RoleBinding or ClusterRoleBinding Created
Elastic Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created production
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Azure Policy DeployIfNotExists Action Triggered
Panther Azure Privileged or Elevated Role Assignment
Panther Azure Protection Multiple Alerts for User
Panther Azure ROPC Login Attempt Without MFA Experimental
Splunk Azure Runbook Webhook Created production
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Sigma Azure Subscription Permission Elevation Via ActivityLogs test
Sigma Bitbucket User Login Failure test
Sigma Bitlocker Key Retrieval test
Kusto Bulk Changes to Privileged Account Permissions available
Kusto Changes to Application Logout URL
Kusto Changes to Application Ownership
Kusto Changes to PIM Settings
Sigma Changes To PIM Settings test
Splunk Cloud Compute Instance Created By Previously Unseen User production
Splunk Cloud Instance Modified By Previously Unseen User production
Kusto Conditional Access Policy Modified by New User
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect device code login with user risk
Sigma Device Registration or Join Without MFA test
Kusto End-user consent stopped due to risk-based consent
Elastic Entra ID Actor Token User Impersonation Abuse production
YARA-L Entra ID Admin Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID High Risk Sign-in production
Elastic Entra ID High Risk User Sign-in Heuristic production
Elastic Entra ID Kali365 Default User-Agent Detected production
YARA-L Entra ID Login Activity to Uncommon MS Cloud Apps
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth ROPC Grant Login Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID PowerShell Sign-in production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Protection Admin Confirmed Compromise production
Elastic Entra ID Protection Alerts for User Detected production
Elastic Entra ID Protection User Alert and Device Registration production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID Service Principal with Unusual Source ASN production
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic Entra ID User Added as Service Principal Owner production
Elastic Entra ID User Reported Suspicious Activity production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Elastic Entra ID User Sign-in with Unusual Non-Managed Device production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Elastic External User Added to Google Workspace Group production
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub User production building block
Elastic First Occurrence of Okta User Session Started via Proxy production
Elastic First Occurrence of Personal Access Token (PAT) Use For a GitHub User production building block
Elastic First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User-Agent For a GitHub User production building block
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Panther GAIA GCPW Credential Theft Attack Chain
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multiple Failed MFA Requests For User production
Splunk GCP Successful Single-Factor Authentication production
Panther GCP User Added to Privileged Group
YARA-L GCP Workload Identity Pool Disabled Or Deleted
Sigma Get Credentials For Identity experimental
Sigma Get Federation Token experimental
Sigma Get Signin Token experimental
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github New Secret Created test
Sigma Github Self Hosted Runner Changes Detected test
Sigma Github SSH Certificate Configuration Changed test
Elastic Google Workspace Device Registration Burst for Single User production
YARA-L Google Workspace External User Added To Group
Elastic Google Workspace Login Flagged Suspicious production building block
Panther Google Workspace Login Type Anomaly
Panther Google Workspace OAuth Application Authorized with Privileged Scopes Experimental
Panther Google Workspace OAuth Token Requests from New IP
Panther Google Workspace Rapid Multi-IP Authentication
Elastic Google Workspace Suspended User Account Renewed production
Elastic Google Workspace User Login with Unusual ASN production
Elastic Google Workspace User Sign-in from Atypical Device Type production
YARA-L Google Workspace User Unsuspended
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma Guest User Invited By Non Approved Inviters test
Kusto Guest Users Invited to Tenant by New Inviters
Elastic High Number of Okta User Password Reset or Unlock Attempts production
Kusto High-Risk Cross-Cloud User Impersonation
Panther IAM Role Added to RDS Instance or Cluster
Panther Kubernetes ClusterRoleBinding to Privileged Role
Panther Kubernetes Role With Node Proxy Permissions Created
Panther Kubernetes Role With Pod Exec Permissions Created
Panther Kubernetes Role With Wildcard Permissions Created Experimental
Panther Kubernetes Service Account Token Theft from Pod
Panther Kubernetes System Role Modified or Deleted Experimental
Sigma Login to Disabled Account test
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity Login from Atypical Region production
Elastic M365 Identity Login from Impossible Travel Location production
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Phishing via First-Party Microsoft Application production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Elastic M365 Identity User Account Lockouts production
Sigma macOS SSH Connection Detection experimental
Kusto MFA Rejected by User available
Kusto Microsoft Entra ID Role Management Permission Grant available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic New Okta Authentication Behavior Detected production building block
Kusto New PA, PCA, or PCAS added to Azure DevOps available
Kusto New User Assigned to Privileged Role available
Kusto NRT PIM Elevation Request Rejected available
Kusto NRT Privileged Role Assigned Outside PIM available
YARA-L O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
YARA-L O365 Login Activity To Azure AD PowerShell App
YARA-L O365 Login Activity To Uncommon Microsoft Cloud Apps
Splunk O365 Security And Compliance Alert Triggered production
Elastic Okta Admin Console Login Failure production building block
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Elastic Okta Alerts Following Unusual Proxy Authentication production
Splunk Okta Authentication Failed During MFA Challenge production
Sigma Okta New Admin Console Behaviours test
Panther Okta New Behaviors Acessing Admin Console
Panther Okta Org2Org application created of modified
Elastic Okta Sign-In Events via Third-Party IdP production
Elastic Okta Successful Login After Credential Attack production
Splunk Okta Successful Single Factor Authentication production
Splunk Okta ThreatInsight Threat Detected production
Elastic Okta User Session Impersonation production
Elastic Okta User Sessions Started from Different Geolocations production
YARA-L OneLogin Multiple Users Login Failures From The Same IP
YARA-L OneLogin Super User Privileges Assigned
YARA-L OneLogin User Logins From Multiple Countries
Sigma Password Reset By User Account test
Sigma PIM Approvals And Deny Elevation test
Kusto PIM Elevation Request Rejected available
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta MFA Bombing via Push Notifications production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production
Sigma Privileged Account Creation test
Kusto Privileged Account Permissions Changed
Kusto Privileged Accounts - Sign in Failure Spikes available
Kusto Privileged Role Assigned Outside PIM available
Kusto Privileged User Logon from new ASN
Kusto Service Principal Assigned App Role With Sensitive Access
Kusto Service Principal Assigned Privileged Role
Kusto Service Principal Authentication Attempt from New Country
Panther Sign In from Rogue State
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Sigma Sign-ins by Unknown Devices test
Sigma Sign-ins from Non-Compliant Devices test
Panther Slack Primary Owner Transferred
Kusto SlackAudit - User login after deactivated. available
Elastic Successful Application SSO from Rare Unknown Client Device production
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Suspicious linking of existing user to external User
Sigma Suspicious Login Activity Classified By Google experimental
Kusto Suspicious Login from deleted guest account
Kusto Suspicious modification of Global Administrator user properties
Kusto Suspicious Sign In by Entra ID Connect Sync Account available
Kusto Suspicious Sign In Followed by MFA Modification available
Panther Suspicious Snowflake Sessions - Unusual Application
Sigma Temporary Access Pass Added To An Account test
Kusto Threat Essentials - User Assigned Privileged Role available
Elastic Unauthorized Access to an Okta Application production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Elastic Unusual AWS Command for a User production
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual City For a GCP Event production
Elastic Unusual City For an AWS Command production
Elastic Unusual City for an Azure Activity Logs Event production
Elastic Unusual Country For a GCP Event production
Elastic Unusual Country For an AWS Command production
Elastic Unusual Country for an Azure Activity Logs Event production
Elastic Unusual GCP Event for a User production
Elastic Unusual Host Name for Okta Privileged Operations Detected production
Elastic Unusual Region Name for Okta Privileged Operations Detected production
Elastic Unusual Source IP for Okta Privileged Operations Detected production
Kusto URL Added to Application from Unknown Domain
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto User Accounts - Sign in Failure due to CA Spikes available
Kusto User Added to Admin Role
Sigma User Added To Privilege Role test
Kusto User Assigned New Privileged Role available
Kusto User Login from Different Countries within 3 hours available
Sigma User State Changed From Guest To Member test
Sigma Users Added to Global or Device Admin Roles test
Sigma Users Authenticating To Other Azure AD Tenants test
Splunk Windows Entra User Management Via Azure CLI production
Panther Wiz Rotate Service Account Secret
Panther Wiz Service Account Change

Redundant Access T1108 3 rules

Panther AWS User API Key Created
Panther AWS User Login Profile Created or Modified
Panther DEPRECATED - AWS User Login Profile Modified

Trusted Developer Utilities Proxy Execution T1127 58 rules

Elastic Anomalous Linux Compiler Activity production
Sigma AspNetCompiler Execution test
Sigma C# IL Code Compilation Via Ilasm.EXE test
Splunk CDB Execution (Sysmon)
Splunk CDB Execution (Windows Event Log)
Kusto CyberArkEPM - MSBuild usage as LOLBin
Elastic Delayed Execution via Ping production
Sigma Detection of PowerShell Execution via Sqlps.exe test
Splunk ETW Registry Disabled production
Elastic Execution of Persistent Suspicious Program production
Elastic Execution via Microsoft DotNet ClickOnce Host production building block
Elastic Execution via MS VisualStudio Pre/Post Build Events production building block
Sigma JScript Compiler Execution test
Sigma Kavremover Dropped Binary LOLBIN Usage test
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Microsoft Build Engine Started by a Script Process production
Elastic Microsoft Build Engine Started by a System Process production
Elastic Microsoft Build Engine Started by an Office Application production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Build Engine Using an Alternate Name production
Sigma Microsoft Workflow Compiler Execution test
Elastic MsBuild Making Network Connections production
Splunk MSBuild Suspicious Spawned By Script Process production
Elastic Network Activity to a Suspicious Top Level Domain production
Sigma Node Process Executions test
Sigma Potential Arbitrary Code Execution Via Node.EXE test
Sigma Potential Binary Proxy Execution Via Cdb.EXE test
Elastic Potential Credential Access via Trusted Developer Utility production
Sigma Potential Mftrace.EXE Abuse test
Sigma Potentially Suspicious ASP.NET Compilation Via AspNetCompiler test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Injection by the Microsoft Build Engine production
Splunk Proxy Execution via Appcert (PowerShell)
Splunk Proxy Execution via Appcert (Sysmon)
Splunk Proxy Execution via Appcert (Windows Event Log)
Sigma Remote Thread Creation Ttdinject.exe Proxy test
Sigma Silenttrinity Stager Msbuild Activity test
Sigma SQL Client Tools PowerShell Session Detection test
Elastic Suspicious .NET Code Compilation production
Sigma Suspicious Child Process of AspNetCompiler test
Elastic Suspicious Execution from a Mounted Device production
Sigma Suspicious File Created by ArcSOC.exe experimental
Splunk Suspicious microsoft workflow compiler rename production
Splunk Suspicious microsoft workflow compiler usage production
Splunk Suspicious msbuild path production
Splunk Suspicious MSBuild Rename production
Splunk Suspicious MSBuild Spawn production
Sigma Suspicious Use of CSharp Interactive Console test
Kusto Trusted Developer Utilities Proxy Execution available
Splunk Unusual AppCert Child Process (Sysmon)
Splunk Unusual AppCert Child Process (Windows Event Log)
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Process Network Connection production
Sigma Use of Remote.exe test
Sigma Use of TTDInject.exe test
Sigma Use of VSIISExeLauncher.exe test
Sigma Use of Wfc.exe test

Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 22 rules

Elastic Delayed Execution via Ping production
Elastic Execution of Persistent Suspicious Program production
Elastic Execution via MS VisualStudio Pre/Post Build Events production building block
Elastic Microsoft Build Engine Started an Unusual Process production
Elastic Microsoft Build Engine Started by a Script Process production
Elastic Microsoft Build Engine Started by a System Process production
Elastic Microsoft Build Engine Started by an Office Application production
Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
Elastic Microsoft Build Engine Using an Alternate Name production
Elastic MsBuild Making Network Connections production
Splunk MSBuild Suspicious Spawned By Script Process production
Elastic Network Activity to a Suspicious Top Level Domain production
Elastic Potential Credential Access via Trusted Developer Utility production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Injection by the Microsoft Build Engine production
Sigma Silenttrinity Stager Msbuild Activity test
Elastic Suspicious Execution from a Mounted Device production
Splunk Suspicious msbuild path production
Splunk Suspicious MSBuild Rename production
Splunk Suspicious MSBuild Spawn production
Elastic Unusual Network Activity from a Windows System Binary production

Trusted Developer Utilities Proxy Execution: ClickOnce T1127.002 1 rule

Elastic Execution via Microsoft DotNet ClickOnce Host production building block

Access Token Manipulation T1134 73 rules

Kusto Access Token Manipulation - Create Process with Token available
Sigma Addition of SID History to Active Directory Object stable
Sigma Anonymous login (RottenPotatoNG) experimental
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Kusto BTP - Cloud Identity Service application configuration monitor available
Kusto BTP - Trust and authorization Identity Provider monitor available
Elastic Credential Manipulation - Detected - Elastic Endgame production
Elastic Credential Manipulation - Prevented - Elastic Endgame production
Elastic First Time Seen NewCredentials Logon Process production
Panther GitHub Artifact Download from Cross-Fork Workflow
Panther GitHub Cross-Fork Workflow Run
Panther GitHub pull_request_target Workflow on Self-Hosted Runner
Panther GitHub pull_request_target Workflow Usage
Panther GitHub pull_request_target Workflow with Checkout Action
Sigma HackTool - Impersonate Execution test
Sigma HackTool - Koh Default Named Pipe test
Sigma HackTool - NoFilter Execution test
Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
Sigma HackTool - SharpDPAPI Execution test
Sigma HackTool - SharpImpersonation Execution test
Kusto High-Risk Cross-Cloud User Impersonation
Elastic Interactive Logon by an Unusual Process production
Elastic Kubernetes API Request Impersonating Privileged Identity production
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
Sigma New rights granted to an account for privilege escalation experimental
Elastic Parent Process PID Spoofing production
Kusto Pathlock TDnR - Dynamic Access Control Events available
Elastic Permission Theft - Detected - Elastic Endgame production
Elastic Permission Theft - Prevented - Elastic Endgame production
Kusto Ping Federate - Abnormal password resets for user available
Kusto Possible Resource-Based Constrained Delegation Abuse
Sigma Potential Access Token Abuse test
Sigma Potential Meterpreter/CobaltStrike Activity test
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic Privilege Escalation via Named Pipe Impersonation production
Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
Sigma Privilege escalation via runas (command) experimental
Sigma Privilege escalation via RunasCS experimental
Elastic Privileges Elevation via Parent Process PID Spoofing production
Elastic Process Created with a Duplicated Token production
Elastic Process Created with an Elevated Token production
Elastic Process Creation via Secondary Logon production
Kusto PRT Credential Stealing
Sigma PUA - AdvancedRun Execution test
Sigma PUA - AdvancedRun Suspicious Execution test
Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
Splunk Runas Execution in CommandLine production
Elastic SeDebugPrivilege Enabled by a Suspicious Process production
Kusto Semperis DSP Well-known privileged SIDs in sIDHistory available
Kusto Service Principal Name (SPN) Assigned to User Account
Elastic Spike in Special Privilege Use Events production
Sigma Suspicious Child Process Created as System test
Elastic Suspicious SeIncreaseBasePriorityPrivilege Use production
Sigma Suspicious SYSTEM User Process Creation test
Elastic Unusual Parent-Child Relationship production
Kusto User impersonation by Identity Protection alerts
Kusto User Session Impersonation(Okta) available
Splunk Windows Access Token Manipulation SeDebugPrivilege production
Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
Splunk Windows AD Cross Domain SID History Addition production
Splunk Windows AD Privileged Account SID History Addition production
Splunk Windows AD Same Domain SID History Addition production
Splunk Windows AD SID History Attribute Modified production
Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production
Splunk Windows Parent PID Spoofing with Explorer production
Splunk Windows Privilege Escalation Suspicious Process Elevation production
Splunk Windows Privilege Escalation System Process Without System Parent production
Splunk Windows Privilege Escalation User Process Spawn System Process production
Splunk Wscript Or Cscript Suspicious Child Process production

Access Token Manipulation: Token Impersonation/Theft T1134.001 23 rules

Sigma Anonymous login (RottenPotatoNG) experimental
Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Elastic First Time Seen NewCredentials Logon Process production
Sigma HackTool - Impersonate Execution test
Sigma HackTool - Koh Default Named Pipe test
Sigma HackTool - NoFilter Execution test
Sigma HackTool - SharpDPAPI Execution test
Sigma HackTool - SharpImpersonation Execution test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
Elastic Permission Theft - Detected - Elastic Endgame production
Elastic Permission Theft - Prevented - Elastic Endgame production
Sigma Potential Access Token Abuse test
Sigma Potential Meterpreter/CobaltStrike Activity test
Elastic PowerShell Script with Token Impersonation Capabilities production
Elastic Privilege Escalation via Named Pipe Impersonation production
Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
Elastic Process Created with a Duplicated Token production
Kusto PRT Credential Stealing
Splunk Runas Execution in CommandLine production
Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production

Access Token Manipulation: Create Process with Token T1134.002 18 rules

Kusto Access Token Manipulation - Create Process with Token available
Elastic Interactive Logon by an Unusual Process production
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
Sigma Potential Meterpreter/CobaltStrike Activity test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Token Impersonation Capabilities production
Sigma Privilege escalation via runas (command) experimental
Sigma Privilege escalation via RunasCS experimental
Elastic Privileges Elevation via Parent Process PID Spoofing production
Elastic Process Created with a Duplicated Token production
Elastic Process Created with an Elevated Token production
Elastic Process Creation via Secondary Logon production
Sigma PUA - AdvancedRun Execution test
Sigma PUA - AdvancedRun Suspicious Execution test
Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
Sigma Suspicious Child Process Created as System test
Splunk Windows Access Token Manipulation SeDebugPrivilege production

Access Token Manipulation: Make and Impersonate Token T1134.003 7 rules

Kusto AWS Security Hub - Detect IAM root user Access Key existence available
Sigma HackTool - Impersonate Execution test
Sigma HackTool - SharpDPAPI Execution test
Sigma HackTool - SharpImpersonation Execution test
Elastic Interactive Logon by an Unusual Process production
Elastic Process Creation via Secondary Logon production
Kusto User Session Impersonation(Okta) available

Access Token Manipulation: Parent PID Spoofing T1134.004 6 rules

Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
Elastic Parent Process PID Spoofing production
Elastic Privileges Elevation via Parent Process PID Spoofing production
Elastic Unusual Parent-Child Relationship production
Splunk Windows Parent PID Spoofing with Explorer production
Splunk Wscript Or Cscript Suspicious Child Process production

Access Token Manipulation: SID-History Injection T1134.005 6 rules

Sigma Addition of SID History to Active Directory Object stable
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Windows AD Cross Domain SID History Addition production
Splunk Windows AD Privileged Account SID History Addition production
Splunk Windows AD Same Domain SID History Addition production
Splunk Windows AD SID History Attribute Modified production

Deobfuscate/Decode Files or Information T1140 79 rules

Kusto A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
Elastic Base16 or Base32 Encoding/Decoding Activity production
Elastic Base64 Decoded Payload Piped to Interpreter production
Sigma Base64 Encoded PowerShell Command Detected test
Kusto Base64 encoded Windows process command-lines available
Kusto Base64 encoded Windows process command-lines (Normalized Process Events)
Elastic Binary Content Copy via Cmd.exe production building block
Splunk Certutil De-Obfuscate_Decode Files (Sysmon)
Splunk Certutil De-Obfuscate_Decode Files (Windows Event Log)
Splunk Certutil Execution (Sysmon)
Splunk Certutil Execution (Windows Event Log)
Sigma Certutil payload obfuscation (command) experimental
Sigma Certutil payload obfuscation - Tchopper (command) experimental
Splunk CertUtil With Decode Argument production
Elastic Command Line Obfuscation via Whitespace Padding production
Elastic Decoded Payload Piped to Interpreter Detected via Defend for Containers production
Elastic Deprecated - Encoded Executable Stored in the Registry production
Elastic Deprecated - Potential PowerShell Obfuscated Script production
Sigma DNS-over-HTTPS Enabled by Registry test
Elastic Dynamic IEX Reconstruction via Method String Access production
Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available
Elastic Encoded Payload Detected via Defend for Containers production
Elastic Execution via OpenClaw Agent production
Kusto Ingress Tool Transfer - Certutil available
Elastic Kernel Unpacking Activity production
Splunk Linux Auditd Base64 Decode Files production
Sigma Linux Base64 Encoded Pipe to Shell test
Sigma Linux Base64 Encoded Shebang In CLI test
Sigma Linux Shell Pipe to Shell test
Elastic Long Base64 Encoded Command via Scripting Interpreter production
YARA-L MITRE ATT&CK T1140 Encoded Powershell Command
Sigma MSHTA Execution with Suspicious File Extensions test
Elastic Multi-Base64 Decoding Attempt from Suspicious Location production
Kusto NRT Base64 Encoded Windows Process Command-lines available
Kusto NRT Process executed from binary hidden in Base64 encoded file available
Sigma Payload Decoded and Decrypted via Built-in Utilities test
Sigma Ping Hex IP test
Sigma Potential Base64 Decoded From Images test
Sigma Potential BlackByte Ransomware Activity test
Sigma Potential Commandline Obfuscation Using Escape Characters test
Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
Elastic Potential Hex Payload Execution via Command-Line production
Elastic Potential Hex Payload Execution via Common Utility production
Elastic Potential PowerShell Obfuscated Script via High Entropy production
Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
Elastic Potential PowerShell Obfuscation via High Special Character Proportion production building block
Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
Elastic Potential PowerShell Obfuscation via Reverse Keywords production
Elastic Potential PowerShell Obfuscation via Special Character Overuse production
Elastic Potential PowerShell Obfuscation via String Concatenation production
Elastic Potential PowerShell Obfuscation via String Reordering production
Sigma PowerShell Base64 Encoded FromBase64String Cmdlet test
Sigma PowerShell Decompress Commands test
Elastic PowerShell Obfuscation via Negative Index String Reversal production
Elastic PowerShell Script with Encryption/Decryption Capabilities production
Elastic PowerShell Suspicious Payload Encoded and Compressed production
Kusto Process executed from binary hidden in Base64 encoded file available
Kusto Qakbot Discovery Activies available
Elastic ROT Encoded Python Script Execution production
Elastic Suspicious .NET Reflection via PowerShell production
Elastic Suspicious CertUtil Commands production
Elastic Suspicious Content Extracted or Decompressed via Funzip production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Sigma Suspicious Inbox Manipulation Rules test
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Elastic Suspicious Windows Powershell Arguments production
Sigma Suspicious XOR Encoded PowerShell Command test
Sigma UNC4841 - Download Compressed Files From Temp.sh Using Wget test
Sigma UNC4841 - Download Tar File From Untrusted Direct IP Via Wget test
Sigma UNC4841 - SSL Certificate Exfiltration Via Openssl test
Elastic Unusual Base64 Encoding/Decoding Activity production
Elastic Web Server Potential Command Injection Request production

BITS Jobs T1197 35 rules

Sigma BITS Client BitsProxy DLL Loaded By Uncommon Process experimental
Splunk BITS Job Persistence production
Sigma BITS payload downloaded via commandline experimental
Sigma BITS payload downloaded via PowerShell experimental
Sigma BITS Transfer Job Download From Direct IP test
Sigma BITS Transfer Job Download From File Sharing Domains test
Sigma BITS Transfer Job Download To Potential Suspicious Folder test
Sigma BITS Transfer Job Downloading File Potential Suspicious Extension test
Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD test
Elastic Bitsadmin Activity production building block
Kusto Bitsadmin Activity available
Splunk BITSAdmin Download File production
Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
Sigma Bitsadmin to Uncommon IP Server Address test
Sigma Bitsadmin to Uncommon TLD test
Splunk Cisco NVM - Curl Execution With Insecure Flags production
Splunk Cisco NVM - Suspicious Download From File Sharing Website production
Sigma File Download Via Bitsadmin test
Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
Sigma File with high volume downloaded via BITS experimental
Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
Elastic Ingress Transfer via Windows BITS production
Sigma Monitoring For Persistence Via BITS test
Sigma New BITS Job Created Via Bitsadmin test
Sigma New BITS Job Created Via PowerShell test
Elastic Persistence via BITS Job Notify Cmdline production
Splunk PowerShell Start-BitsTransfer production
Sigma Suspicious Download From Direct IP Via Bitsadmin test
Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Elastic Unsigned BITS Service Client Process production building block

Indirect Command Execution T1202 69 rules

Sigma Arbitrary Command Execution Using WSL test
Elastic Attempt to Install or Run Kali Linux via WSL production
Elastic Command Execution via ForFiles production
Splunk Conhost.exe Kernel call (Sysmon)
Splunk Conhost.exe Kernel call (Windows Event Log)
Elastic Curl or Wget Egress Network Connection via LoLBin production
Sigma Custom File Open Handler Executes PowerShell test
Sigma Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE test
Elastic Execution via Windows Subsystem for Linux production
Sigma Findstr Launching .lnk File test
Elastic Host File System Changes via Windows Subsystem for Linux production
Splunk Indirect Command Execution (Sysmon)
Splunk Indirect Command Execution (Windows Event Log)
Sigma Indirect Command Execution From Script File Via Bash.EXE test
Elastic Indirect Command Execution via Forfiles/Pcalua production building block
Sigma Indirect Command Execution via SFTP ProxyCommand experimental
Sigma Indirect Inline Command Execution Via Bash.EXE test
Panther Intune Create or Modify Client App
Panther Intune New Device Management Script
Elastic Linux Restricted Shell Breakout via Linux Binary(s) production
Splunk Microsoft Intune Device Health Scripts production
Splunk Microsoft Intune Mobile Apps experimental
Sigma Outlook EnableUnsafeClientMailRules Setting Enabled test
Sigma Potential Arbitrary Command Execution Using Msdt.EXE test
Sigma Potential Arbitrary Command Execution Via FTP.EXE test
Sigma Potential Arbitrary DLL Load Using Winword test
Sigma Potential Arbitrary File Download Using Office Application test
Sigma Potential Arbitrary File Download Via Cmdl32.EXE test
Sigma Potential Binary Impersonating Sysinternals Tools test
Sigma Potentially Suspicious Child Process Of VsCode test
Sigma Potentially Suspicious Child Processes Spawned by ConHost experimental
Sigma Potentially Suspicious Office Document Executed From Trusted Location test
Elastic Proxy Execution via Console Window Host production
Sigma Proxy Execution via Vshadow experimental
Elastic Proxy Execution via Windows OpenSSH production
Sigma Renamed CURL.EXE Execution test
Sigma Renamed FTP.EXE Execution test
Sigma Renamed NirCmd.EXE Execution test
Sigma Renamed PAExec Execution test
Sigma Renamed PingCastle Binary Execution test
Sigma Renamed ZOHO Dctask64 Execution test
Sigma Rundll32 Execution Without CommandLine Parameters test
Splunk ssh.exe Execution (Sysmon)
Splunk ssh.exe Execution (Windows Event Log)
Sigma Suspicious Cabinet File Execution Via Msdt.EXE test
Sigma Suspicious Child Process Of BgInfo.EXE test
Splunk Suspicious Conhost.exe Commands (Sysmon)
Splunk Suspicious Conhost.exe Commands (Windows Event Log)
Elastic Suspicious Execution via Windows Subsystem for Linux production
Sigma Suspicious High IntegrityLevel Conhost Legacy Option test
Sigma Suspicious Remote Child Process From Outlook test
Sigma Suspicious Runscripthelper.exe test
Sigma Suspicious Service Binary Directory test
Sigma Suspicious Splwow64 Without Params test
Sigma Suspicious ZipExec Execution test
Elastic System Binary Symlink to Suspicious Location production
Sigma Troubleshooting Pack Cmdlet Execution test
Sigma Uncommon Child Process Of BgInfo.EXE test
Sigma Uncommon Child Process Of Conhost.EXE test
Sigma Uncommon Child Process Of Setres.EXE test
Sigma Windows Binary Executed From WSL test
Splunk Windows Indirect Command Execution Via forfiles production
Splunk Windows Indirect Command Execution Via pcalua production
Splunk Windows Indirect Command Execution Via Series Of Forfiles production
Splunk Windows RunMRU Command Execution production
Elastic Windows Subsystem for Linux Distribution Installed production
Elastic Windows Subsystem for Linux Enabled via Dism Utility production
Sigma WSL Child Process Anomaly test
Sigma WSL Kali-Linux Usage experimental

Traffic Signaling T1205 1 rule

Elastic Unusual Linux Network Port Activity production

Traffic Signaling: Port Knocking T1205.001 1 rule

Elastic Unusual Linux Network Port Activity production

Exploitation for Stealth T1211 15 rules

Kusto App Gateway WAF - SQLi Detection available
Kusto Application Gateway WAF - SQLi Detection
Kusto ASR Bypassing Writing Executable Content available
Sigma Audit CVE Event test
Splunk Conhost.exe Kernel call (Sysmon)
Splunk Conhost.exe Kernel call (Windows Event Log)
Kusto Front Door Premium WAF - SQLi Detection available
Kusto GitHub Security Vulnerability in Repository
Sigma Microsoft Malware Protection Engine Crash test
Sigma Microsoft Malware Protection Engine Crash - WER test
Elastic Potential Defense Evasion via PRoot production
Splunk Suspicious Conhost.exe Commands (Sysmon)
Splunk Suspicious Conhost.exe Commands (Windows Event Log)
Elastic Unusual Executable File Creation by a System Critical Process production
Sigma Writing Of Malicious Files To The Fonts Folder test

System Script Proxy Execution T1216 19 rules

Sigma Assembly Loading Via CL_LoadAssembly.ps1 test
Sigma AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl test
Sigma AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File test
Splunk Bash -c Execution - Windows (Sysmon)
Splunk Bash -c Execution - Windows (Windows Event Log)
Elastic Delayed Execution via Ping production
Sigma Execute Code with Pester.bat test
Sigma Execute Code with Pester.bat as Parent test
Sigma Launch-VsDevShell.PS1 Proxy Execution test
Sigma Potential Manage-bde.wsf Abuse To Proxy Execution test
Sigma Potential Process Execution Proxy Via CL_Invocation.ps1 test
Sigma Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 test
Sigma Pubprn.vbs Proxy Execution test
Sigma Remote Code Execute via Winrm.vbs test
Sigma Suspicious CustomShellHost Execution test
Sigma SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code test
Sigma Uncommon Sigverif.EXE Child Process test
Sigma UtilityFunctions.ps1 Proxy Dll test
Splunk Windows System Script Proxy Execution Syncappvpublishingserver production

System Script Proxy Execution: PubPrn T1216.001 2 rules

Sigma Launch-VsDevShell.PS1 Proxy Execution test
Sigma Pubprn.vbs Proxy Execution test

System Binary Proxy Execution T1218 552 rules

Splunk .msc Executed from Unusual Location (Sysmon)
Splunk .msc Executed from Unusual Location (Windows Event Log)
Splunk 3CXDesktopApp.exe Execution (EDR)
Splunk 3CXDesktopApp.exe Execution (Sysmon)
Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
Sigma Abusing Print Executable test
Sigma AddinUtil.EXE Execution From Uncommon Directory test
Sigma AgentExecutor PowerShell Execution test
Sigma APT29 2018 Phishing Campaign CommandLine Indicators stable
Sigma APT29 2018 Phishing Campaign File Indicators stable
Sigma Arbitrary Command Execution Using WSL test
Sigma Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE test
Sigma Arbitrary File Download Via IMEWDBLD.EXE test
Sigma Arbitrary File Download Via MSEDGE_PROXY.EXE test
Sigma Arbitrary File Download Via MSOHTMED.EXE test
Sigma Arbitrary File Download Via MSPUB.EXE test
Sigma Arbitrary File Download Via PresentationHost.EXE test
Sigma Arbitrary File Download Via Squirrel.EXE test
Sigma Arbitrary MSI Download Via Devinit.EXE test
Sigma Atbroker Registry Change test
Splunk ATBroker.exe Execution (PowerShell)
Splunk ATBroker.exe Execution (Sysmon)
Splunk ATBroker.exe Execution (Windows Event Log)
Sigma BaaUpdate.exe Suspicious DLL Load experimental
Sigma Bad Opsec Defaults Sacrificial Processes With Improper Arguments test
Splunk Bash -c Execution - Windows (Sysmon)
Splunk Bash -c Execution - Windows (Windows Event Log)
Sigma Binary Proxy Execution Via Dotnet-Trace.EXE test
Sigma BitLockerTogo.EXE Execution test
Sigma Bypass UAC via CMSTP test
Splunk Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI production
Splunk Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download production
Splunk Cisco NVM - Suspicious Network Connection From Process With No Args production
Splunk CMLUA Or CMSTPLUA UAC Bypass production
Splunk Cmstp Execution (Sysmon)
Splunk Cmstp Execution (Windows Event Log)
Sigma CMSTP Execution Process Access stable
Sigma CMSTP Execution Process Creation stable
Sigma CMSTP Execution Registry Event stable
Sigma CMSTP UAC Bypass via COM Object Access stable
Sigma CobaltStrike Load by Rundll32 test
Sigma Code Execution via Pcwutl.dll test
Sigma COM Object Execution via Xwizard.EXE test
Elastic Command and Scripting Interpreter via Windows Scripts production
Elastic Command Shell Activity Started via RunDLL32 production
Splunk Control Loading from World Writable Directory production
Splunk Control Panel Abuse (Sysmon)
Splunk Control Panel Abuse (Windows Event Log)
Sigma Control Panel Items test
Elastic Control Panel Process with Unusual Arguments production
Splunk Control_RunDLL Call from Command Line (Sysmon)
Splunk Control_RunDLL Call from Command Line (Windows Event Log)
Sigma Created Files by Microsoft Sync Center test
Elastic Creation of SettingContent-ms Files production building block
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Sigma Curl Download And Execute Combination test
Elastic Curl or Wget Egress Network Connection via LoLBin production
Elastic Delayed Execution via Ping production
Splunk Detect HTML Help Renamed production
Splunk Detect HTML Help Spawn Child Process production
Splunk Detect HTML Help URL in Command Line production
Splunk Detect HTML Help Using InfoTech Storage Handlers production
Splunk Detect mshta inline hta execution production
Splunk Detect mshta renamed production
Splunk Detect MSHTA Url in Command Line production
Kusto Detect Msiexec executing DLL network connections
Splunk Detect Regasm Spawning a Process production
Splunk Detect Regasm with Network Connection production
Splunk Detect Regasm with no Command Line Arguments production
Splunk Detect Regsvcs Spawning a Process production
Splunk Detect Regsvcs with Network Connection production
Splunk Detect Regsvcs with No Command Line Arguments production
Splunk Detect Regsvr32 Application Control Bypass production
Splunk Detect Rundll32 Inline HTA Execution production
Sigma DeviceCredentialDeployment Execution test
Sigma Devtoolslauncher.exe Executes Specified Binary test
Sigma Diskshadow Child Process Spawned test
Sigma Diskshadow Script Mode - Execution From Potential Suspicious Location test
Sigma Diskshadow Script Mode - Uncommon Script Extension Execution test
Sigma Diskshadow Script Mode Execution test
Sigma DLL Call by Ordinal Via Rundll32.EXE stable
Splunk DLL Called with RS32 (PowerShell)
Splunk DLL Called with RS32 (Sysmon)
Splunk DLL Called with RS32 (Windows Event Log)
Splunk DLL Called with Uncommon Function (PowerShell)
Splunk DLL Called with Uncommon Function (Sysmon)
Splunk DLL Called with Uncommon Function (Windows Event Log)
Splunk DLL Execution from Uncommon Process (PowerShell)
Splunk DLL Execution from Uncommon Process (Sysmon)
Splunk DLL Execution from Uncommon Process (Windows Event Log)
Sigma DLL Execution via Rasautou.exe test
Sigma DLL Loaded From Suspicious Location Via Cmspt.EXE test
Sigma DLL Loaded via CertOC.EXE test
Sigma Dllhost.EXE Initiated Network Connection To Non-Local IP Address test
Splunk DLLRegisterServer Called from Command Line (PowerShell)
Splunk DLLRegisterServer Called from Command Line (Sysmon)
Splunk DLLRegisterServer Called from Command Line (Windows Event Log)
Sigma DllUnregisterServer Function Call Via Msiexec.EXE test
Sigma DNS Query Request By Regsvr32.EXE test
Splunk DNX.exe Proxy Execution (Windows Event Log)
Splunk Dotnet.exe Execution (Windows Event Log)
Splunk Driver as Command Parameter (Windows Event Log)
Sigma Driver/DLL Installation Via Odbcconf.EXE test
Splunk Dxcap Proxy Execution (Windows Event Log)
Elastic Dynamic Linker (ld.so) Creation production
Sigma Equation Group DLL_U Export Function Load stable
Sigma EvilNum APT Golden Chickens Deployment Via OCX Files test
Splunk Executable Process from Suspicious Folder (PowerShell)
Splunk Executable Process from Suspicious Folder (Sysmon)
Splunk Executable Process from Suspicious Folder (Windows Event Log)
Sigma Execute Files with Msdeploy.exe test
Sigma Execute Pcwrun.EXE To Leverage Follina test
Sigma Execution DLL of Choice Using WAB.EXE test
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of a Downloaded Windows Script production
Elastic Execution of COM object via Xwizard production
Elastic Execution of Persistent Suspicious Program production
Elastic Execution via GitHub Actions Runner production
Elastic Execution via Microsoft DotNet ClickOnce Host production building block
Elastic Execution via OpenClaw Agent production
Sigma Execution via stordiag.exe test
Elastic Execution via Windows Command Debugging Utility production
Sigma Execution via WorkFolders.exe test
Sigma File Download Using ProtocolHandler.exe test
Sigma File Download Via InstallUtil.EXE test
Sigma File Download Via Windows Defender MpCmpRun.EXE test
Elastic File or Directory Deletion Command production building block
Elastic File with Suspicious Extension Downloaded production building block
Sigma Fireball Archer Install test
Sigma Gpscript Execution test
Splunk Group Policy Editor Execution (PowerShell)
Splunk Group Policy Editor Execution (Sysmon)
Splunk Group Policy Editor Execution (Windows Event Log)
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Sigma HackTool - F-Secure C3 Load by Rundll32 test
Sigma HackTool - RedMimicry Winnti Playbook Execution test
Sigma HH.EXE Execution test
Splunk hh.exe Execution (PowerShell)
Splunk hh.exe Execution (Sysmon)
Splunk hh.exe Execution (Windows Event Log)
Sigma HH.EXE Initiated HTTP Network Connection test
Splunk hh.exe Remote File Execution (PowerShell)
Splunk hh.exe Remote File Execution (Sysmon)
Splunk hh.exe Remote File Execution (Windows Event Log)
Sigma Hidden Flag Set On File/Directory Via Chflags - MacOS test
Elastic Host Detected with Suspicious Windows Process(es) production
Sigma HTML Help HH.EXE Suspicious Child Process test
Sigma IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 test
Sigma Ie4uinit Lolbin Use From Invalid Path test
Splunk IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
Elastic ImageLoad via Windows Update Auto Update Client production
Sigma Import LDAP Data Interchange Format File Via Ldifde.EXE test
Elastic Incoming DCOM Lateral Movement via MSHTA production
Elastic Incoming DCOM Lateral Movement with MMC production
Sigma Indirect Command Execution By Program Compatibility Wizard test
Sigma InfDefaultInstall.exe .inf Execution test
Sigma Insensitive Subfolder Search Via Findstr.EXE test
Elastic InstallUtil Activity production building block
Elastic InstallUtil Process Making Network Connections production
Sigma Kapeka Backdoor Execution Via RunDLL32.EXE test
Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
Sigma Legitimate Application Dropped Archive test
Sigma Legitimate Application Dropped Executable test
Sigma Legitimate Application Dropped Script test
Sigma Legitimate Application Writing Files In Uncommon Location experimental
Splunk LOLBAS With Network Traffic production
Sigma Lolbin Runexehelper Use As Proxy test
Sigma Lolbin Unregmp2.exe Use As Proxy test
Splunk Malicious InProcServer32 Modification production
Sigma Malicious PE Execution by Microsoft Visual Studio Debugger test
Sigma Malicious Windows Script Components File Execution by TAEF Detection test
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Mavinject Inject DLL Into Running Process test
Elastic Microsoft Build Engine Started by a Script Process production
Elastic Microsoft Management Console File from Unusual Path production
Sigma Microsoft Sync Center Suspicious Network Connections test
Sigma Microsoft Workflow Compiler Execution test
Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
Sigma MMC Loading Script Engines DLLs experimental
Splunk Mmc LOLBAS Execution Process Spawn production
Sigma MpiExec Lolbin test
Sigma MSDT Execution Via Answer File test
Sigma MSHTA Execution with Suspicious File Extensions test
Elastic Mshta Making Network Connections production
Splunk Mshta spawning Rundll32 OR Regsvr32 Process production
Splunk MSHTA.exe execution (PowerShell)
Splunk MSHTA.exe execution (Sysmon)
Splunk MSHTA.exe execution (Windows Event Log)
Splunk mshta.exe File Download (PowerShell)
Splunk mshta.exe File Download (Sysmon)
Splunk mshta.exe File Download (Windows Event Log)
Sigma MSI Installation From Web test
Splunk MSI Installation via Appcert (PowerShell)
Splunk MSI Installation via Appcert (Sysmon)
Splunk MSI Installation via Appcert (Windows Event Log)
Splunk Msiexec Abuse (Sysmon)
Splunk Msiexec Abuse (Windows Event Log)
Splunk MSIExec Install MSI File (Sysmon)
Splunk MSIExec Install MSI File (Windows Event Log)
Sigma Msiexec Quiet Installation test
Elastic MsiExec Service Child Process With Network Connection production
Sigma MsiExec Web Install test
Splunk MSIExec.exe Execution (Sysmon)
Splunk MSIExec.exe Execution (Windows Event Log)
Sigma Msiexec.EXE Initiated Network Connection Over HTTP test
Elastic Network Activity to a Suspicious Top Level Domain production
Sigma Network Connection Initiated By AddinUtil.EXE test
Sigma Network Connection Initiated By Regsvr32.EXE test
Elastic Network Connection via Certutil production building block
Elastic Network Connection via Compiled HTML File production
Elastic Network Connection via Registration Utility production
Elastic Network Connection via Signed Binary production
Sigma New Capture Session Launched Via DXCap.EXE test
Sigma New DLL Registered Via Odbcconf.EXE test
Sigma New Self Extracting Package Created Via IExpress.EXE test
Sigma NotPetya Ransomware Activity test
Splunk Nslookup Execution (Windows Event Log)
Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
Sigma Odbcconf.EXE Suspicious DLL Location test
Sigma OneNote.EXE Execution of Malicious Embedded Scripts test
Sigma OpenWith.exe Executes Specified Binary test
Sigma Outbound Network Connection Initiated By Cmstp.EXE test
Sigma Outbound Network Connection To Public IP Via Winlogon test
Elastic Parent Process Detected with Suspicious Windows Process(es) production
Elastic Persistence via a Windows Installer production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential Application Whitelisting Bypass via Dnx.EXE test
Sigma Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 test
Sigma Potential Arbitrary File Download Via Cmdl32.EXE test
Sigma Potential Baby Shark Malware Activity test
Sigma Potential Binary Impersonating Sysinternals Tools test
Sigma Potential Binary Proxy Execution Via Cdb.EXE test
Sigma Potential Binary Proxy Execution Via VSDiagnostics.EXE test
Sigma Potential Bumblebee Remote Thread Creation test
Elastic Potential Command and Control via Internet Explorer production
Sigma Potential Compromised 3CXDesktopApp Execution test
Sigma Potential Compromised 3CXDesktopApp Update Activity test
Elastic Potential Credential Access via Renamed COM+ Services DLL production
Elastic Potential Credential Access via Windows Utilities production
Elastic Potential CVE-2025-33053 Exploitation production
Elastic Potential Defense Evasion via CMSTP.exe production building block
Sigma Potential Devil Bait Malware Reconnaissance test
Sigma Potential DLL Sideloading Activity Via ExtExport.EXE test
Sigma Potential DLL Sideloading Using Coregen.exe test
Sigma Potential Emotet Rundll32 Execution test
Sigma Potential EmpireMonkey Activity test
Elastic Potential Escalation via Vulnerable MSI Repair production
Elastic Potential Execution via FileFix Phishing Attack production
Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 experimental
Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load experimental
Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access experimental
Elastic Potential Fake CAPTCHA Phishing Attack production
Sigma Potential File Download Via MS-AppInstaller Protocol Handler test
Elastic Potential File Transfer via Certreq production
Sigma Potential LethalHTA Technique Execution test
Elastic Potential Local NTLM Relay via HTTP production
Sigma Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution test
Sigma Potential NTLM Coercion Via Certutil.EXE test
Sigma Potential Password Spraying Attempt Using Dsacls.EXE test
Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
Sigma Potential PowerShell Execution Via DLL test
Elastic Potential Privilege Escalation via SUID/SGID Proxy Execution production
Elastic Potential Protocol Tunneling via Yuze production
Sigma Potential Provisioning Registry Key Abuse For Binary Proxy Execution test
Sigma Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG test
Sigma Potential Provlaunch.EXE Binary Proxy Execution Abuse test
Sigma Potential Proxy Execution Via Explorer.EXE From Shell Process test
Sigma Potential Raspberry Robin CPL Execution Activity test
Sigma Potential Register_App.Vbs LOLScript Abuse test
Sigma Potential Regsvr32 Commandline Flag Anomaly test
Elastic Potential Remote File Execution via MSIEXEC production
Elastic Potential Remote Install via MsiExec production
Sigma Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module test
Sigma Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock test
Sigma Potential Suspicious Child Process Of 3CXDesktopApp test
Sigma Potential Suspicious Mofcomp Execution test
Splunk Potential Sysinternals Tool Execution (PowerShell)
Splunk Potential Sysinternals Tool Execution (Sysmon)
Splunk Potential Sysinternals Tool Execution (Windows Event Log)
Sigma Potentially Over Permissive Permissions Granted Using Dsacls.EXE test
Sigma Potentially Suspicious Cabinet File Expansion test
Sigma Potentially Suspicious Child Process Of DiskShadow.EXE test
Sigma Potentially Suspicious Child Process Of Regsvr32 test
Sigma Potentially Suspicious Child Process Of VsCode test
Sigma Potentially Suspicious Child Processes Spawned by ConHost experimental
Sigma Potentially Suspicious CMD Shell Output Redirect test
Sigma Potentially Suspicious DLL Registered Via Odbcconf.EXE test
Sigma Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location test
Sigma Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension test
Elastic Potentially Suspicious Process Started via tmux or screen production
Sigma Potentially Suspicious Regsvr32 HTTP IP Pattern test
Sigma Potentially Suspicious Regsvr32 HTTP/FTP Pattern test
Sigma Potentially Suspicious Rundll32 Activity test
Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File test
Sigma Potentially Suspicious Self Extraction Directive File Created test
Sigma Potentially Suspicious Wuauclt Network Connection test
Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
Sigma PowerShell WMI Win32_Product Install MSI test
Sigma Process Access via TrolleyExpress Exclusion test
Elastic Process Activity via Compiled HTML File production
Splunk Process Creation Using Sysnative Folder (Sysmon)
Splunk Process Creation Using Sysnative Folder (Windows Event Log)
Kusto Process Injection Initiated By MMC
Sigma Process Memory Dump Via Dotnet-Dump test
Sigma Process Proxy Execution Via Squirrel.EXE test
Sigma Program Executed Using Proxy/Local Command Via SSH.EXE test
Sigma Proxy Execution Via Wuauclt.EXE test
Elastic Proxy Shell Execution via Busybox production
Elastic Rare Connection to WebDAV Target production
Sigma RegAsm.EXE Execution Without CommandLine Flags or Files experimental
Sigma RegAsm.EXE Initiating Network Connection To Public IP test
Sigma REGISTER_APP.VBS Proxy Execution test
Sigma Regsvr32 DLL Execution With Suspicious File Extension test
Splunk regsvr32 Execution (PowerShell)
Splunk regsvr32 Execution (Sysmon)
Splunk regsvr32 Execution (Windows Event Log)
Sigma Regsvr32 Execution From Highly Suspicious Location test
Sigma Regsvr32 Execution From Potential Suspicious Location test
Splunk regsvr32 Referencing Unusual Paths (Sysmon)
Splunk regsvr32 Referencing Unusual Paths (Windows Event Log)
Kusto Regsvr32 Rundll32 Image Loads Abnormal Extension available
Kusto Regsvr32 Rundll32 with Anomalous Parent Process available
Splunk Regsvr32 Silent and Install Param Dll Loading production
Splunk Regsvr32 with Known Silent Switch Cmdline production
Sigma Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly test
Splunk Remote .msi Installation (PowerShell)
Splunk Remote .msi Installation (PowerShell)
Splunk Remote .msi Installation (Sysmon)
Splunk Remote .msi Installation (Sysmon)
Splunk Remote .msi Installation (Windows Event Log)
Splunk Remote .msi Installation (Windows Event Log)
Sigma Remote CHM File Download/Execution Via HH.EXE test
Sigma Remote File Download Via Findstr.EXE test
Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
Sigma RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses test
Sigma Remotely Hosted HTA File Executed Via Mshta.EXE test
Sigma Renamed Mavinject.EXE Execution test
Sigma Renamed MegaSync Execution test
Sigma Renamed ZOHO Dctask64 Execution test
Sigma Response File Execution Via Odbcconf.EXE test
Sigma Rhadamanthys Stealer Module Launch Via Rundll32.EXE test
Splunk RunDLL Loading DLL By Ordinal production
Splunk Rundll32 Command Line (PowerShell)
Splunk Rundll32 Command Line (Sysmon)
Splunk Rundll32 Command Line (Windows Event Log)
Splunk Rundll32 Control RunDLL Hunt production
Splunk Rundll32 Control RunDLL World Writable Directory production
Splunk Rundll32 DNSQuery production
Sigma Rundll32 Execution With Uncommon DLL Extension test
Sigma Rundll32 InstallScreenSaver Execution test
Sigma Rundll32 Internet Connection test
Splunk Rundll32 LockWorkStation production
Splunk Rundll32 Process Creating Exe Dll Files production
Sigma RunDLL32 Spawning Explorer test
Splunk Rundll32 Suspicious Command Line (PowerShell)
Splunk Rundll32 Suspicious Command Line (Sysmon)
Splunk Rundll32 Suspicious Command Line (Windows Event Log)
Splunk rundll32 Suspicious Parent Process (Sysmon)
Splunk rundll32 Suspicious Parent Process (Windows Event Log)
Sigma Rundll32 UNC Path Execution test
Splunk Rundll32 with no Command Line Arguments with Network production
Splunk rundll32 with No DLL in Command Line (Sysmon)
Splunk rundll32 with No DLL in Command Line (Windows Event Log)
Splunk Rundll32.exe as Parent Process (Sysmon)
Splunk Rundll32.exe as Parent Process (Windows Event Log)
Sigma Rundll32.EXE Calling DllRegisterServer Export Function Explicitly test
Splunk rundll32.exe Executing DLL from Non-standard Directory (PowerShell)
Splunk rundll32.exe Executing DLL from Non-standard Directory (Sysmon)
Splunk rundll32.exe Executing DLL from Non-standard Directory (Windows Event Log)
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Sigma SCR File Write Event test
Sigma ScreenSaver Registry Key Set test
Elastic Script Execution via Microsoft HTML Application production
Kusto Script Interpreter Loading DotNet Assembly From Memory
Sigma Scripting/CommandLine Process Spawned Regsvr32 test
Sigma Sdiagnhost Calling Suspicious Child Process test
Sigma Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location test
Sigma Self Extraction Directive File Created In Potentially Suspicious Location test
Sigma Sensitive File Dump Via Print.EXE test
Elastic Service Control Spawned via Script Interpreter production
Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
Sigma Shell32 DLL Execution in Suspicious Directory test
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Sofacy Trojan Loader Activity test
Elastic Suspicious .NET Code Compilation production
Sigma Suspicious AddinUtil.EXE CommandLine Execution test
Sigma Suspicious AgentExecutor PowerShell Execution test
Sigma Suspicious BitLocker Access Agent Update Utility Execution experimental
Splunk Suspicious Child Process for hh.exe (Sysmon)
Splunk Suspicious Child Process for hh.exe (Windows Event Log)
Splunk Suspicious Child Process for mshta.exe (Sysmon)
Splunk Suspicious Child Process for mshta.exe (Windows Event Log)
Sigma Suspicious Child Process Of BgInfo.EXE test
Sigma Suspicious Control Panel DLL Load test
Sigma Suspicious Csi.exe Usage test
Sigma Suspicious DLL Loaded via CertOC.EXE test
Sigma Suspicious DotNET CLR Usage Log Artifact test
Sigma Suspicious Driver/DLL Installation Via Odbcconf.EXE test
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Splunk Suspicious Execution via Microsoft Common Console (Sysmon)
Splunk Suspicious Execution via Microsoft Common Console (Windows Event Log)
Elastic Suspicious Execution via MSIEXEC production building block
Elastic Suspicious Explorer Child Process production
Sigma Suspicious HH.EXE Execution test
Splunk Suspicious IcedID Rundll32 Cmdline production
Sigma Suspicious JavaScript Execution Via Mshta.EXE test
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Managed Code Hosting Process production
Elastic Suspicious Microsoft Diagnostics Wizard Execution production
Elastic Suspicious Microsoft HTML Application Child Process production
Sigma Suspicious Microsoft Office Child Process test
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Kusto Suspicious MSC File Launched
Sigma Suspicious MSDT Parent Process test
Sigma Suspicious MSHTA Child Process test
Splunk Suspicious mshta child process production
Splunk Suspicious mshta spawn production
Sigma Suspicious MsiExec Embedding Parent test
Sigma Suspicious Msiexec Execute Arbitrary DLL test
Sigma Suspicious Msiexec Quiet Install From Remote Location test
Splunk Suspicious Parent Process for msiexec.exe (Sysmon)
Splunk Suspicious Parent Process for msiexec.exe (Windows Event Log)
Elastic Suspicious PDF Reader Child Process production
Sigma Suspicious Provlaunch.EXE Child Process test
Splunk Suspicious reCAPTCHA Command Line (PowerShell)
Splunk Suspicious reCAPTCHA Command Line (Sysmon)
Sigma Suspicious Regsvr32 Execution From Remote Share test
Splunk Suspicious Regsvr32 Register Suspicious Path production
Sigma Suspicious Response File Execution Via Odbcconf.EXE test
Sigma Suspicious Rundll32 Activity Invoking Sys File test
Splunk Suspicious Rundll32 dllregisterserver production
Sigma Suspicious Rundll32 Execution With Image Extension test
Splunk Suspicious Rundll32 no Command Line Arguments production
Splunk Suspicious Rundll32 PluginInit production
Sigma Suspicious Rundll32 Setupapi.dll Activity test
Splunk Suspicious Rundll32 StartW production
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Script Object Execution production
Elastic Suspicious Shell Execution via Velociraptor production
Sigma Suspicious ShellExec_RunDLL Call Via Ordinal test
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Sigma Suspicious Speech Runtime Binary Child Process experimental
Elastic Suspicious Troubleshooting Pack Cabinet Execution production building block
Kusto Suspicious use of CPL file
Sigma Suspicious Vsls-Agent Command With AgentExtensionPath Load test
Elastic Suspicious Windows Command Shell Arguments production
Sigma Suspicious WMIC Execution Via Office Process test
Elastic Suspicious WMIC XSL Script Execution production
Sigma Suspicious WmiPrvSE Child Process test
Sigma Suspicious ZipExec Execution test
Sigma SyncAppvPublishingServer Bypass Powershell Restriction - PS Module test
Sigma SyncAppvPublishingServer Execute Arbitrary PowerShell Code test
Splunk SyncAppvPublishingServer Execution (Windows Event Log)
Sigma SyncAppvPublishingServer Execution to Bypass Powershell Restriction test
Sigma SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code test
Sigma Time Travel Debugging Utility Usage test
Sigma Time Travel Debugging Utility Usage - Image test
Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
Splunk UAC Bypass MMC Load Unsigned Dll production
Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
Splunk UAC Bypass With Colorui COM Object production
Sigma Uncommon Assistive Technology Applications Execution Via AtBroker.EXE test
Sigma Uncommon AddinUtil.EXE CommandLine Execution test
Sigma Uncommon Child Process Of AddinUtil.EXE test
Sigma Uncommon Child Process Of Appvlp.EXE test
Sigma Uncommon Child Process Of BgInfo.EXE test
Sigma Uncommon Child Process Of Defaultpack.EXE test
Sigma Uncommon Child Process Of Setres.EXE test
Sigma Uncommon Child Process Spawned By Odbcconf.EXE test
Sigma Uncommon Link.EXE Parent Process test
Splunk Uninstall App Using MsiExec production
Sigma Unsigned DLL Loaded by Windows Utility test
Elastic Unusual Child Processes of RunDLL32 production
Elastic Unusual Execution via Microsoft Common Console File production
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Network Connection via DllHost production
Elastic Unusual Network Connection via RunDLL32 production
Elastic Unusual Process Network Connection production
Elastic Unusual Process Spawned by a Host production
Elastic Unusual Process Spawned by a Parent Process production
Elastic Unusual Process Spawned by a User production
Sigma Use of Scriptrunner.exe test
Sigma Use Of The SFTP.EXE Binary As A LOLBIN test
Sigma Use of VisualUiaVerifyNative.exe test
Elastic User Detected with Suspicious Windows Process(es) production
Splunk Verclsid CLSID Execution production
Sigma Verclsid.exe Runs COM Object test
Sigma Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution test
Sigma Visual Studio NodejsTools PressAnyKey Renamed Execution test
Splunk Wbemprox COM Object Execution production
Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
Splunk Windows Application Whitelisting Bypass Attempt via Rundll32 production
Splunk Windows AppLocker Block Events production
Splunk Windows AppLocker Execution from Uncommon Locations production
Splunk Windows AppLocker Privilege Escalation via Unauthorized Bypass production
Splunk Windows AppLocker Rare Application Launch Detection production
Splunk Windows Binary Proxy Execution Mavinject DLL Injection production
Splunk Windows BitLockerToGo Process Execution production
Splunk Windows BitLockerToGo with Network Activity production
Splunk Windows Diskshadow Proxy Execution production
Splunk Windows DotNet Binary in Non Standard Path production
Splunk Windows Execute Arbitrary Commands with MSDT production
Splunk Windows Execution of Microsoft MSC File In Suspicious Path production
Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
Splunk Windows HTTP Network Communication From MSIExec production
Elastic Windows Installer with Suspicious Properties production building block
Splunk Windows InstallUtil Credential Theft production
Splunk Windows InstallUtil in Non Standard Path production
Splunk Windows InstallUtil Remote Network Connection production
Splunk Windows InstallUtil Uninstall Option production
Splunk Windows InstallUtil URL in Command Line production
Splunk Windows IOBit Unlocker Extension DLL Registration via Regsvr32 production
Splunk Windows LOLBAS Executed As Renamed File production
Splunk Windows LOLBAS Executed Outside Expected Path production
Splunk Windows Mock Trusted Directory MSC File Creation production
Splunk Windows MSC EvilTwin Directory Path Manipulation production
Splunk Windows Mshta Execution In Registry production
Splunk Windows MSHTA Writing to World Writable Path production
Splunk Windows MSI Rollback Script Deleted By Non-Msiexec Process production
Splunk Windows MSIExec DLLRegisterServer production
Splunk Windows MsiExec HideWindow Rundll32 Execution production
Splunk Windows MSIExec Remote Download production
Splunk Windows MSIExec Spawn Discovery Command production
Splunk Windows MSIExec Spawn WinDBG production
Splunk Windows MSIExec Unregister DLLRegisterServer production
Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
Splunk Windows Odbcconf Hunting production
Splunk Windows Odbcconf Load DLL production
Splunk Windows Odbcconf Load Response File production
Splunk Windows Process Writing File to World Writable Path production
Splunk Windows Proxy Execution of .NET Utilities via Scripts production
Splunk Windows Rasautou DLL Execution production
Splunk Windows Regsvr32 Renamed Binary production
Splunk Windows Rundll32 Apply User Settings Changes production
Splunk Windows Rundll32 Load DLL in Temp Dir production
Splunk Windows Rundll32 with Non-Standard File Extension production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
Splunk Windows System Binary Proxy Execution Compiled HTML File Decompile production
Splunk Windows System Script Proxy Execution Syncappvpublishingserver production
Splunk Windows Unusual Process Load Mozilla NSS-Mozglue Module production
Sigma Winrs Local Command Execution experimental
Sigma Wlrmdr.EXE Uncommon Argument Or Child Process experimental
Sigma WSL Child Process Anomaly test
Splunk wuauclt.exe Network Connection (Sysmon)
Splunk wuauclt.exe Network Connection (Windows Event Log)
Sigma XBAP Execution From Uncommon Locations Via PresentationHost.EXE test
Sigma ZxShell Malware test

System Binary Proxy Execution: Compiled HTML File T1218.001 22 rules

Splunk Detect HTML Help Renamed production
Splunk Detect HTML Help Spawn Child Process production
Splunk Detect HTML Help URL in Command Line production
Splunk Detect HTML Help Using InfoTech Storage Handlers production
Sigma HH.EXE Execution test
Splunk hh.exe Execution (PowerShell)
Splunk hh.exe Execution (Sysmon)
Splunk hh.exe Execution (Windows Event Log)
Sigma HH.EXE Initiated HTTP Network Connection test
Splunk hh.exe Remote File Execution (PowerShell)
Splunk hh.exe Remote File Execution (Sysmon)
Splunk hh.exe Remote File Execution (Windows Event Log)
Sigma HTML Help HH.EXE Suspicious Child Process test
Elastic Network Connection via Compiled HTML File production
Sigma OneNote.EXE Execution of Malicious Embedded Scripts test
Elastic Process Activity via Compiled HTML File production
Sigma Remote CHM File Download/Execution Via HH.EXE test
Splunk Suspicious Child Process for hh.exe (Sysmon)
Splunk Suspicious Child Process for hh.exe (Windows Event Log)
Sigma Suspicious HH.EXE Execution test
Elastic Suspicious MS Office Child Process production
Splunk Windows System Binary Proxy Execution Compiled HTML File Decompile production

System Binary Proxy Execution: Control Panel T1218.002 10 rules

Splunk Control Loading from World Writable Directory production
Splunk Control Panel Abuse (Sysmon)
Splunk Control Panel Abuse (Windows Event Log)
Sigma Control Panel Items test
Elastic Control Panel Process with Unusual Arguments production
Splunk Control_RunDLL Call from Command Line (Sysmon)
Splunk Control_RunDLL Call from Command Line (Windows Event Log)
Elastic Suspicious MS Office Child Process production
Kusto Suspicious use of CPL file
Elastic Unusual Network Activity from a Windows System Binary production

System Binary Proxy Execution: CMSTP T1218.003 24 rules

Sigma Bypass UAC via CMSTP test
Splunk CMLUA Or CMSTPLUA UAC Bypass production
Splunk Cmstp Execution (Sysmon)
Splunk Cmstp Execution (Windows Event Log)
Sigma CMSTP Execution Process Access stable
Sigma CMSTP Execution Process Creation stable
Sigma CMSTP Execution Registry Event stable
Sigma CMSTP UAC Bypass via COM Object Access stable
Elastic Delayed Execution via Ping production
Sigma DLL Loaded From Suspicious Location Via Cmspt.EXE test
Elastic Execution from Unusual Directory - Command Line production
Sigma Outbound Network Connection Initiated By Cmstp.EXE test
Elastic Potential Defense Evasion via CMSTP.exe production building block
Elastic Suspicious .NET Code Compilation production
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Managed Code Hosting Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious PDF Reader Child Process production
Splunk UAC Bypass With Colorui COM Object production
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Process Network Connection production
Splunk Wbemprox COM Object Execution production
Splunk Windows Unusual Process Load Mozilla NSS-Mozglue Module production

System Binary Proxy Execution: InstallUtil T1218.004 16 rules

Elastic Delayed Execution via Ping production
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of Persistent Suspicious Program production
Elastic InstallUtil Activity production building block
Elastic InstallUtil Process Making Network Connections production
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious PDF Reader Child Process production
Elastic Unusual Network Activity from a Windows System Binary production
Splunk Windows DotNet Binary in Non Standard Path production
Splunk Windows InstallUtil Credential Theft production
Splunk Windows InstallUtil in Non Standard Path production
Splunk Windows InstallUtil Remote Network Connection production
Splunk Windows InstallUtil Uninstall Option production
Splunk Windows InstallUtil URL in Command Line production

System Binary Proxy Execution: Mshta T1218.005 55 rules

Splunk Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI production
Splunk Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download production
Elastic Command and Scripting Interpreter via Windows Scripts production
Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
Elastic Delayed Execution via Ping production
Splunk Detect mshta inline hta execution production
Splunk Detect mshta renamed production
Splunk Detect MSHTA Url in Command Line production
Splunk Detect Rundll32 Inline HTA Execution production
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of a Downloaded Windows Script production
Elastic Execution of Persistent Suspicious Program production
Sigma HackTool - CACTUSTORCH Remote Thread Creation test
Elastic Incoming DCOM Lateral Movement via MSHTA production
Elastic Microsoft Build Engine Started by a Script Process production
Sigma MSHTA Execution with Suspicious File Extensions test
Elastic Mshta Making Network Connections production
Splunk Mshta spawning Rundll32 OR Regsvr32 Process production
Splunk MSHTA.exe execution (PowerShell)
Splunk MSHTA.exe execution (Sysmon)
Splunk MSHTA.exe execution (Windows Event Log)
Splunk mshta.exe File Download (PowerShell)
Splunk mshta.exe File Download (Sysmon)
Splunk mshta.exe File Download (Windows Event Log)
Sigma Potential Baby Shark Malware Activity test
Elastic Potential Execution via FileFix Phishing Attack production
Elastic Potential Fake CAPTCHA Phishing Attack production
Sigma Potential LethalHTA Technique Execution test
Elastic Process Activity via Compiled HTML File production
Sigma Remotely Hosted HTA File Executed Via Mshta.EXE test
Elastic Script Execution via Microsoft HTML Application production
Kusto Script Interpreter Loading DotNet Assembly From Memory
Elastic Service Control Spawned via Script Interpreter production
Elastic Suspicious .NET Code Compilation production
Splunk Suspicious Child Process for mshta.exe (Sysmon)
Splunk Suspicious Child Process for mshta.exe (Windows Event Log)
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious JavaScript Execution Via Mshta.EXE test
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Managed Code Hosting Process production
Elastic Suspicious Microsoft HTML Application Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Sigma Suspicious MSHTA Child Process test
Splunk Suspicious mshta child process production
Splunk Suspicious mshta spawn production
Elastic Suspicious PDF Reader Child Process production
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Windows Command Shell Arguments production
Elastic Unusual Network Activity from a Windows System Binary production
Splunk Windows Mshta Execution In Registry production
Splunk Windows MSHTA Writing to World Writable Path production
Splunk Windows Process Writing File to World Writable Path production

System Binary Proxy Execution: Msiexec T1218.007 51 rules

Kusto Detect Msiexec executing DLL network connections
Sigma DllUnregisterServer Function Call Via Msiexec.EXE test
Elastic Execution of a Downloaded Windows Script production
Sigma MSI Installation From Web test
Splunk MSI Installation via Appcert (PowerShell)
Splunk MSI Installation via Appcert (Sysmon)
Splunk MSI Installation via Appcert (Windows Event Log)
Splunk Msiexec Abuse (Sysmon)
Splunk Msiexec Abuse (Windows Event Log)
Splunk MSIExec Install MSI File (Sysmon)
Splunk MSIExec Install MSI File (Windows Event Log)
Sigma Msiexec Quiet Installation test
Elastic MsiExec Service Child Process With Network Connection production
Sigma MsiExec Web Install test
Splunk MSIExec.exe Execution (Sysmon)
Splunk MSIExec.exe Execution (Windows Event Log)
Sigma Msiexec.EXE Initiated Network Connection Over HTTP test
Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
Elastic Persistence via a Windows Installer production
Elastic Potential Escalation via Vulnerable MSI Repair production
Elastic Potential Remote File Execution via MSIEXEC production
Elastic Potential Remote Install via MsiExec production
Sigma PowerShell WMI Win32_Product Install MSI test
Splunk Remote .msi Installation (PowerShell)
Splunk Remote .msi Installation (PowerShell)
Splunk Remote .msi Installation (Sysmon)
Splunk Remote .msi Installation (Sysmon)
Splunk Remote .msi Installation (Windows Event Log)
Splunk Remote .msi Installation (Windows Event Log)
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious Execution via MSIEXEC production building block
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Microsoft HTML Application Child Process production
Sigma Suspicious MsiExec Embedding Parent test
Sigma Suspicious Msiexec Execute Arbitrary DLL test
Sigma Suspicious Msiexec Quiet Install From Remote Location test
Splunk Suspicious Parent Process for msiexec.exe (Sysmon)
Splunk Suspicious Parent Process for msiexec.exe (Windows Event Log)
Elastic Suspicious ScreenConnect Client Child Process production
Splunk Uninstall App Using MsiExec production
Elastic Unusual Network Activity from a Windows System Binary production
Splunk Windows HTTP Network Communication From MSIExec production
Elastic Windows Installer with Suspicious Properties production building block
Splunk Windows MSI Rollback Script Deleted By Non-Msiexec Process production
Splunk Windows MSIExec DLLRegisterServer production
Splunk Windows MsiExec HideWindow Rundll32 Execution production
Splunk Windows MSIExec Remote Download production
Splunk Windows MSIExec Spawn Discovery Command production
Splunk Windows MSIExec Spawn WinDBG production
Splunk Windows MSIExec Unregister DLLRegisterServer production

System Binary Proxy Execution: Odbcconf T1218.008 17 rules

Sigma Driver/DLL Installation Via Odbcconf.EXE test
Sigma New DLL Registered Via Odbcconf.EXE test
Sigma Odbcconf.EXE Suspicious DLL Location test
Sigma Potentially Suspicious DLL Registered Via Odbcconf.EXE test
Sigma Response File Execution Via Odbcconf.EXE test
Sigma Suspicious Driver/DLL Installation Via Odbcconf.EXE test
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious PDF Reader Child Process production
Sigma Suspicious Response File Execution Via Odbcconf.EXE test
Sigma Uncommon Child Process Spawned By Odbcconf.EXE test
Elastic Unusual Network Activity from a Windows System Binary production
Elastic Unusual Process Network Connection production
Splunk Windows Odbcconf Hunting production
Splunk Windows Odbcconf Load DLL production
Splunk Windows Odbcconf Load Response File production

System Binary Proxy Execution: Regsvcs/Regasm T1218.009 17 rules

Elastic Delayed Execution via Ping production
Splunk Detect Regasm Spawning a Process production
Splunk Detect Regasm with Network Connection production
Splunk Detect Regasm with no Command Line Arguments production
Splunk Detect Regsvcs Spawning a Process production
Splunk Detect Regsvcs with Network Connection production
Splunk Detect Regsvcs with No Command Line Arguments production
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of Persistent Suspicious Program production
Elastic Network Connection via Registration Utility production
Sigma Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location test
Sigma Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension test
Sigma RegAsm.EXE Execution Without CommandLine Flags or Files experimental
Sigma RegAsm.EXE Initiating Network Connection To Public IP test
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious PDF Reader Child Process production

System Binary Proxy Execution: Regsvr32 T1218.010 50 rules

Elastic Delayed Execution via Ping production
Splunk Detect Regsvr32 Application Control Bypass production
Sigma DNS Query Request By Regsvr32.EXE test
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of Persistent Suspicious Program production
Sigma HTML Help HH.EXE Suspicious Child Process test
Splunk Malicious InProcServer32 Modification production
Sigma Network Connection Initiated By Regsvr32.EXE test
Elastic Network Connection via Registration Utility production
Sigma Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 test
Elastic Potential Command and Control via Internet Explorer production
Sigma Potential EmpireMonkey Activity test
Sigma Potential Regsvr32 Commandline Flag Anomaly test
Sigma Potentially Suspicious Child Process Of Regsvr32 test
Sigma Potentially Suspicious Regsvr32 HTTP IP Pattern test
Sigma Potentially Suspicious Regsvr32 HTTP/FTP Pattern test
Sigma Regsvr32 DLL Execution With Suspicious File Extension test
Splunk regsvr32 Execution (PowerShell)
Splunk regsvr32 Execution (Sysmon)
Splunk regsvr32 Execution (Windows Event Log)
Sigma Regsvr32 Execution From Highly Suspicious Location test
Sigma Regsvr32 Execution From Potential Suspicious Location test
Splunk regsvr32 Referencing Unusual Paths (Sysmon)
Splunk regsvr32 Referencing Unusual Paths (Windows Event Log)
Kusto Regsvr32 Rundll32 Image Loads Abnormal Extension available
Kusto Regsvr32 Rundll32 with Anomalous Parent Process available
Splunk Regsvr32 Silent and Install Param Dll Loading production
Splunk Regsvr32 with Known Silent Switch Cmdline production
Sigma Scripting/CommandLine Process Spawned Regsvr32 test
Elastic Service Control Spawned via Script Interpreter production
Elastic Suspicious .NET Code Compilation production
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious HH.EXE Execution test
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Managed Code Hosting Process production
Sigma Suspicious Microsoft Office Child Process test
Elastic Suspicious MS Office Child Process production
Elastic Suspicious MS Outlook Child Process production
Elastic Suspicious PDF Reader Child Process production
Sigma Suspicious Regsvr32 Execution From Remote Share test
Splunk Suspicious Regsvr32 Register Suspicious Path production
Elastic Suspicious Script Object Execution production
Elastic Suspicious Windows Command Shell Arguments production
Sigma Suspicious WMIC Execution Via Office Process test
Sigma Suspicious WmiPrvSE Child Process test
Sigma Unsigned DLL Loaded by Windows Utility test
Elastic Unusual Network Activity from a Windows System Binary production
Splunk Windows IOBit Unlocker Extension DLL Registration via Regsvr32 production
Splunk Windows Regsvr32 Renamed Binary production

System Binary Proxy Execution: Rundll32 T1218.011 124 rules

Sigma APT29 2018 Phishing Campaign CommandLine Indicators stable
Sigma APT29 2018 Phishing Campaign File Indicators stable
Sigma Bad Opsec Defaults Sacrificial Processes With Improper Arguments test
Sigma CobaltStrike Load by Rundll32 test
Sigma Code Execution via Pcwutl.dll test
Elastic Command Shell Activity Started via RunDLL32 production
Splunk Control_RunDLL Call from Command Line (Sysmon)
Splunk Control_RunDLL Call from Command Line (Windows Event Log)
Elastic Delayed Execution via Ping production
Sigma DLL Call by Ordinal Via Rundll32.EXE stable
Splunk DLL Called with RS32 (PowerShell)
Splunk DLL Called with RS32 (Sysmon)
Splunk DLL Called with RS32 (Windows Event Log)
Splunk DLL Called with Uncommon Function (PowerShell)
Splunk DLL Called with Uncommon Function (Sysmon)
Splunk DLL Called with Uncommon Function (Windows Event Log)
Splunk DLL Execution from Uncommon Process (PowerShell)
Splunk DLL Execution from Uncommon Process (Sysmon)
Splunk DLL Execution from Uncommon Process (Windows Event Log)
Splunk DLLRegisterServer Called from Command Line (PowerShell)
Splunk DLLRegisterServer Called from Command Line (Sysmon)
Splunk DLLRegisterServer Called from Command Line (Windows Event Log)
Sigma Equation Group DLL_U Export Function Load stable
Sigma EvilNum APT Golden Chickens Deployment Via OCX Files test
Splunk Executable Process from Suspicious Folder (PowerShell)
Splunk Executable Process from Suspicious Folder (Sysmon)
Splunk Executable Process from Suspicious Folder (Windows Event Log)
Elastic Execution from Unusual Directory - Command Line production
Elastic Execution of Persistent Suspicious Program production
Elastic Execution via GitHub Actions Runner production
Elastic Execution via Microsoft DotNet ClickOnce Host production building block
Elastic Execution via OpenClaw Agent production
Elastic File or Directory Deletion Command production building block
Sigma Fireball Archer Install test
Sigma HackTool - F-Secure C3 Load by Rundll32 test
Sigma HackTool - RedMimicry Winnti Playbook Execution test
Sigma HTML Help HH.EXE Suspicious Child Process test
Sigma IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 test
Sigma Kapeka Backdoor Execution Via RunDLL32.EXE test
Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
Sigma NotPetya Ransomware Activity test
Sigma Outbound Network Connection To Public IP Via Winlogon test
Sigma Potential Bumblebee Remote Thread Creation test
Elastic Potential Command and Control via Internet Explorer production
Elastic Potential Credential Access via Renamed COM+ Services DLL production
Elastic Potential Credential Access via Windows Utilities production
Sigma Potential Emotet Rundll32 Execution test
Elastic Potential Local NTLM Relay via HTTP production
Sigma Potential PowerShell Execution Via DLL test
Elastic Potential Protocol Tunneling via Yuze production
Sigma Potential Raspberry Robin CPL Execution Activity test
Sigma Potentially Suspicious Rundll32 Activity test
Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File test
Sigma Process Access via TrolleyExpress Exclusion test
Elastic Rare Connection to WebDAV Target production
Kusto Regsvr32 Rundll32 Image Loads Abnormal Extension available
Kusto Regsvr32 Rundll32 with Anomalous Parent Process available
Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
Sigma Rhadamanthys Stealer Module Launch Via Rundll32.EXE test
Splunk RunDLL Loading DLL By Ordinal production
Splunk Rundll32 Command Line (PowerShell)
Splunk Rundll32 Command Line (Sysmon)
Splunk Rundll32 Command Line (Windows Event Log)
Splunk Rundll32 Control RunDLL Hunt production
Splunk Rundll32 Control RunDLL World Writable Directory production
Splunk Rundll32 DNSQuery production
Sigma Rundll32 Execution With Uncommon DLL Extension test
Sigma Rundll32 InstallScreenSaver Execution test
Sigma Rundll32 Internet Connection test
Splunk Rundll32 LockWorkStation production
Splunk Rundll32 Process Creating Exe Dll Files production
Sigma RunDLL32 Spawning Explorer test
Splunk Rundll32 Suspicious Command Line (PowerShell)
Splunk Rundll32 Suspicious Command Line (Sysmon)
Splunk Rundll32 Suspicious Command Line (Windows Event Log)
Splunk rundll32 Suspicious Parent Process (Sysmon)
Splunk rundll32 Suspicious Parent Process (Windows Event Log)
Sigma Rundll32 UNC Path Execution test
Splunk Rundll32 with no Command Line Arguments with Network production
Splunk rundll32 with No DLL in Command Line (Sysmon)
Splunk rundll32 with No DLL in Command Line (Windows Event Log)
Splunk Rundll32.exe as Parent Process (Sysmon)
Splunk Rundll32.exe as Parent Process (Windows Event Log)
Splunk rundll32.exe Executing DLL from Non-standard Directory (PowerShell)
Splunk rundll32.exe Executing DLL from Non-standard Directory (Sysmon)
Splunk rundll32.exe Executing DLL from Non-standard Directory (Windows Event Log)
Sigma SCR File Write Event test
Sigma ScreenSaver Registry Key Set test
Elastic Script Execution via Microsoft HTML Application production
Elastic Service Control Spawned via Script Interpreter production
Sigma Shell32 DLL Execution in Suspicious Directory test
Sigma Sofacy Trojan Loader Activity test
Elastic Suspicious .NET Code Compilation production
Sigma Suspicious Control Panel DLL Load test
Elastic Suspicious Execution from a Mounted Device production
Elastic Suspicious Execution from VS Code Extension production
Elastic Suspicious Explorer Child Process production
Sigma Suspicious HH.EXE Execution test
Splunk Suspicious IcedID Rundll32 Cmdline production
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Microsoft HTML Application Child Process production
Elastic Suspicious MS Office Child Process production
Sigma Suspicious Rundll32 Activity Invoking Sys File test
Splunk Suspicious Rundll32 dllregisterserver production
Sigma Suspicious Rundll32 Execution With Image Extension test
Splunk Suspicious Rundll32 no Command Line Arguments production
Splunk Suspicious Rundll32 PluginInit production
Sigma Suspicious Rundll32 Setupapi.dll Activity test
Splunk Suspicious Rundll32 StartW production
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Shell Execution via Velociraptor production
Sigma Suspicious ShellExec_RunDLL Call Via Ordinal test
Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
Sigma Unsigned DLL Loaded by Windows Utility test
Elastic Unusual Child Processes of RunDLL32 production
Elastic Unusual Network Connection via RunDLL32 production
Splunk Windows Application Whitelisting Bypass Attempt via Rundll32 production
Splunk Windows LOLBAS Executed As Renamed File production
Splunk Windows LOLBAS Executed Outside Expected Path production
Splunk Windows Rundll32 Apply User Settings Changes production
Splunk Windows Rundll32 Load DLL in Temp Dir production
Splunk Windows Rundll32 with Non-Standard File Extension production
Elastic Windows Server Update Service Spawning Suspicious Processes production
Sigma ZxShell Malware test

System Binary Proxy Execution: Verclsid T1218.012 1 rule

Splunk Verclsid CLSID Execution production

System Binary Proxy Execution: Mavinject T1218.013 3 rules

Sigma Mavinject Inject DLL Into Running Process test
Sigma Renamed Mavinject.EXE Execution test
Splunk Windows Binary Proxy Execution Mavinject DLL Injection production

System Binary Proxy Execution: MMC T1218.014 22 rules

Splunk .msc Executed from Unusual Location (Sysmon)
Splunk .msc Executed from Unusual Location (Windows Event Log)
Splunk Group Policy Editor Execution (PowerShell)
Splunk Group Policy Editor Execution (Sysmon)
Splunk Group Policy Editor Execution (Windows Event Log)
Elastic Incoming DCOM Lateral Movement with MMC production
Elastic Microsoft Management Console File from Unusual Path production
Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
Sigma MMC Loading Script Engines DLLs experimental
Splunk Mmc LOLBAS Execution Process Spawn production
Splunk Possible Lateral Movement PowerShell Spawn production
Kusto Process Injection Initiated By MMC
Kusto Script Interpreter Loading DotNet Assembly From Memory
Splunk Suspicious Execution via Microsoft Common Console (Sysmon)
Splunk Suspicious Execution via Microsoft Common Console (Windows Event Log)
Kusto Suspicious MSC File Launched
Splunk UAC Bypass MMC Load Unsigned Dll production
Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
Elastic Unusual Execution via Microsoft Common Console File production
Splunk Windows Execution of Microsoft MSC File In Suspicious Path production
Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
Splunk Windows Mock Trusted Directory MSC File Creation production

XSL Script Processing T1220 15 rules

Splunk Cisco NVM - Suspicious Network Connection Initiated via MsXsl production
Elastic Delayed Execution via Ping production
Splunk Msxsl Execution (EDR)
Splunk Msxsl Execution (Sysmon)
Splunk Msxsl Execution (Windows Event Log)
Sigma Msxsl.EXE Execution test
Elastic Network Connection via MsXsl production
Sigma Potential Remote SquiblyTwo Technique Execution test
Sigma Remote XSL Execution Via Msxsl.EXE test
Elastic Remote XSL Script Execution via COM production
Elastic Suspicious WMIC XSL Script Execution production
Sigma WMIC Loading Scripting Libraries test
Splunk WMIC XSL Execution via URL production
Sigma XSL Script Execution Via WMIC.EXE test
Splunk XSL Script Execution With WMIC production

Template Injection T1221 2 rules

Sigma Server Side Template Injection Strings test
Sigma Suspicious Set Value of MSDT in Registry (CVE-2022-30190) test

Execution Guardrails T1480 2 rules

Splunk Linux Auditd AI CLI Permission Override Activated production
Kusto Power Platform - DLP policy updated or removed available

Virtualization/Sandbox Evasion T1497 20 rules

Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Elastic Delayed Execution via Ping production
Splunk Headless Browser Usage production
Splunk Ping Sleep Batch Command production
Elastic Potential Microsoft Office Sandbox Evasion production
Sigma Powershell Detect Virtualization Environment test
Elastic Suspicious SIP Check by macOS Application production
Sigma System Information Discovery Using System_Profiler test
Sigma System Information Discovery Via Sysctl - MacOS test
Elastic Virtual Machine Fingerprinting production
Elastic Virtual Machine Fingerprinting via Grep production
Splunk Windows Chromium Browser Launched with Small Window Size production
Splunk Windows Chromium Browser No Security Sandbox Process production
Splunk Windows Chromium Browser with Custom User Data Directory production
Splunk Windows Chromium process Launched with Disable Popup Blocking production
Splunk Windows Chromium Process Launched with Logging Disabled production
Splunk Windows Chromium Process with Disabled Extensions production
Splunk Windows Time Based Evasion production
Splunk Windows Time Based Evasion via Choice Exec production

Virtualization/Sandbox Evasion: System Checks T1497.001 8 rules

Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Sigma Powershell Detect Virtualization Environment test
Elastic Suspicious SIP Check by macOS Application production
Sigma System Information Discovery Using System_Profiler test
Sigma System Information Discovery Via Sysctl - MacOS test
Elastic Virtual Machine Fingerprinting production
Elastic Virtual Machine Fingerprinting via Grep production

Virtualization/Sandbox Evasion: Time Based Checks T1497.003 4 rules

Elastic Delayed Execution via Ping production
Splunk Ping Sleep Batch Command production
Splunk Windows Time Based Evasion production
Splunk Windows Time Based Evasion via Choice Exec production

Unused/Unsupported Cloud Regions T1535 10 rules

Panther AWS Cloudtrail Region Enabled
Panther AWS ECR Events
YARA-L AWS Enable Or Disable Region
Splunk AWS Successful Console Authentication From Multiple IPs production
Splunk Cloud Compute Instance Created In Previously Unused Region production
Splunk Detect AWS Console Login by User from New City production
Splunk Detect AWS Console Login by User from New Country production
Splunk Detect AWS Console Login by User from New Region production
Panther GCP Resource in Unused Region
Panther Unused AWS Region

Pre-OS Boot T1542 17 rules

Elastic Boot File Copy production
Splunk Detect Software Download To Network Device experimental
Elastic Dracut Module Creation production
Elastic GRUB Configuration File Creation production
Elastic GRUB Configuration Generation through Built-in Utilities production
Elastic Initramfs Extraction via CPIO production
Elastic Initramfs Unpacking via unmkinitramfs production
Elastic Manual Dracut Execution production
Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
Sigma UEFI Persistence Via Wpbbin - FileCreation test
Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
Splunk Windows BootLoader Inventory experimental
Splunk Windows EFI Bootloader File Modification production
Splunk Windows EFI Volume Mount Attempt Via Mountvol production
Splunk Windows Registry BootExecute Modification production
Splunk Windows Suspicious File in EFI Volume production
Splunk Windows WinLogon with Public Network Connection production

Pre-OS Boot: System Firmware T1542.001 4 rules

Sigma UEFI Persistence Via Wpbbin - FileCreation test
Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
Splunk Windows BootLoader Inventory experimental
Splunk Windows Suspicious File in EFI Volume production

Pre-OS Boot: Bootkit T1542.003 4 rules

Elastic Initramfs Unpacking via unmkinitramfs production
Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
Splunk Windows EFI Bootloader File Modification production
Splunk Windows WinLogon with Public Network Connection production

Pre-OS Boot: TFTP Boot T1542.005 1 rule

Splunk Detect Software Download To Network Device experimental

Impair Defenses T1562 421 rules

Panther A User from the company domain(s) Logged in without SAML
Panther Account Security Configuration Changed
Panther Anthropic MCP Server Deleted
Panther Anthropic Organization Settings Updated
Elastic AppArmor Policy Interface Access production
Elastic AppArmor Policy Violation Detected production
Elastic AppArmor Profile Compilation via apparmor_parser production
Elastic Application Removed from Blocklist in Google Workspace production
Panther AppOmni Alert Passthrough
Sigma Attack protection features manipulation - some attack protection features have been disabled. experimental
Elastic Attempt to Clear Kernel Ring Buffer production
Elastic Attempt to Clear Logs via Journalctl production
Elastic Attempt to Deactivate an Okta Network Zone production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Deactivate an Okta Policy Rule production
Sigma Attempt To Delete A CloudTrail Log test
Elastic Attempt to Delete an Okta Network Zone production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Delete an Okta Policy Rule production
Elastic Attempt to Disable Auditd Service production
Elastic Attempt to Disable IPTables or Firewall production
Elastic Attempt to Disable Syslog Service production
Elastic Attempt to Modify an Okta Network Zone production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Modify an Okta Policy Rule production
Sigma Attempt To Modify CloudTrail Log Settings test
Sigma Attempt To Stop CloudTrail Logging test
Elastic Attempt to Unload Elastic Endpoint Security Kernel Extension production
Sigma Audit policy disabled by command line experimental
Sigma Audit policy disabled by command line experimental
Panther Auth0 Attack Protection Monitoring Disabled
Panther Auth0 Bot Detection Policy Disabled
YARA-L AWS Account Leaving Or Removed From The Organization
Panther AWS ACM Secure Algorithms
Elastic AWS Bedrock Automated Reasoning Safety Policy Tampering production
Elastic AWS Bedrock Guardrail Deleted or Weakened production
Elastic AWS Bedrock Model Invocation Logging Disabled or Modified production
Panther AWS CloudTrail CloudWatch Logs
Panther AWS CloudTrail Least Privilege Access
Elastic AWS CloudTrail Log Created production
Elastic AWS CloudTrail Log Deleted production
Elastic AWS CloudTrail Log Evasion production
Elastic AWS CloudTrail Log Suspended production
Elastic AWS CloudTrail Log Updated production
Panther AWS CloudTrail Log Validation
YARA-L AWS CloudTrail Logging Tampered
Panther AWS CloudTrail Management Events Enabled
Elastic AWS CloudWatch Alarm Deletion production
Elastic AWS CloudWatch Log Group Deletion production
Elastic AWS CloudWatch Log Stream Deletion production
Elastic AWS Config Resource Deletion production
Panther AWS Config Service Disabled
YARA-L AWS Config Service Modified
Elastic AWS Configuration Recorder Stopped production
YARA-L AWS Delete CloudWatch Log Group
YARA-L AWS Delete VPC Flow Logs
Panther AWS EC2 Instance Detailed Monitoring
Panther AWS EC2 Manual Security Group Change
Elastic AWS EC2 Network Access Control List Creation production
Elastic AWS EC2 Network Access Control List Deletion production
Elastic AWS EC2 Security Group Configuration Change production
Elastic AWS EC2 Serial Console Access Enabled production
Elastic AWS EKS Control Plane Logging Disabled production
Elastic AWS EventBridge Rule Disabled or Deleted production
Elastic AWS GuardDuty Detector Deletion production
YARA-L AWS GuardDuty Disabled
Panther AWS GuardDuty Enabled
Panther AWS GuardDuty Master Account
Elastic AWS GuardDuty Member Account Manipulation production
YARA-L AWS GuardDuty Publishing Destination Deleted
YARA-L AWS GuardDuty Trusted Or Threat IP Lists Tampered
YARA-L AWS IAM Access Analyzer Deleted
Elastic AWS KMS Key Policy Updated via PutKeyPolicy production
Panther AWS Macie Disabled/Updated
Panther AWS RDS Deletion Protection Disabled
Panther AWS Redshift Cluster Logging
Elastic AWS Route 53 Domain Transfer Lock Disabled production
Elastic AWS Route 53 Resolver Query Log Configuration Deleted production
Elastic AWS S3 Bucket Configuration Deletion production
Elastic AWS S3 Bucket Expiration Lifecycle Configuration Added production
Panther AWS S3 Bucket Logging
YARA-L AWS S3 Bucket Made Public By ACL
Elastic AWS S3 Bucket Server Access Logging Disabled production
YARA-L AWS S3 Public Access Block Removed
Panther AWS S3 Security Control Disabling Experimental
Panther AWS S3 Security Controls Disabled Deprecated
YARA-L AWS Security Group Open To The World
Kusto AWS Security Hub - Detect CloudTrail trails lacking KMS encryption available
Panther AWS SecurityHub Finding Evasion
Elastic AWS SQS Queue Purge production
Panther AWS Trusted IPSet Modified
Panther AWS VPC Flow Logs
Elastic AWS VPC Flow Logs Deletion production
Elastic AWS WAF Access Control List Deletion production
Panther AWS WAF Logging Configured
Elastic AWS WAF Rule or Rule Group Deletion production
Kusto AWSCloudTrail - Amazon ECR image scanning disabled available
Kusto AWSCloudTrail - AWS GuardDuty detector disabled or suspended available
Kusto AWSCloudTrail - Changes to Amazon VPC settings available
Kusto AWSCloudTrail - Changes to AWS Elastic Load Balancer security groups available
Kusto AWSCloudTrail - Changes to AWS Security Group ingress and egress settings available
Kusto AWSCloudTrail - Changes to internet facing AWS RDS Database instances available
Kusto AWSCloudTrail - Config Service Resource Deletion Attempts available
Kusto AWSCloudTrail - Network ACL with all the open ports to a specified CIDR available
Kusto AWSCloudTrail - Tampering to AWS CloudTrail logs available
Panther Azure Alert Suppression Rule Created or Modified
Kusto Azure DevOps Audit Stream Disabled available
Elastic Azure Diagnostic Settings Alert Suppression Rule Created or Modified production
Elastic Azure Diagnostic Settings Deleted production
Kusto Azure Diagnostic settings removed from a resource
Elastic Azure Event Hub Deleted production
Elastic Azure Kubernetes Services (AKS) Kubernetes Events Deleted production
Panther Azure Recovery Services Protection Container Deleted
Elastic Azure Resource Group Deleted production
Panther Azure Resource Lock Deleted
Panther Azure Storage Immutability Policy Deleted
Elastic Azure VNet Firewall Front Door WAF Policy Deleted production
Elastic Azure VNet Firewall Policy Deleted production
Elastic Azure VNet Network Watcher Deleted production
Sigma Bot detection - the feature is turned off completely or some policies. experimental
Elastic BPF filter applied using TC production
Elastic BPF Program Tampering via bpftool production
Sigma Breached Password Detection - critical settings manipulated experimental
Sigma Brute Force Protection - critical settings manipulated experimental
Kusto BTP - Audit log service unavailable available
Kusto Check Point Exposure Management - Alert Ingestion Anomaly available
Splunk Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal production
Splunk Cisco IOS XE VTY Access Class Tampering production
Kusto Cisco SE - Policy update failure available
Kusto CiscoISE - Log collector was suspended available
Elastic Clearing Windows Event Logs production
Panther CloudTrail Event Selectors Disabled
Sigma CloudTrail Log Deleted test
Sigma CloudTrail Log Settings Modified test
Sigma CloudTrail Logging Stopped test
Panther CloudTrail Stopped
Kusto Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
Kusto Conditional Access - A Conditional Access policy was deleted
Kusto Conditional Access - A Conditional Access policy was disabled
Kusto Conditional Access - A Conditional Access policy was put into report-only mode
Kusto Conditional Access - A Conditional Access policy was updated
Kusto Conditional Access - A new Conditional Access policy was created
Kusto Copilot - File Uploads Disabled available
Kusto Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes) available
Kusto Critical or High Severity Detections by User available
Kusto CTERA Mass Access Denied Detection Analytic available
Panther Databricks Delta Sharing Recipient Without IP ACLs Experimental
Kusto Dataverse - Audit logging disabled available
Elastic Decline in host-based traffic production
Splunk Defender Registry Values Modified (Sysmon)
Splunk Defender Registry Values Modified (Windows Event Log)
Kusto Deleted a Custom Field Mapping profile available
Kusto Deleted a Tenant available
Elastic Deprecated - M365 Exchange DLP Policy Deleted production
Elastic Deprecated - M365 Teams External Access Enabled production
Kusto Detect Windows Allow Firewall Rule Addition/Modification available
Kusto Detect Windows Update Disabled from Registry available
Panther Detection content has been deleted from Panther
Kusto Dev-0270 Malicious Powershell usage available
Kusto Disable or Modify Windows Defender available
Elastic Disable Windows Event and Security Logs Using Built-in Tools production
Elastic Disable Windows Firewall Rules via Netsh production
Elastic Disabling Lsa Protection via Registry Modification production
Kusto Disabling Security Services via Registry available
Elastic Disabling User Account Control via Registry Modification production
Elastic Disabling Windows Defender Security Settings via PowerShell production
Elastic DNS Global Query Block List Modified or Disabled production
Elastic DNS-over-HTTPS Enabled via Registry production
Elastic Domain Added to Google Workspace Trusted Domains production
Kusto Doppelpaymer Stop Services available
Panther EC2 Network ACL Modified
Panther EC2 Network Gateway Modified
Panther EC2 Security Group Modified
Panther EC2 VPC Modified
Elastic Elastic Agent Service Terminated production
Elastic Elastic Defend Alert Followed by Telemetry Loss production
Elastic Enable Host Network Discovery via Netsh production
Splunk ETW Trace Provider Modified - PowerShell (PowerShell)
Sigma Event log deactivation or size reduction (command) experimental
Kusto Excessive Denied Proxy Traffic available
Sigma Excessive or unexpected Management API scope grants on applications experimental
Kusto Exchange AuditLog Disabled available
Sigma Firewall deactivation (deprecated command) experimental
Sigma Firewall deactivation (firewall) experimental
Sigma Firewall deactivation (modern command) experimental
Sigma Firewall deactivation (PowerShell) experimental
Sigma Firewall Disabled experimental
Sigma Firewall rule added using PowerShell or CMD experimental
Sigma Firewall rule any/any created experimental
Sigma Firewall rule creation (command) experimental
Kusto Firewall rule manipulation attempts stateful anomaly on database available
Elastic Gatekeeper Override and Execution production
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
Kusto GCP Audit Logs - Detect Bulk VM Snapshot Deletion available
Kusto GCP Audit Logs - Detect Organization Policy Deletion or Updation available
Kusto GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available
Kusto GCP Audit Logs - Open Firewall Rule Created or Modified available
Kusto GCP Audit Logs - VPC Flow Logs Disabled available
YARA-L GCP BigQuery Datasets Opened To Public
YARA-L GCP Cloud Audit Logging Removed From All Services
Panther GCP Cloud Storage Buckets Modified Or Deleted
YARA-L GCP Exempt Principals From Audit Log
Elastic GCP Firewall Rule Creation production
Elastic GCP Firewall Rule Deletion production
Elastic GCP Firewall Rule Modification production
YARA-L GCP Firewall Rule Opened To The World
Kusto GCP IAM - Disable Data Access Logging available
Panther GCP KMS Key Granted to GCS Service Account
Panther GCP KMS Key Version Disabled or Destroyed Experimental
Elastic GCP Logging Bucket Deletion production
Elastic GCP Logging Sink Deletion production
Elastic GCP Logging Sink Modification production
Elastic GCP Pub/Sub Subscription Deletion production
Elastic GCP Pub/Sub Topic Deletion production
Kusto GCP Security Command Center - Detect DNSSEC disabled for DNS zones available
Kusto GCP Security Command Center - Detect Resources with Logging Disabled available
YARA-L GCP Security Command Center Service Disabled
YARA-L GCP Storage Bucket Opened To Public
Elastic GCP Virtual Private Cloud Network Deletion production
Elastic GCP Virtual Private Cloud Route Creation production
Elastic GCP Virtual Private Cloud Route Deletion production
Elastic GitHub App Deleted production
YARA-L GitHub Dependabot Vulnerability Alerts Disabled
YARA-L GitHub Enterprise Audit Log Stream Destroyed
YARA-L GitHub Enterprise Audit Log Stream Modified
YARA-L GitHub Personal Access Token Auto Approve Policy Modified
Elastic GitHub Protected Branch Settings Changed production
YARA-L GitHub Repository Branch Protection Rules Disabled
Panther GitHub Repository Ruleset Modified
Elastic GitHub Secret Scanning Disabled production
YARA-L GitHub Secret Scanning Disabled Or Bypassed
Panther GitHub Security Change, includes GitHub Advanced Security
YARA-L GitHub SSO Configuration Modified
Kusto GitHub Two Factor Auth Disable available
YARA-L GitHub Two-Factor Authentication Requirement Disabled
Elastic Google Workspace Bitlocker Setting Disabled production
YARA-L Google Workspace Marketplace Allowlist Configuration
YARA-L Google Workspace New Trusted Domain Added
Elastic Google Workspace Restrictions for Marketplace Modified to Allow Any App production
Panther GSuite User Advanced Protection Change
Elastic High Number of Process and/or Service Terminations production
Elastic High Number of Process Terminations production
Elastic IIS HTTP Logging Disabled production
Kusto Illumio Enforcement Change Analytic Rule available
Kusto Illumio Firewall Tampering Analytic Rule available
Kusto Illumio VEN Clone Detection Rule available
Kusto Illumio VEN Deactivated Detection Rule available
Kusto Illumio VEN Offline Detection Rule available
Kusto Illumio VEN Suspend Detection Rule available
Kusto Imminent Ransomware available
Elastic Insecure AWS EC2 VPC Security Group Ingress Rule Added production
Sigma Insecure OAuth2.x flows have been enabled for some applications experimental
Elastic Kerberos Pre-authentication Disabled for User production
Elastic Kernel Module Removal production
Elastic Kill Command Execution production
Elastic Kubernetes Admission Webhook Created or Modified production
Panther Kubernetes Pod Using Host IPC Namespace
Sigma Loaded LiquidJS error page template contains XSS vulnerabilities experimental
Elastic Local Account TokenFilter Policy Disabled production
Elastic M365 Exchange Anti-Phish Policy Deleted production
Elastic M365 Exchange Anti-Phish Rule Modification production
Elastic M365 Exchange DKIM Signing Configuration Disabled production
Elastic M365 Exchange Email Safe Attachment Rule Disabled production
Elastic M365 Exchange Email Safe Link Policy Disabled production
Elastic M365 Exchange Mail Flow Transport Rule Modified production
Elastic M365 Exchange Mailbox Audit Logging Bypass Added production
Elastic M365 Exchange Malware Filter Policy Deleted production
Elastic M365 Exchange Malware Filter Rule Modified production
Elastic M365 Security Compliance Admin Signal production building block
Elastic M365 SharePoint Site Sharing Policy Weakened production
Elastic M365 Teams Custom Application Interaction Enabled production
Panther MacOS ALF is misconfigured
Sigma macOS System Integrity Protection Modification Attempt experimental
Sigma macOS TCC Database Modification experimental
Kusto McAfee ePO - Agent Handler down available
Kusto McAfee ePO - Attempt uninstall McAfee agent available
Kusto McAfee ePO - Deployment failed available
Kusto McAfee ePO - Error sending alert available
Kusto McAfee ePO - File added to exceptions available
Kusto McAfee ePO - Firewall disabled available
Kusto McAfee ePO - Logging error occurred available
Kusto McAfee ePO - Multiple threats on same host available
Kusto McAfee ePO - Scanning engine disabled available
Kusto McAfee ePO - Task error available
Kusto McAfee ePO - Threat was not blocked available
Kusto McAfee ePO - Unable to clean or delete infected file available
Kusto McAfee ePO - Update failed available
Sigma MFA downgrade - adaptive MFA risk assessment disabled experimental
Sigma MFA downgrade - disable MFA policies by modifying the policies experimental
Sigma MFA downgrade - disable strong factors experimental
Sigma Microsoft Defender critical security components disabled (command) experimental
Sigma Microsoft Defender critical security components disabled (PowerShell) experimental
Sigma Microsoft Defender default action changed to allow any threat (command) experimental
Sigma Microsoft Defender default action changed to allow any threat (PowerShell) experimental
Sigma Microsoft Defender real time protection failure (native) experimental
Sigma Microsoft Defender security components disabled (command) experimental
Sigma Microsoft Defender security components disabled (PowerShell) experimental
Sigma Microsoft Defender service components status disabled (Registry via Sysmon) experimental
Sigma Microsoft Defender service deactivation attempt (command) experimental
Sigma Microsoft Defender threat exclusion added (native) experimental
Sigma Microsoft Defender threat exclusion added (PowerShell) experimental
Elastic Microsoft Windows Defender Tampering production
Elastic Modification of AmsiEnable Registry Key production
Elastic Modification of Safari Settings via Defaults Command production
Splunk Modify Windows Defender (EDR)
Splunk Modify Windows Defender (PowerShell)
Splunk Modify Windows Defender (Sysmon)
Splunk Modify Windows Defender (Windows Event Log)
Kusto MosaicLoader available
Kusto Netskope - Repeated or Critical Policy Violations available
Elastic Network-Level Authentication (NLA) Disabled production
Kusto NRT Azure DevOps Audit Stream Disabled available
Kusto NRT GitHub Two Factor Auth Disable
Sigma NTLM downgrade attack (Reg via SYSMON) experimental
Sigma OCSP responder auditing settings changed or disabled experimental
YARA-L Office 365 logging has been enabled
YARA-L Office 365 logging is disabled
Kusto Office Policy Tampering available
Sigma OpenSSH server firewall configuration on Windows (command) experimental
Sigma OpenSSH server firewall configuration on Windows (firewall) experimental
Sigma OpenSSH server firewall configuration on Windows (PowerShell) experimental
Panther OSQuery Reports Application Firewall Disabled
Panther Panther SAML configuration has been modified
Kusto Pathlock TDnR - ABAP Source Code Changes available
Kusto Pathlock TDnR - Authorization Check Value Changes (SU24) available
Kusto Pathlock TDnR - Critical File Integrity Changes available
Kusto Pathlock TDnR - DDIC Table Utility Changes (SE14) available
Kusto Pathlock TDnR - Generic SAP Change Documents available
Kusto Pathlock TDnR - Generic Table Content Changes available
Kusto Pathlock TDnR - Global System Change Setting Events available
Kusto Pathlock TDnR - ICM Security Events available
Kusto Pathlock TDnR - SAP Client Configuration Changes available
Kusto Pathlock TDnR - SAP HANA Parameter Changes available
Kusto Pathlock TDnR - SAP Instance Profile Changes available
Kusto Pathlock TDnR - SAP Security Audit Log Events available
Kusto Pathlock TDnR - SE16N Direct Table Change Documents available
Kusto Pathlock TDnR - SU24 Table USOBT_C Changes available
Kusto Pathlock TDnR - SU24 Table USOBX_C Changes available
Kusto Pathlock TDnR - Switchable Authorization Design Changes available
Kusto Pathlock TDnR - Switchable Authorization Runtime Changes available
Kusto Pathlock TDnR - System Security Policy Changes available
Kusto Pathlock TDnR - Table Parameter Setting Changes available
Kusto Pathlock TDnR - User Authorization Buffer Manipulation available
Elastic Potential Antimalware Scan Interface Bypass via PowerShell production
Elastic Potential Disabling of AppArmor production
Elastic Potential Disabling of SELinux production
Elastic Potential Evasion via Filter Manager production
Elastic Potential Evasion via Windows Filtering Platform production
Elastic Potential HTTP Downgrade Attack production
Elastic Potential NetNTLMv1 Downgrade Attack production
Elastic Potential Privacy Control Bypass via TCCDB Modification production
Elastic Potential RemoteMonologue Attack production
Kusto Power Automate - Unusual bulk deletion of flow resources available
Elastic PowerShell Script Block Logging Disabled production
Elastic PowerShell Script with Windows Defender Tampering Capabilities production
Elastic Quarantine Attrib Removed by Unsigned or Untrusted Process production
YARA-L Reg Add Suspicious Paths
Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
Sigma Risk for misconfiguration - use of Auth0 tenant name URL. experimental
Panther S3 Bucket Encryption Deleted Experimental
Panther S3 Bucket Logging Disabled
Panther S3 Bucket Replication Deleted
Panther S3 Bucket Versioning Suspended
Panther S3 MFA Delete Disabled
Panther S3 Public Access Block Deleted Experimental
YARA-L sap deactivation of security audit log
YARA-L sap hanadb audit trail policy changes
YARA-L sap hanadb deactivation of audit trail
YARA-L sap security audit log configuration change
YARA-L sap system or client configuration change
Kusto Scheduled Task Hide available
Elastic Scheduled Tasks AT Command Enabled production
Kusto Security Service Registry ACL Modification
Elastic SELinux Configuration Creation or Renaming production
Panther Sensitive API Calls Via VPC Endpoint
Elastic Sensitive Audit Policy Sub-Category Disabled production
Elastic Service Disabled via Registry Modification production building block
Splunk Service Stop Commands (PowerShell)
Splunk Service Stop Commands (Sysmon)
Splunk Service Stop Commands (Windows Event Log)
Sigma SIGKILL Sent to Security Tools experimental
Sigma SMB insecure guest authentication activated (native) experimental
Elastic SoftwareUpdate Preferences Modification production
Elastic SolarWinds Process Disabling Services via Registry production
Sigma SQL Server auditing deactivated experimental
Sigma SQL Server database auditing deactivated experimental
Kusto Starting or Stopping HealthService to Avoid Detection available
Kusto Stopping multiple processes using taskkill available
Elastic Suspicious Antimalware Scan Interface DLL production
Sigma Suspicious IP Throttling - critical settings manipulated experimental
Elastic Suspicious Kernel Feature Activity production
Elastic Suspicious Sysctl File Event production building block
Elastic Suspicious Write Attempt to AppArmor Policy Management Files production
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Kusto Trend Micro CAS - Threat detected and not blocked available
Sigma Unauthorized or Unexpected Enabling of Cross-Origin Authentication (CORS) experimental
Sigma Unrecognized IP in attack protection allowlists experimental
Panther Upwind Posture Detection Passthrough Experimental
Kusto Valimail Enforce - DMARC Policy Weakened to None available
Kusto Valimail Enforce - Email Authentication Key Deleted available
Kusto Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available
Elastic WDAC Policy File by an Unusual Process production
Sigma Wdigest authentication enabled (Reg via command) experimental
Sigma Wdigest authentication enabled (registry) experimental
Splunk WFP Blocked Connection from EDR Agent (Windows Event Log)
Splunk WFP Filter and Provider Changed (Windows Event Log)
Splunk Windows - Service Stop (PowerShell)
Splunk Windows - Service Stop (Windows Event Log)
Splunk Windows Defender Disabled Detection (EDR)
Splunk Windows Defender Disabled Detection (PowerShell)
Splunk Windows Defender Disabled Detection (Sysmon)
Splunk Windows Defender Disabled Detection (Windows Event Log)
Elastic Windows Defender Disabled via Registry Modification production
Elastic Windows Defender Exclusions Added via PowerShell production
Splunk Windows Firewall Disabled (PowerShell)
Splunk Windows Firewall Disabled (Sysmon)
Splunk Windows Firewall Disabled (Windows Event Log)
Elastic Windows Firewall Disabled via PowerShell production
Splunk Windows Firewall Rule Creation (PowerShell)
Splunk Windows Firewall Rule Creation (Windows Event Log)
Kusto Zero Networks Segement - Machine Removed from protection available

Impair Defenses: Disable or Modify Tools T1562.001 158 rules

Panther Anthropic IP Restriction Deleted
Panther Anthropic SSO Disabled
Elastic AppArmor Policy Interface Access production
Elastic AppArmor Policy Violation Detected production
Elastic AppArmor Profile Compilation via apparmor_parser production
Elastic Application Removed from Blocklist in Google Workspace production
Elastic Attempt to Clear Kernel Ring Buffer production
Elastic Attempt to Clear Logs via Journalctl production
Elastic Attempt to Disable Auditd Service production
Elastic Attempt to Disable IPTables or Firewall production
Elastic Attempt to Disable Syslog Service production
Elastic Attempt to Unload Elastic Endpoint Security Kernel Extension production
Elastic AWS Bedrock Automated Reasoning Safety Policy Tampering production
Elastic AWS Bedrock Guardrail Deleted or Weakened production
Panther AWS Bedrock Guardrail Updated or Deleted
Elastic AWS CloudTrail Log Deleted production
Elastic AWS CloudTrail Log Suspended production
Elastic AWS CloudWatch Alarm Deletion production
Elastic AWS CloudWatch Log Group Deletion production
Elastic AWS CloudWatch Log Stream Deletion production
Elastic AWS Config Resource Deletion production
Elastic AWS Configuration Recorder Stopped production
Elastic AWS EC2 Serial Console Access Enabled production
Elastic AWS EventBridge Rule Disabled or Deleted production
Elastic AWS GuardDuty Detector Deletion production
Elastic AWS GuardDuty Member Account Manipulation production
Elastic AWS S3 Bucket Configuration Deletion production
Kusto AWSCloudTrail - Amazon ECR image scanning disabled available
Elastic Azure Diagnostic Settings Alert Suppression Rule Created or Modified production
Elastic Azure Diagnostic Settings Deleted production
Elastic Azure Kubernetes Services (AKS) Kubernetes Events Deleted production
Panther Azure Network Watcher Deleted
Elastic Azure Resource Group Deleted production
Panther Azure Resource Lock Deleted
Panther Azure Storage Immutability Policy Deleted
Elastic Azure VNet Network Watcher Deleted production
Elastic BPF filter applied using TC production
Elastic BPF Program Tampering via bpftool production
Kusto Copilot - File Uploads Disabled available
Splunk Defender Registry Values Modified (Sysmon)
Splunk Defender Registry Values Modified (Windows Event Log)
Kusto Deleted a Custom Field Mapping profile available
Kusto Deleted a Tenant available
Elastic Deprecated - M365 Exchange DLP Policy Deleted production
Kusto Disable or Modify Windows Defender available
Elastic Disabling Lsa Protection via Registry Modification production
Elastic Disabling User Account Control via Registry Modification production
Elastic Disabling Windows Defender Security Settings via PowerShell production
Elastic DNS Global Query Block List Modified or Disabled production
Elastic Elastic Agent Service Terminated production
Elastic Elastic Defend Alert Followed by Telemetry Loss production
Elastic Gatekeeper Override and Execution production
Kusto GCP Audit Logs - Detect Bulk VM Snapshot Deletion available
Kusto GCP Audit Logs - Detect Organization Policy Deletion or Updation available
Kusto GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available
Kusto GCP Audit Logs - Open Firewall Rule Created or Modified available
Kusto GCP Audit Logs - VPC Flow Logs Disabled available
Kusto GCP Security Command Center - Detect DNSSEC disabled for DNS zones available
Panther GitHub Advanced Security Change WITHOUT Repo Archived
Elastic GitHub App Deleted production
YARA-L GitHub Dependabot Vulnerability Alerts Disabled
YARA-L GitHub Personal Access Token Auto Approve Policy Modified
Elastic GitHub Protected Branch Settings Changed production
YARA-L GitHub Repository Branch Protection Rules Disabled
Elastic GitHub Secret Scanning Disabled production
YARA-L GitHub Secret Scanning Disabled Or Bypassed
YARA-L GitHub SSO Configuration Modified
YARA-L GitHub Two-Factor Authentication Requirement Disabled
Elastic Google Workspace Bitlocker Setting Disabled production
YARA-L Google Workspace Marketplace Allowlist Configuration
Elastic Google Workspace Restrictions for Marketplace Modified to Allow Any App production
Elastic High Number of Process and/or Service Terminations production
Elastic High Number of Process Terminations production
Elastic Kernel Module Removal production
Elastic Kill Command Execution production
Panther Kubernetes Role With Node Proxy Permissions Created
Elastic M365 Exchange Anti-Phish Policy Deleted production
Elastic M365 Exchange Anti-Phish Rule Modification production
Elastic M365 Exchange DKIM Signing Configuration Disabled production
Elastic M365 Exchange Email Safe Attachment Rule Disabled production
Elastic M365 Exchange Email Safe Link Policy Disabled production
Elastic M365 Exchange Mail Flow Transport Rule Modified production
Elastic M365 Exchange Mailbox Audit Logging Bypass Added production
Elastic M365 Exchange Malware Filter Policy Deleted production
Elastic M365 Exchange Malware Filter Rule Modified production
Elastic M365 Security Compliance Admin Signal production building block
Elastic M365 SharePoint Site Sharing Policy Weakened production
Sigma macOS System Integrity Protection Modification Attempt experimental
Sigma macOS TCC Database Modification experimental
Sigma Microsoft Defender critical security components disabled (command) experimental
Sigma Microsoft Defender critical security components disabled (PowerShell) experimental
Sigma Microsoft Defender default action changed to allow any threat (command) experimental
Sigma Microsoft Defender default action changed to allow any threat (PowerShell) experimental
Sigma Microsoft Defender real time protection failure (native) experimental
Sigma Microsoft Defender security components disabled (command) experimental
Sigma Microsoft Defender security components disabled (PowerShell) experimental
Sigma Microsoft Defender service components status disabled (Registry via Sysmon) experimental
Sigma Microsoft Defender service deactivation attempt (command) experimental
Sigma Microsoft Defender threat exclusion added (native) experimental
Sigma Microsoft Defender threat exclusion added (PowerShell) experimental
Elastic Microsoft Windows Defender Tampering production
Elastic Modification of AmsiEnable Registry Key production
Elastic Modification of Safari Settings via Defaults Command production
Splunk Modify Windows Defender (EDR)
Splunk Modify Windows Defender (PowerShell)
Splunk Modify Windows Defender (Sysmon)
Splunk Modify Windows Defender (Windows Event Log)
Panther MongoDB security alerts disabled or deleted
Panther OpenAI IP Allowlist Configuration Changes
Panther OpenAI SCIM Configuration Change
Elastic Potential Antimalware Scan Interface Bypass via PowerShell production
Elastic Potential Disabling of AppArmor production
Elastic Potential Disabling of SELinux production
Elastic Potential Evasion via Filter Manager production
Elastic Potential Evasion via Windows Filtering Platform production
Elastic Potential Privacy Control Bypass via TCCDB Modification production
Elastic PowerShell Script with Windows Defender Tampering Capabilities production
Elastic Quarantine Attrib Removed by Unsigned or Untrusted Process production
YARA-L Reg Add Suspicious Paths
YARA-L sap hanadb deactivation of audit trail
YARA-L sap system or client configuration change
Elastic Scheduled Tasks AT Command Enabled production
Elastic SELinux Configuration Creation or Renaming production
Elastic Service Disabled via Registry Modification production building block
Splunk Service Stop Commands (PowerShell)
Splunk Service Stop Commands (Sysmon)
Splunk Service Stop Commands (Windows Event Log)
Sigma SIGKILL Sent to Security Tools experimental
Panther Slack DLP Modified
Panther Slack Information Barrier Modified
Panther Slack Legal Hold Policy Modified
Panther Slack Microsoft Intune Mobile Device Management Disabled
Elastic SoftwareUpdate Preferences Modification production
Elastic SolarWinds Process Disabling Services via Registry production
Kusto Starting or Stopping HealthService to Avoid Detection available
Panther Sublime Mailbox Deactivated
Panther Sublime Message Source Deleted Or Deactivated
Panther Sublime Rules Deleted Or Deactivated
Elastic Suspicious Antimalware Scan Interface DLL production
Elastic Suspicious Kernel Feature Activity production
Elastic Suspicious Write Attempt to AppArmor Policy Management Files production
Elastic Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners production
Elastic WDAC Policy File by an Unusual Process production
Splunk Windows - Service Stop (PowerShell)
Splunk Windows - Service Stop (Windows Event Log)
Splunk Windows Defender Disabled Detection (EDR)
Splunk Windows Defender Disabled Detection (PowerShell)
Splunk Windows Defender Disabled Detection (Sysmon)
Splunk Windows Defender Disabled Detection (Windows Event Log)
Elastic Windows Defender Disabled via Registry Modification production
Elastic Windows Defender Exclusions Added via PowerShell production
Panther Wiz CICD Scan Policy Updated Or Deleted
Panther Wiz Connector Updated Or Deleted
Panther Wiz Data Classifier Updated Or Deleted
Panther Wiz Image Integrity Validator Updated Or Deleted
Panther Wiz Integration Updated Or Deleted
Panther Wiz Rule Change
Panther Wiz Update Scanner Settings

Impair Defenses: Disable Windows Event Logging T1562.002 12 rules

Sigma Audit policy disabled by command line experimental
Sigma Audit policy disabled by command line experimental
Kusto CiscoISE - Log collector was suspended available
Elastic Clearing Windows Event Logs production
Elastic Disable Windows Event and Security Logs Using Built-in Tools production
Sigma Event log deactivation or size reduction (command) experimental
Elastic IIS HTTP Logging Disabled production
Sigma OCSP responder auditing settings changed or disabled experimental
Elastic PowerShell Script Block Logging Disabled production
Elastic Sensitive Audit Policy Sub-Category Disabled production
Sigma SQL Server auditing deactivated experimental
Sigma SQL Server database auditing deactivated experimental

Impair Defenses: Impair Command History Logging T1562.003 1 rule

Panther AWS Bedrock Model Invocation Logging Configuration Deleted

Impair Defenses: Disable or Modify System Firewall T1562.004 25 rules

Elastic Attempt to Disable IPTables or Firewall production
Panther AWS WAF Disassociation
Panther Azure Firewall Policy Deleted
Elastic Disable Windows Firewall Rules via Netsh production
Elastic Enable Host Network Discovery via Netsh production
Sigma Firewall deactivation (deprecated command) experimental
Sigma Firewall deactivation (firewall) experimental
Sigma Firewall deactivation (modern command) experimental
Sigma Firewall deactivation (PowerShell) experimental
Sigma Firewall Disabled experimental
Sigma Firewall rule added using PowerShell or CMD experimental
Sigma Firewall rule any/any created experimental
Sigma Firewall rule creation (command) experimental
Kusto GCP Audit Logs - Open Firewall Rule Created or Modified available
Sigma OpenSSH server firewall configuration on Windows (command) experimental
Sigma OpenSSH server firewall configuration on Windows (firewall) experimental
Sigma OpenSSH server firewall configuration on Windows (PowerShell) experimental
Elastic Potential Evasion via Windows Filtering Platform production
Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
Splunk Windows Firewall Disabled (PowerShell)
Splunk Windows Firewall Disabled (Sysmon)
Splunk Windows Firewall Disabled (Windows Event Log)
Elastic Windows Firewall Disabled via PowerShell production
Splunk Windows Firewall Rule Creation (PowerShell)
Splunk Windows Firewall Rule Creation (Windows Event Log)

Impair Defenses: Indicator Blocking T1562.006 8 rules

Elastic AWS CloudWatch Alarm Deletion production
Elastic Disable Windows Event and Security Logs Using Built-in Tools production
Splunk ETW Trace Provider Modified - PowerShell (PowerShell)
Elastic Kill Command Execution production
Elastic Sensitive Audit Policy Sub-Category Disabled production
Elastic Suspicious Kernel Feature Activity production
Elastic Windows Defender Disabled via Registry Modification production
Elastic Windows Defender Exclusions Added via PowerShell production

Impair Defenses: Disable or Modify Cloud Firewall T1562.007 53 rules

Sigma Attack protection features manipulation - some attack protection features have been disabled. experimental
Elastic Attempt to Deactivate an Okta Network Zone production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Deactivate an Okta Policy Rule production
Elastic Attempt to Delete an Okta Network Zone production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Delete an Okta Policy Rule production
Elastic Attempt to Modify an Okta Network Zone production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Modify an Okta Policy Rule production
Elastic AWS EC2 Network Access Control List Creation production
Elastic AWS EC2 Network Access Control List Deletion production
Elastic AWS EC2 Security Group Configuration Change production
Panther AWS RDS Instance Modified to be Publicly Accessible
Panther AWS RDS Security Group Ingress Authorized
Elastic AWS WAF Access Control List Deletion production
Elastic AWS WAF Rule or Rule Group Deletion production
Kusto AWSCloudTrail - Changes to Amazon VPC settings available
Kusto AWSCloudTrail - Changes to AWS Elastic Load Balancer security groups available
Kusto AWSCloudTrail - Changes to AWS Security Group ingress and egress settings available
Kusto AWSCloudTrail - Changes to internet facing AWS RDS Database instances available
Kusto AWSCloudTrail - Network ACL with all the open ports to a specified CIDR available
Panther Azure Network Security Configuration Modified or Deleted Experimental
Elastic Azure VNet Firewall Front Door WAF Policy Deleted production
Elastic Azure VNet Firewall Policy Deleted production
Sigma Bot detection - the feature is turned off completely or some policies. experimental
Sigma Breached Password Detection - critical settings manipulated experimental
Sigma Brute Force Protection - critical settings manipulated experimental
Kusto Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)
Kusto Conditional Access - A Conditional Access policy was deleted
Kusto Conditional Access - A Conditional Access policy was disabled
Kusto Conditional Access - A Conditional Access policy was put into report-only mode
Kusto Conditional Access - A new Conditional Access policy was created
Elastic Domain Added to Google Workspace Trusted Domains production
Sigma Excessive or unexpected Management API scope grants on applications experimental
Elastic GCP Firewall Rule Creation production
Elastic GCP Firewall Rule Deletion production
Elastic GCP Firewall Rule Modification production
Elastic GCP Virtual Private Cloud Network Deletion production
Elastic GCP Virtual Private Cloud Route Creation production
Elastic GCP Virtual Private Cloud Route Deletion production
YARA-L Google Workspace New Trusted Domain Added
Elastic Insecure AWS EC2 VPC Security Group Ingress Rule Added production
Sigma Insecure OAuth2.x flows have been enabled for some applications experimental
Sigma Loaded LiquidJS error page template contains XSS vulnerabilities experimental
Sigma MFA downgrade - adaptive MFA risk assessment disabled experimental
Sigma MFA downgrade - disable MFA policies by modifying the policies experimental
Sigma MFA downgrade - disable strong factors experimental
Panther OpenAI IP Allowlist Configuration Changes
Sigma Risk for misconfiguration - use of Auth0 tenant name URL. experimental
Sigma Suspicious IP Throttling - critical settings manipulated experimental
Sigma Unauthorized or Unexpected Enabling of Cross-Origin Authentication (CORS) experimental
Sigma Unrecognized IP in attack protection allowlists experimental

Impair Defenses: Disable or Modify Cloud Logs T1562.008 67 rules

Sigma Attempt To Delete A CloudTrail Log test
Sigma Attempt To Modify CloudTrail Log Settings test
Sigma Attempt To Stop CloudTrail Logging test
Elastic AWS Bedrock Model Invocation Logging Disabled or Modified production
Panther AWS CloudTrail Attempt To Leave Org
Elastic AWS CloudTrail Log Created production
Elastic AWS CloudTrail Log Deleted production
Elastic AWS CloudTrail Log Evasion production
Elastic AWS CloudTrail Log Suspended production
Elastic AWS CloudTrail Log Updated production
YARA-L AWS CloudTrail Logging Tampered
Panther AWS CloudTrail Retention Lifecycle Too Short
Elastic AWS CloudWatch Log Group Deletion production
Elastic AWS CloudWatch Log Stream Deletion production
Elastic AWS Config Resource Deletion production
YARA-L AWS Config Service Modified
Elastic AWS Configuration Recorder Stopped production
YARA-L AWS Delete CloudWatch Log Group
YARA-L AWS Delete VPC Flow Logs
Panther AWS DNS Logs Deleted
Elastic AWS EKS Control Plane Logging Disabled production
YARA-L AWS IAM Access Analyzer Deleted
Panther AWS RDS Activity Stream Stopped
Elastic AWS Route 53 Resolver Query Log Configuration Deleted production
Elastic AWS S3 Bucket Configuration Deletion production
Elastic AWS S3 Bucket Expiration Lifecycle Configuration Added production
Elastic AWS S3 Bucket Server Access Logging Disabled production
Kusto AWS Security Hub - Detect CloudTrail trails lacking KMS encryption available
Elastic AWS SQS Queue Purge production
Elastic AWS VPC Flow Logs Deletion production
Panther AWS VPC Flow Logs Removed Experimental
Kusto AWSCloudTrail - Config Service Resource Deletion Attempts available
Kusto AWSCloudTrail - Tampering to AWS CloudTrail logs available
Panther Azure Action Groups Deleted
Panther Azure Alert Rules Deleted
Kusto Azure DevOps Audit Stream Disabled available
Elastic Azure Diagnostic Settings Deleted production
Panther Azure Diagnostic Settings Deleted
Kusto Azure Diagnostic settings removed from a resource
Elastic Azure Event Hub Deleted production
Panther Azure Event Hub Deleted
Elastic Azure Kubernetes Services (AKS) Kubernetes Events Deleted production
Panther Azure Log Analytics Workspace Deleted
Elastic Azure VNet Network Watcher Deleted production
Kusto BTP - Audit log service unavailable available
Panther Carbon Black Data Forwarder Stopped
Sigma CloudTrail Log Deleted test
Sigma CloudTrail Log Settings Modified test
Sigma CloudTrail Logging Stopped test
Panther Databricks High Priority Configuration Changes Experimental
Panther Databricks Verbose Audit Logging Disabled Experimental
Kusto GCP Audit Logs - Data Access Logging Exemption Added for Principal available
YARA-L GCP Cloud Audit Logging Removed From All Services
YARA-L GCP Exempt Principals From Audit Log
Elastic GCP Logging Bucket Deletion production
Elastic GCP Logging Sink Deletion production
Elastic GCP Logging Sink Modification production
YARA-L GitHub Enterprise Audit Log Stream Destroyed
YARA-L GitHub Enterprise Audit Log Stream Modified
Panther MongoDB logging toggled
Kusto NRT Azure DevOps Audit Stream Disabled available
YARA-L Office 365 logging has been enabled
YARA-L Office 365 logging is disabled
Panther Slack EKM Config Changed
Panther ZIA Backup Deleted
Panther ZIA Golden Restore Point Dropped
Panther ZIA Log Streaming Disabled

Impair Defenses: Downgrade Attack T1562.010 5 rules

Elastic Network-Level Authentication (NLA) Disabled production
Sigma NTLM downgrade attack (Reg via SYSMON) experimental
Elastic Potential HTTP Downgrade Attack production
Elastic Potential NetNTLMv1 Downgrade Attack production
Sigma SMB insecure guest authentication activated (native) experimental

Hide Artifacts T1564 137 rules

Elastic Adding Hidden File Attribute via Attrib production
Elastic Alternate Data Stream Creation/Execution at Volume Root Directory production
Panther AppOmni Alert Passthrough
Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Splunk Attrib.exe Metasploit File Dropper (EDR)
Splunk Attrib.exe Metasploit File Dropper (Sysmon)
Splunk Attrib.exe Metasploit File Dropper (Windows Event Log)
Kusto Azure DevOps Retention Reduced available
Panther Azure Policy DeployIfNotExists Action Triggered
Sigma Browser Execution In Headless Mode test
Sigma Cmd Launched with Hidden Start Flags to Suspicious Targets experimental
Sigma CrashControl CrashDump Disabled test
Elastic Creation of a Hidden Local User Account production
Elastic Creation of Hidden Files and Directories via CommandLine production
Elastic Creation of Hidden Launch Agent or Daemon production
Elastic Creation of Hidden Shared Object File production
Sigma Detection of default a Windows host name in login attempts experimental
Elastic Directory Creation in /bin directory production
Splunk Disable Show Hidden Files production
Sigma Displaying Hidden Files Feature Disabled test
Splunk Esentutl Execution (PowerShell)
Splunk Esentutl Execution (Sysmon)
Splunk Esentutl Execution (Windows Event Log)
Elastic Executable Masquerading as Kernel Process production
Sigma Execute From Alternate Data Streams test
Splunk Expand.exe Execution (PowerShell)
Splunk Expand.exe Execution (Sysmon)
Splunk Expand.exe Execution (Windows Event Log)
Sigma Exports Registry Key To an Alternate Data Stream test
Sigma Extended rights backdoor obfuscation (via localizationDisplayId attribute) experimental
Kusto Fake computer account created
Elastic File Creation in /var/log via Suspicious Process production
Sigma File Download with Headless Browser test
Elastic File Staged in Root Folder of Recycle Bin production building block
Sigma HackTool - Covenant PowerShell Launcher test
Sigma HackTool Named File Stream Created test
Splunk Headless Browser Mockbin or Mocky Request production
Splunk Headless Browser Usage production
Elastic Hidden Directory Creation via Unusual Parent production
Sigma Hidden Executable In NTFS Alternate Data Stream test
Sigma Hidden Files and Directories test
Elastic Hidden Files and Directories via Hidden Flag production
Sigma Hidden Flag Set On File/Directory Via Chflags - MacOS test
Splunk Hidden User Created - Windows (Sysmon)
Splunk Hidden User Created - Windows (Windows Event Log)
Sigma Hidden User Creation test
Sigma Hiding Files with Attrib.exe test
Sigma Hiding User Account Via SpecialAccounts Registry Key test
Sigma Hiding User Account Via SpecialAccounts Registry Key - CommandLine test
Elastic High Number of Egress Network Connections from Unusual Executable production
Sigma Inbox Rules Creation Or Update Activity in O365 experimental
Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
Kusto Ingress Tool Transfer - Certutil available
Sigma Insensitive Subfolder Search Via Findstr.EXE test
Elastic Kill Command Execution production
Elastic M365 Exchange Inbox Phishing Evasion Rule Created production
Elastic M365 Exchange Inbox Rule with Obfuscated Name production
Splunk MacOS Hidden Files and Directories production
Sigma Mail Forwarding/Redirecting Activity In O365 test
Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
Kusto Malware in the recycle bin available
Kusto Malware in the recycle bin (Normalized Process Events)
Kusto Missing Domain Controller Heartbeat
Sigma Mount Execution With Hidepid Parameter test
Sigma NTFS Alternate Data Stream test
Splunk O365 BEC Email Hiding Rule Created production
Splunk O365 Email New Inbox Rule Created production
Splunk O365 Email Transport Rule Changed production
Splunk Parent in Public Folder Suspicious Process (Sysmon)
Splunk Parent in Public Folder Suspicious Process (Windows Event Log)
Elastic Persistence via a Hidden Plist Filename production
Elastic Persistence via Hidden Run Key Detected production
Sigma Potential Data Stealing Via Chromium Headless Debugging test
Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream test
Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI test
Elastic Potential Hidden Local User Account Creation production
Elastic Potential Hidden Process via Mount Hidepid production
Elastic Potential Kubectl Masquerading via Unexpected Process production
Sigma Potential Rundll32 Execution With DLL Stored In ADS test
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Potentially Suspicious Execution From Parent Process In Public Folder test
Sigma Powershell Executed From Headless ConHost Process test
Splunk PowerShell Hidden Window (PowerShell)
Splunk PowerShell Hidden Window (Windows Event Log)
Sigma PowerShell Logging Disabled Via Registry Key Tampering test
Sigma Powershell Store File In Alternate Data Stream test
Sigma PrintBrm ZIP Creation of Extraction test
Elastic Process Backgrounded by Unusual Parent production
Sigma PUA - AdvancedRun Execution test
Sigma PUA - Process Hacker Execution test
Sigma PUA - System Informer Execution test
Sigma Registry Persistence via Service in Safe Mode test
Sigma Remote File Download Via Findstr.EXE test
Sigma Run PowerShell Script from ADS test
YARA-L sap data changed during debugging
Elastic Service DACL Modification via sc.exe production
Sigma Set Files as System Files Using Attrib.EXE test
Sigma Set Suspicious Files as System Files Using Attrib.EXE test
Sigma Suspicious Creation with Colorcpl test
Sigma Suspicious Diantz Alternate Data Stream Execution test
Sigma Suspicious Executable File Creation test
Sigma Suspicious Extrac32 Alternate Data Stream Execution test
Sigma Suspicious File Download From File Sharing Websites - File Stream test
Elastic Suspicious Hidden Child Process of Launchd production
Sigma Suspicious Hyper-V Cmdlets test
Elastic Suspicious Path Invocation from Command Line production
Elastic Suspicious Path Mounted production
Sigma Suspicious PowerShell WindowStyle Option test
Elastic Suspicious Process Execution Detected via Defend for Containers production
Sigma Sysmon Configuration Error test
Sigma Sysmon Configuration Modification test
Elastic System Binary Moved or Copied production
Elastic System Binary Symlink to Suspicious Location production
Elastic Unusual File Creation - Alternate Data Stream production
Sigma Unusual File Download from Direct IP Address test
Sigma Unusual File Download From File Sharing Websites - File Stream test
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Login via System User production
Elastic Unusual Process Execution Path - Alternate Data Stream production
Sigma Use Icacls to Hide File to Everyone test
Sigma Use NTFS Short Name in Command Line test
Sigma Use NTFS Short Name in Image test
Sigma Use Short Name Path in Command Line test
Sigma Use Short Name Path in Image test
Sigma Virtualbox Driver Installation or Starting of VMs test
Splunk Windows Alternate DataStream - Base64 Content production
Splunk Windows Alternate DataStream - Executable Content production
Splunk Windows Alternate DataStream - Process Execution production
Splunk Windows ConHost with Headless Argument production
Splunk Windows New Deny Permission Set On Service SD Via Sc.EXE production
Splunk Windows New Service Security Descriptor Set Via Sc.EXE production
Elastic Windows Sandbox with Sensitive Configuration production
Sigma Windows Subsystem for Linux (WSL) installation (command) experimental
Sigma Windows Subsystem for Linux (WSL) installation (PowerShell) experimental
Sigma Windows Subsystem for Linux (WSL) package turned on (native) experimental
Splunk Windows Suspicious QEMU Execution production
Splunk Windows SymbolicLink-Testing-Tools Utility Execution production

Hide Artifacts: Hidden Files and Directories T1564.001 28 rules

Elastic Adding Hidden File Attribute via Attrib production
Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Elastic Creation of Hidden Files and Directories via CommandLine production
Elastic Creation of Hidden Launch Agent or Daemon production
Elastic Creation of Hidden Shared Object File production
Elastic Directory Creation in /bin directory production
Splunk Disable Show Hidden Files production
Sigma Displaying Hidden Files Feature Disabled test
Elastic File Creation in /var/log via Suspicious Process production
Elastic File Staged in Root Folder of Recycle Bin production building block
Elastic Hidden Directory Creation via Unusual Parent production
Sigma Hidden Files and Directories test
Elastic Hidden Files and Directories via Hidden Flag production
Sigma Hiding Files with Attrib.exe test
Elastic High Number of Egress Network Connections from Unusual Executable production
Elastic Kill Command Execution production
Sigma macOS ESF Rename To Hidden Dotfile experimental
Splunk MacOS Hidden Files and Directories production
Elastic Persistence via a Hidden Plist Filename production
Elastic Potential Hidden Process via Mount Hidepid production
Elastic Potential Kubectl Masquerading via Unexpected Process production
Sigma PowerShell Logging Disabled Via Registry Key Tampering test
Sigma Registry Persistence via Service in Safe Mode test
Sigma Set Files as System Files Using Attrib.EXE test
Sigma Set Suspicious Files as System Files Using Attrib.EXE test
Elastic Suspicious Hidden Child Process of Launchd production
Elastic Suspicious Process Execution Detected via Defend for Containers production
Sigma Use Icacls to Hide File to Everyone test

Hide Artifacts: Hidden Users T1564.002 10 rules

Elastic Creation of a Hidden Local User Account production
Splunk Hidden User Created - Windows (Sysmon)
Splunk Hidden User Created - Windows (Windows Event Log)
Sigma Hidden User Creation test
Sigma Hiding User Account Via SpecialAccounts Registry Key test
Sigma Hiding User Account Via SpecialAccounts Registry Key - CommandLine test
Elastic Potential Hidden Local User Account Creation production
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Unusual Interactive Shell Launched from System User production
Elastic Unusual Login via System User production

Hide Artifacts: Hidden Window T1564.003 13 rules

Sigma Browser Execution In Headless Mode test
Sigma Cmd Launched with Hidden Start Flags to Suspicious Targets experimental
Sigma File Download with Headless Browser test
Sigma HackTool - Covenant PowerShell Launcher test
Splunk Headless Browser Mockbin or Mocky Request production
Splunk Headless Browser Usage production
Sigma Potential Data Stealing Via Chromium Headless Debugging test
Sigma Powershell Executed From Headless ConHost Process test
Splunk PowerShell Hidden Window (PowerShell)
Splunk PowerShell Hidden Window (Windows Event Log)
Sigma PUA - AdvancedRun Execution test
Sigma Suspicious PowerShell WindowStyle Option test
Splunk Windows ConHost with Headless Argument production

Hide Artifacts: NTFS File Attributes T1564.004 34 rules

Elastic Alternate Data Stream Creation/Execution at Volume Root Directory production
Sigma Execute From Alternate Data Streams test
Splunk Expand.exe Execution (PowerShell)
Splunk Expand.exe Execution (Sysmon)
Splunk Expand.exe Execution (Windows Event Log)
Sigma Exports Registry Key To an Alternate Data Stream test
Sigma HackTool Named File Stream Created test
Sigma Hidden Executable In NTFS Alternate Data Stream test
Sigma Hidden Flag Set On File/Directory Via Chflags - MacOS test
Kusto Ingress Tool Transfer - Certutil available
Sigma Insensitive Subfolder Search Via Findstr.EXE test
Sigma NTFS Alternate Data Stream test
Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream test
Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI test
Sigma Potential Rundll32 Execution With DLL Stored In ADS test
Sigma Powershell Store File In Alternate Data Stream test
Sigma PrintBrm ZIP Creation of Extraction test
Sigma Remote File Download Via Findstr.EXE test
Sigma Run PowerShell Script from ADS test
Sigma Suspicious Diantz Alternate Data Stream Execution test
Sigma Suspicious Extrac32 Alternate Data Stream Execution test
Sigma Suspicious File Download From File Sharing Websites - File Stream test
Elastic Unusual File Creation - Alternate Data Stream production
Sigma Unusual File Download from Direct IP Address test
Sigma Unusual File Download From File Sharing Websites - File Stream test
Elastic Unusual Process Execution Path - Alternate Data Stream production
Sigma Use NTFS Short Name in Command Line test
Sigma Use NTFS Short Name in Image test
Sigma Use Short Name Path in Command Line test
Sigma Use Short Name Path in Image test
Splunk Windows Alternate DataStream - Base64 Content production
Splunk Windows Alternate DataStream - Executable Content production
Splunk Windows Alternate DataStream - Process Execution production
Splunk Windows SymbolicLink-Testing-Tools Utility Execution production

Hide Artifacts: Run Virtual Instance T1564.006 9 rules

Sigma Detection of default a Windows host name in login attempts experimental
Sigma Suspicious Hyper-V Cmdlets test
Sigma Virtualbox Driver Installation or Starting of VMs test
Splunk Windows ConHost with Headless Argument production
Elastic Windows Sandbox with Sensitive Configuration production
Sigma Windows Subsystem for Linux (WSL) installation (command) experimental
Sigma Windows Subsystem for Linux (WSL) installation (PowerShell) experimental
Sigma Windows Subsystem for Linux (WSL) package turned on (native) experimental
Splunk Windows Suspicious QEMU Execution production

Hide Artifacts: Email Hiding Rules T1564.008 9 rules

Sigma Inbox Rules Creation Or Update Activity in O365 experimental
Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
Elastic M365 Exchange Inbox Phishing Evasion Rule Created production
Elastic M365 Exchange Inbox Rule with Obfuscated Name production
Sigma Mail Forwarding/Redirecting Activity In O365 test
Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
Splunk O365 BEC Email Hiding Rule Created production
Splunk O365 Email New Inbox Rule Created production
Splunk O365 Email Transport Rule Changed production

Hijack Execution Flow T1574 246 rules

Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
Elastic APT Package Manager Configuration File Creation production
Sigma APT27 - Emissary Panda Activity test
Sigma Aruba Network Service Potential DLL Sideloading test
Elastic Boot File Copy production
Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
Sigma Code Injection by ld.so Preload test
Kusto COM Registry Key Modified to Point to File in Color Profile Folder
Sigma Creation Of Non-Existent System DLL test
Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
Kusto Dataverse - TI map URL to DataverseActivity available
Elastic Deprecated - Adobe Hijack Persistence production
Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
Splunk Detect Path Interception By Creation Of program exe production
Kusto Detect Suspicious Commands Initiated by Webserver Processes available
Sigma DHCP Callout DLL Installation test
Sigma DHCP Server Error Failed Loading the CallOut DLL test
Sigma DHCP Server Loaded the CallOut DLL test
Sigma Diamond Sleet APT DLL Sideloading Indicators test
Sigma DLL Execution Via Register-cimprovider.exe test
Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
Sigma DLL Search Order Hijackig Via Additional Space in Path test
Sigma DLL ServerLevelPluginDll command installation experimental
Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
Sigma DLL Sideloading by VMware Xfer Utility test
Sigma DLL Sideloading Of ShellChromeAPI.DLL test
Elastic DNF Package Manager Plugin File Creation production
Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
Elastic DPKG Package Installed by Unusual Parent Process production
Elastic Dracut Module Creation production
Elastic Dylib Injection via Process Environment Variables production
Elastic Dynamic Linker (ld.so) Creation production
Elastic Dynamic Linker Copy production
Elastic Dynamic Linker Creation production
Elastic Dynamic Linker Modification Detected via Defend for Containers production
Sigma Enabling COR Profiler Environment Variables test
Elastic Execution via local SxS Shared Module production
Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
Sigma Fax Service DLL Search Order Hijack test
Elastic Git Hook Child Process production
Elastic Git Hook Command Execution production
Elastic Git Hook Created or Modified production
Elastic Git Hook Egress Network Connection production
Splunk GitHub Workflow File Creation or Modification production
Elastic GRUB Configuration File Creation production
Elastic GRUB Configuration Generation through Built-in Utilities production
Sigma HackTool - Powerup Write Hijack DLL test
Sigma HackTool - SharpUp PrivEsc Tool Execution test
Kusto Hijack Execution Flow - DLL Side-Loading available
Elastic Initramfs Extraction via CPIO production
Elastic Initramfs Unpacking via unmkinitramfs production
Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
Sigma Lazarus APT DLL Sideloading Activity test
Splunk Linux Auditd Preload Hijack Library Calls production
Splunk Linux Auditd Preload Hijack Via Preload File production
Splunk Linux Preload Hijack Library Calls production
Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
Sigma Microsoft Office DLL Sideload test
Sigma Mimispool printer driver installation (PrintNightmare vulnerability - CVE-2021-36958) experimental
Elastic Modification of Dynamic Linker Preload Shared Object production
Elastic Modification of Environment Variable via Unsigned or Untrusted Parent production
Sigma Modification of ld.so.preload test
Splunk MSI Module Loaded by Non-System Binary production
Splunk Msmpeng Application DLL Side Loading production
Elastic NetworkManager Dispatcher Script Creation production
Sigma New DNS ServerLevelPluginDll Installed test
Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
Elastic Node.js Pre or Post-Install Script Execution production
Elastic Persistence via DirectoryService Plugin Modification production
Elastic Persistence via TelemetryController Scheduled Task Hijack production
Elastic Persistence via Update Orchestrator Service Hijack production
Sigma Pingback Backdoor Activity test
Sigma Pingback Backdoor DLL Loading Activity test
Sigma Pingback Backdoor File Indicators test
Elastic Pod or Container Creation with Suspicious Command-Line production
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Sigma Possible Privilege Escalation via Weak Service Permissions test
Sigma Potential 7za.DLL Sideloading test
Sigma Potential Antivirus Software DLL Sideloading test
Sigma Potential appverifUI.DLL Sideloading test
Sigma Potential AVKkid.DLL Sideloading test
Sigma Potential Azure Browser SSO Abuse test
Sigma Potential CCleanerDU.DLL Sideloading test
Sigma Potential CCleanerReactivator.DLL Sideloading test
Sigma Potential Chrome Frame Helper DLL Sideloading test
Elastic Potential CVE-2025-32463 Nsswitch File Creation production
Elastic Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt production
Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
Sigma Potential DLL Sideloading Of DBGCORE.DLL test
Sigma Potential DLL Sideloading Of DBGHELP.DLL test
Sigma Potential DLL Sideloading Of DbgModel.DLL test
Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
Sigma Potential DLL Sideloading Of MpSvc.DLL test
Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
Sigma Potential DLL Sideloading Via comctl32.dll test
Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
Sigma Potential DLL Sideloading Via JsSchHlp test
Sigma Potential DLL Sideloading Via VMware Xfer test
Sigma Potential EACore.DLL Sideloading test
Sigma Potential Edputil.DLL Sideloading test
Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
Sigma Potential Goopdate.DLL Sideloading test
Sigma Potential Initial Access via DLL Search Order Hijacking test
Sigma Potential Iviewers.DLL Sideloading test
Sigma Potential JLI.dll Side-Loading experimental
Sigma Potential Libvlc.DLL Sideloading test
Elastic Potential Masquerading as System32 DLL production building block
Sigma Potential Mfdetours.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Persistence via File Modification production
Sigma Potential PlugX Activity test
Sigma Potential PrintNightmare Exploitation Attempt test
Elastic Potential privilege escalation via CVE-2022-38028 production
Elastic Potential Privilege Escalation via InstallerFileTakeOver production
Elastic Potential Privilege Escalation via PKEXEC production
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma Potential Privilege Escalation via Service Permissions Weakness test
Sigma Potential Python DLL SideLoading test
Sigma Potential Raspberry Robin Aclui Dll SideLoading test
Sigma Potential Rcdll.DLL Sideloading test
Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger test
Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
Sigma Potential RoboForm.DLL Sideloading test
Sigma Potential ShellDispatch.DLL Sideloading test
Sigma Potential SmadHook.DLL Sideloading test
Elastic Potential snap-confine Privilege Escalation via CVE-2026-3888 production
Sigma Potential SolidPDFCreator.DLL Sideloading test
Elastic Potential Sudo Hijacking production
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential Suspicious File Edit production
Sigma Potential System DLL Sideloading From Non System Locations test
Sigma Potential Vcruntime140 DLL Sideloading experimental
Sigma Potential Vivaldi_elf.DLL Sideloading test
Sigma Potential Waveedit.DLL Sideloading test
Sigma Potential Wazuh Security Platform DLL Sideloading test
Elastic Potential Windows Session Hijacking via CcmExec production
Sigma Potential WWlib.DLL Sideloading test
Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Windir Environment Variable production
Elastic Python Path File (pth) Creation production
Elastic Python Site or User Customize File Creation production
Splunk Reg exe Manipulating Windows Services Registry Keys production
Sigma Registry Modification for OCI DLL Redirection experimental
Sigma Registry-Free Process Scope COR_PROFILER test
Sigma Regsvr32 DLL Execution With Uncommon Extension test
Sigma Renamed Vmnat.exe Execution test
Elastic RPM Package Installed by Unusual Parent Process production
Sigma Service abuse with malicious ImagePath (Reg via command) experimental
Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental
Sigma Service Registry Key Read Access Request test
Sigma Service Registry Permissions Weakness Check test
Sigma Service Security Descriptor Tampering Via Sc.EXE test
Sigma Setup16.EXE Execution With Custom .Lst File test
Splunk Shai-Hulud Workflow File Creation or Modification production
Elastic Shared Object Created by Previously Unknown Process production
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Small Sieve Malware CommandLine Indicator test
Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
Elastic Suspicious Antimalware Scan Interface DLL production
Elastic Suspicious APT Package Manager Execution production
Elastic Suspicious APT Package Manager Network Connection production
Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
Elastic Suspicious Dynamic Linker Discovery via od production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Sigma Suspicious GUP Usage test
Elastic Suspicious Kworker UID Elevation production
Elastic Suspicious Microsoft Antimalware Service Execution production
Elastic Suspicious Network Connection via systemd production
Elastic Suspicious Path Invocation from Command Line production
Elastic Suspicious Print Spooler Point and Print DLL production
Sigma Suspicious Printer Driver Empty Manufacturer test
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
Elastic Suspicious Symbolic Link Created production
Sigma Suspicious Unsigned Thor Scanner Execution stable
Elastic System Binary Symlink to Suspicious Location production
Sigma System Control Panel Item Loaded From Uncommon Location test
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma Tasks Folder Evasion test
Sigma Third Party Software DLL Sideloading test
Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
Elastic UAC Bypass Attempt via Privileged IFileOperation COM Interface production
Sigma UAC Bypass With Fake DLL test
Elastic UID Elevation from Previously Unknown Executable production
Sigma Unsigned .node File Loaded experimental
Sigma Unsigned Binary Loaded From Suspicious Location test
Elastic Unsigned DLL Loaded by a Trusted Process production building block
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
Sigma Unsigned Mfdetours.DLL Sideloading test
Sigma Unsigned Module Loaded by ClickOnce Application test
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Elastic Unusual DPKG Execution production
Elastic Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
Elastic Unusual Persistence via Services Registry production
Elastic Unusual Preload Environment Variable Process Execution production
Elastic Unusual Process Modifying GenAI Configuration File production
Sigma Use Of Hidden Paths Or Files test
Sigma Using SettingSyncHost.exe as LOLBin test
Sigma VMGuestLib DLL Sideload test
Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
Splunk Windows BitDefender Submission Wizard DLL Sideloading experimental
Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
Splunk Windows DLL Search Order Hijacking with iscsicpl production
Splunk Windows DLL Side-Loading In Calc production
Splunk Windows DLL Side-Loading Process Child Of Calc production
Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production
Splunk Windows Hijack Execution Flow Version Dll Side Load production
Splunk Windows Known Abused DLL Created production
Splunk Windows Known Abused DLL Loaded Suspiciously production
Splunk Windows Known GraphicalProton Loaded Modules production
Splunk Windows Masquerading Explorer As Child Process production
Splunk Windows Mock Trusted Directory MSC File Creation production
Splunk Windows Mustang Panda USB Tool Execution production
Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production
Splunk Windows PowerShell Module File Created production
Splunk Windows Rundll32 Execution With Log.DLL production
Splunk Windows Service Creation Using Registry Entry production
Splunk Windows Set Custom DNS ServerLevelPlugin Via Dnscmd production
Sigma Windows Spooler Service Suspicious Binary Load test
Splunk Windows SqlWriter SQLDumper DLL Sideload production
Splunk Windows Unsigned DLL Side-Loading production
Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
Splunk Windows Unsigned MS DLL Side-Loading production
Sigma Winnti Malware HK University Campaign test
Sigma Winnti Pipemon Characteristics stable
Elastic WPS Office Exploitation via DLL Hijack production
Sigma Xwizard.EXE Execution From Non-Default Location test
Elastic Yum Package Manager Plugin File Creation production

Hijack Execution Flow: DLL T1574.001 123 rules

Sigma APT27 - Emissary Panda Activity test
Sigma Aruba Network Service Potential DLL Sideloading test
Sigma Creation Of Non-Existent System DLL test
Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
Sigma DHCP Callout DLL Installation test
Sigma DHCP Server Error Failed Loading the CallOut DLL test
Sigma DHCP Server Loaded the CallOut DLL test
Sigma Diamond Sleet APT DLL Sideloading Indicators test
Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
Sigma DLL Search Order Hijackig Via Additional Space in Path test
Sigma DLL Sideloading by VMware Xfer Utility test
Sigma DLL Sideloading Of ShellChromeAPI.DLL test
Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
Elastic Execution via local SxS Shared Module production
Sigma Fax Service DLL Search Order Hijack test
Sigma HackTool - Powerup Write Hijack DLL test
Sigma Lazarus APT DLL Sideloading Activity test
Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
Sigma Microsoft Office DLL Sideload test
Splunk MSI Module Loaded by Non-System Binary production
Splunk Msmpeng Application DLL Side Loading production
Sigma New DNS ServerLevelPluginDll Installed test
Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
Sigma Pingback Backdoor Activity test
Sigma Pingback Backdoor DLL Loading Activity test
Sigma Pingback Backdoor File Indicators test
Sigma Potential 7za.DLL Sideloading test
Sigma Potential Antivirus Software DLL Sideloading test
Sigma Potential appverifUI.DLL Sideloading test
Sigma Potential AVKkid.DLL Sideloading test
Sigma Potential Azure Browser SSO Abuse test
Sigma Potential CCleanerDU.DLL Sideloading test
Sigma Potential CCleanerReactivator.DLL Sideloading test
Sigma Potential Chrome Frame Helper DLL Sideloading test
Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
Sigma Potential DLL Sideloading Of DBGCORE.DLL test
Sigma Potential DLL Sideloading Of DBGHELP.DLL test
Sigma Potential DLL Sideloading Of DbgModel.DLL test
Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
Sigma Potential DLL Sideloading Of MpSvc.DLL test
Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
Sigma Potential DLL Sideloading Via comctl32.dll test
Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
Sigma Potential DLL Sideloading Via JsSchHlp test
Sigma Potential DLL Sideloading Via VMware Xfer test
Sigma Potential EACore.DLL Sideloading test
Sigma Potential Edputil.DLL Sideloading test
Sigma Potential Goopdate.DLL Sideloading test
Sigma Potential Initial Access via DLL Search Order Hijacking test
Sigma Potential Iviewers.DLL Sideloading test
Sigma Potential JLI.dll Side-Loading experimental
Sigma Potential Libvlc.DLL Sideloading test
Elastic Potential Masquerading as System32 DLL production building block
Sigma Potential Mfdetours.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading test
Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
Sigma Potential PlugX Activity test
Sigma Potential Python DLL SideLoading test
Sigma Potential Raspberry Robin Aclui Dll SideLoading test
Sigma Potential Rcdll.DLL Sideloading test
Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
Sigma Potential RoboForm.DLL Sideloading test
Sigma Potential ShellDispatch.DLL Sideloading test
Sigma Potential SmadHook.DLL Sideloading test
Sigma Potential SolidPDFCreator.DLL Sideloading test
Sigma Potential System DLL Sideloading From Non System Locations test
Sigma Potential Vcruntime140 DLL Sideloading experimental
Sigma Potential Vivaldi_elf.DLL Sideloading test
Sigma Potential Waveedit.DLL Sideloading test
Sigma Potential Wazuh Security Platform DLL Sideloading test
Elastic Potential Windows Session Hijacking via CcmExec production
Sigma Potential WWlib.DLL Sideloading test
Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Registry Modification for OCI DLL Redirection experimental
Sigma Renamed Vmnat.exe Execution test
Sigma Small Sieve Malware CommandLine Indicator test
Elastic Suspicious Antimalware Scan Interface DLL production
Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
Sigma Suspicious GUP Usage test
Elastic Suspicious Microsoft Antimalware Service Execution production
Sigma Suspicious Unsigned Thor Scanner Execution stable
Sigma System Control Panel Item Loaded From Uncommon Location test
Sigma Tasks Folder Evasion test
Sigma Third Party Software DLL Sideloading test
Elastic UAC Bypass Attempt via Privileged IFileOperation COM Interface production
Sigma UAC Bypass With Fake DLL test
Sigma Unsigned .node File Loaded experimental
Sigma Unsigned Binary Loaded From Suspicious Location test
Elastic Unsigned DLL Loaded by a Trusted Process production building block
Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
Sigma Unsigned Mfdetours.DLL Sideloading test
Sigma Unsigned Module Loaded by ClickOnce Application test
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Sigma Use Of Hidden Paths Or Files test
Sigma VMGuestLib DLL Sideload test
Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
Splunk Windows DLL Search Order Hijacking with iscsicpl production
Splunk Windows DLL Side-Loading In Calc production
Splunk Windows DLL Side-Loading Process Child Of Calc production
Splunk Windows Hijack Execution Flow Version Dll Side Load production
Splunk Windows Known Abused DLL Created production
Splunk Windows Known Abused DLL Loaded Suspiciously production
Splunk Windows Known GraphicalProton Loaded Modules production
Splunk Windows Masquerading Explorer As Child Process production
Splunk Windows Mustang Panda USB Tool Execution production
Splunk Windows SqlWriter SQLDumper DLL Sideload production
Splunk Windows Unsigned DLL Side-Loading production
Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
Splunk Windows Unsigned MS DLL Side-Loading production
Sigma Winnti Malware HK University Campaign test
Sigma Winnti Pipemon Characteristics stable
Elastic WPS Office Exploitation via DLL Hijack production
Sigma Xwizard.EXE Execution From Non-Default Location test

Hijack Execution Flow: DLL Side-Loading T1574.002 11 rules

Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma DLL ServerLevelPluginDll command installation experimental
Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
Kusto Hijack Execution Flow - DLL Side-Loading available
Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
Sigma Mimispool printer driver installation (PrintNightmare vulnerability - CVE-2021-36958) experimental
Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental

Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule

Kusto Powershell Empire Cmdlets Executed in Command Line available

Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005 2 rules

Sigma HackTool - SharpUp PrivEsc Tool Execution test
Sigma Setup16.EXE Execution With Custom .Lst File test

Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 24 rules

Sigma Code Injection by ld.so Preload test
Elastic Dylib Injection via Process Environment Variables production
Elastic Dynamic Linker (ld.so) Creation production
Elastic Dynamic Linker Copy production
Elastic Dynamic Linker Creation production
Elastic Dynamic Linker Modification Detected via Defend for Containers production
Splunk GitHub Workflow File Creation or Modification production
Splunk Linux Auditd Preload Hijack Library Calls production
Splunk Linux Auditd Preload Hijack Via Preload File production
Splunk Linux Preload Hijack Library Calls production
Elastic Modification of Dynamic Linker Preload Shared Object production
Elastic Modification of Environment Variable via Unsigned or Untrusted Parent production
Sigma Modification of ld.so.preload test
Elastic Pod or Container Creation with Suspicious Command-Line production
Elastic Potential CVE-2025-32463 Nsswitch File Creation production
Elastic Potential Persistence via File Modification production
Elastic Potential Privilege Escalation via PKEXEC production
Elastic Potential Suspicious File Edit production
Splunk Shai-Hulud Workflow File Creation or Modification production
Elastic Shared Object Created by Previously Unknown Process production
Elastic Suspicious Dynamic Linker Discovery via od production
Elastic Suspicious Echo or Printf Execution Detected via Defend for Containers production
Elastic Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments production
Elastic Unusual Preload Environment Variable Process Execution production

Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 9 rules

Kusto DLL Hijacking: Loading from an Unusual Directory
Elastic Modification of Environment Variable via Unsigned or Untrusted Parent production
Elastic Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt production
Elastic Potential Privilege Escalation via PKEXEC production
Sigma Potential Suspicious Activity Using SeCEdit test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Privilege Escalation via Windir Environment Variable production
Elastic Suspicious Path Invocation from Command Line production
Sigma Trusted Path Bypass via Windows Directory Spoofing experimental

Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 6 rules

Kusto DLL Hijacking: Loading from an Unusual Directory
Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Signed Proxy Execution via MS Work Folders production
Sigma Using SettingSyncHost.exe as LOLBin test
Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production

Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 4 rules

Splunk Detect Path Interception By Creation Of program exe production
Kusto DLL Hijacking: Loading from an Unusual Directory
Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
Kusto Powershell Empire Cmdlets Executed in Command Line available

Hijack Execution Flow: Services File Permissions Weakness T1574.010 7 rules

Elastic Deprecated - Adobe Hijack Persistence production
Elastic Potential privilege escalation via CVE-2022-38028 production
Sigma Service abuse with malicious ImagePath (Reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
Sigma Service permissions hijacked for privileges abuse (service) experimental

Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 17 rules

Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
Elastic Persistence via Update Orchestrator Service Hijack production
Sigma Possible Privilege Escalation via Weak Service Permissions test
Sigma Potential Persistence Attempt Via Existing Service Tampering test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma Potential Privilege Escalation via Service Permissions Weakness test
Splunk Reg exe Manipulating Windows Services Registry Keys production
Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
Sigma Service Registry Key Read Access Request test
Sigma Service Registry Permissions Weakness Check test
Sigma Service Security Descriptor Tampering Via Sc.EXE test
Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
Elastic Unsigned DLL Loaded by Svchost production
Elastic Unusual Persistence via Services Registry production
Splunk Windows Service Creation Using Registry Entry production

Hijack Execution Flow: COR_PROFILER T1574.012 2 rules

Sigma Enabling COR Profiler Environment Variables test
Sigma Registry-Free Process Scope COR_PROFILER test

Hijack Execution Flow: KernelCallbackTable T1574.013 2 rules

Elastic Suspicious Kworker UID Elevation production
Elastic UID Elevation from Previously Unknown Executable production

Hijack Execution Flow: AppDomainManager T1574.014 1 rule

Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production

Reflective Code Loading T1620 12 rules

Elastic Memory Threat - Detected - Elastic Defend production
Elastic Memory Threat - Prevented- Elastic Defend production
Elastic Network Connection from Binary with RWX Memory Region production
Sigma Potential In-Memory Execution Using Reflection.Assembly test
Sigma PowerShell Base64 Encoded Reflective Assembly Load test
Splunk PowerShell PInvoke Process Injection API Chain production
Elastic Process Started with Executable Stack production
Elastic Suspicious .NET Reflection via PowerShell production
Elastic Suspicious Managed Code Hosting Process production
Elastic Suspicious Process Execution Detected via Defend for Containers production
Elastic Unknown Execution of Binary with RWX Memory Region production
Splunk Windows MMC Loaded Script Engine DLL production

Debugger Evasion T1622 2 rules

Panther GitHub Commits Skipping Workflows
Sigma PUA - Process Hacker Execution test

Impersonation T1656 1 rule

Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production

No specific technique 142 rules

Sigma .RDP File Created By Uncommon Application test
Sigma AppX Located in Known Staging Directory Added to Deployment Pipeline test
Sigma AppX Located in Uncommon Directory Added to Deployment Pipeline test
Sigma AppX Package Deployment Failed Due to Signing Requirements test
Kusto ASR Rare and Untrusted Executables
Sigma AWS Bucket Deleted experimental
Sigma AWS VPC Flow Logs Deleted experimental
Sigma Azure Owner Removed From Application or Service Principal test
Sigma Azure Service Principal Created test
Sigma Azure Service Principal Removed test
Sigma Cisco Duo Successful MFA Authentication Via Bypass Code test
Kusto Cisco Umbrella - Windows PowerShell User-Agent Detected
Sigma ClickOnce Deployment Execution - Dfsvc.EXE Child Process test
Sigma COLDSTEEL Persistence Service Creation test
Sigma COLDSTEEL RAT Anonymous User Process Execution test
Sigma COLDSTEEL RAT Cleanup Command Execution test
Sigma COLDSTEEL RAT Service Persistence Execution test
Sigma Creation Of a Suspicious ADS File Outside a Browser Download test
Sigma Deployment AppX Package Was Blocked By AppLocker test
Sigma DMP/HDMP File Creation test
Sigma Driver Added To Disallowed Images In HVCI - Registry test
Sigma Drop Binaries Into Spool Drivers Color Folder test
Sigma Enable BPF Kprobes Tracing test
Sigma Enable Local Manifest Installation With Winget test
Sigma Execution Of Non-Existing File test
Sigma Execution of Suspicious File Type Extension test
Sigma Forest Blizzard APT - Process Creation Activity experimental
Sigma Goofy Guineapig Backdoor IOC test
YARA-L Google Cloud identity low and medium alert escalation
Sigma HackTool - GMER Rootkit Detector and Remover Execution test
Sigma HackTool - LocalPotato Execution test
Sigma HackTool - Wmiexec Default Powershell Command test
Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols test
Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI test
Sigma ImagingDevices Unusual Parent/Child Processes test
Sigma Important Windows Service Terminated Unexpectedly test
Sigma Important Windows Service Terminated With Error test
Sigma Kernel Memory Dump Via LiveKD test
Sigma LiveKD Driver Creation test
Sigma LiveKD Driver Creation By Uncommon Process test
Sigma LiveKD Kernel Memory Dump File Created test
Sigma LOLBIN Execution From Abnormal Drive test
Sigma macOS ESF Suspicious W+X Memory Mapping experimental
Sigma Malicious DLL Load By Compromised 3CXDesktopApp test
Kusto Microsoft Recommended Driver Block List
Sigma Mshtml.DLL RunHTMLApplication Suspicious Usage test
Sigma New File Association Using Exefile test
Sigma Nslookup PowerShell Download Cradle - ProcessCreation test
Sigma Office Application Initiated Network Connection Over Uncommon Ports test
Sigma Old TLS1.0/TLS1.1 Protocol Version Enabled test
Sigma OneNote Attachment File Dropped In Suspicious Location test
Sigma PDF File Created By RegEdit.EXE test
Sigma Pikabot Fake DLL Extension Execution Via Rundll32.EXE test
Sigma Potential COLDSTEEL Persistence Service DLL Creation test
Sigma Potential COLDSTEEL Persistence Service DLL Load test
Sigma Potential COLDSTEEL RAT File Indicators test
Sigma Potential CVE-2023-36884 Exploitation Dropped File test
Sigma Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection test
Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 test
Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 test
Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 test
Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 test
Sigma Potential Devil Bait Related Indicator test
Sigma Potential Exploitation Attempt From Office Application test
Sigma Potential File Override/Append Via SET Command test
Sigma Potential Goofy Guineapig GoolgeUpdate Process Anomaly test
Sigma Potential Kapeka Decrypted Backdoor Indicator test
Sigma Potential Malicious AppX Package Installation Attempts test
Sigma Potential Memory Dumping Activity Via LiveKD test
Sigma Potential MuddyWater APT Activity test
Sigma Potential Privilege Escalation Attempt Via .Exe.Local Technique test
Sigma Potential Qakbot Rundll32 Execution test
Sigma Potential ShellDispatch.DLL Functionality Abuse test
Sigma Potential Signing Bypass Via Windows Developer Features test
Sigma Potential Signing Bypass Via Windows Developer Features - Registry test
Sigma Potential Suspicious BPF Activity - Linux test
Sigma Potential Suspicious Windows Feature Enabled test
Sigma Potential Suspicious Windows Feature Enabled - ProcCreation test
Sigma Potential Suspicious Winget Package Installation test
Sigma Potentially Suspicious Child Process Of ClickOnce Application test
Sigma Potentially Suspicious DMP/HDMP File Creation test
Sigma Potentially Suspicious File Download From ZIP TLD test
Sigma Potentially Suspicious GoogleUpdate Child Process test
Sigma Potentially Suspicious Windows App Activity test
Sigma PowerShell Core DLL Loaded Via Office Application test
Sigma PowerShell Script Change Permission Via Set-Acl test
Sigma PowerShell Set-Acl On Windows Folder test
Sigma Process Deletion of Its Own Executable test
Sigma Process Launched Without Image Name test
Sigma PSScriptPolicyTest Creation By Uncommon Process test
Sigma Publisher Attachment File Dropped In Suspicious Location test
Sigma Qakbot Regsvr32 Calc Pattern test
Sigma Qakbot Rundll32 Exports Execution test
Sigma Qakbot Rundll32 Fake DLL Extension Execution test
Sigma Remote Access Tool - NetSupport Execution From Unusual Location test
Sigma Remote Access Tool - RURAT Execution From Unusual Location test
Sigma Remote AppX Package Downloaded from File Sharing or CDN Domain test
Sigma Remove Scheduled Cron Task/Job test
Sigma Renamed AutoHotkey.EXE Execution test
Sigma Renamed Microsoft Teams Execution test
Sigma Renamed NetSupport RAT Execution test
Sigma Renamed Remote Utilities RAT (RURAT) Execution test
Sigma Rundll32 Spawned Via Explorer.EXE test
Kusto SAP LogServ - HANA DB - Audit Trail Policy Changes available
Kusto SAP LogServ - HANA DB - Deactivation of Audit Trail available
Sigma ScreenConnect - SlashAndGrab Exploitation Indicators test
Sigma Start of NT Virtual DOS Machine test
Sigma Suspicious Advpack Call Via Rundll32.EXE test
Sigma Suspicious Digital Signature Of AppX Package test
Kusto Suspicious Driver Load
Sigma Suspicious Environment Variable Has Been Registered test
Sigma Suspicious Execution of InstallUtil Without Log test
Sigma Suspicious File Created Via OneNote Application test
Sigma Suspicious File Creation Activity From Fake Recycle.Bin Folder test
Sigma Suspicious File Creation In Uncommon AppData Folder test
Sigma Suspicious IIS URL GlobalRules Rewrite Via AppCmd test
Sigma Suspicious Msbuild Execution By Uncommon Parent Process test
Sigma Suspicious Network Connection Binary No CommandLine test
Sigma Suspicious New Instance Of An Office COM Object test
Sigma Suspicious Obfuscated PowerShell Code test
Sigma Suspicious Powercfg Execution To Change Lock Screen Timeout test
Sigma Suspicious PowerShell Invocations - Specific - ProcessCreation test
Sigma Suspicious Process Execution From Fake Recycle.Bin Folder test
Sigma Suspicious Usage Of ShellExec_RunDLL test
Sigma Suspicious Wordpad Outbound Connections test
Sigma Suspicious Workstation Locking via Rundll32 test
Sigma Sysinternals Tools AppX Versions Execution test
Sigma Triple Cross eBPF Rootkit Default LockFile test
Sigma Triple Cross eBPF Rootkit Execve Hijack test
Sigma UAC Bypass Using Event Viewer RecentViews test
Sigma UAC Bypass Using EventVwr test
Sigma UNC4841 - Barracuda ESG Exploitation Indicators test
Sigma UNC4841 - Email Exfiltration File Pattern test
Sigma Uncommon File Creation By Mysql Daemon Process test
Sigma Uncommon FileSystem Load Attempt By Format.com test
Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage test
Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript test
Sigma Wab Execution From Non Default Location test
Sigma Wab/Wabmig Unusual Parent Or Child Processes test
Sigma Weak or Abused Passwords In CLI test
Sigma Windows Kernel Debugger Execution test
Sigma Windows Service Terminated With Error test

Defense Impairment

Modify Registry T1112 254 rules

Sigma Activate Suppression of Windows Security Center Notifications test
Sigma Add DisallowRun Execution to Registry test
Sigma Allow RDP Remote Assistance Feature test
Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
Sigma Blackbyte Ransomware Registry test
YARA-L Blackbyte Ransomware Registry
Sigma Blue Mockingbird test
Sigma Blue Mockingbird - Registry test
Sigma Change the Fax Dll test
Sigma Change User Account Associated with the FAX Service test
Sigma ClickOnce Trust Prompt Tampering test
Elastic Code Signing Policy Modification Through Registry production
Elastic Component Object Model Hijacking production
Sigma CrashControl CrashDump Disabled test
Sigma CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry test
Splunk Defender Registry Values Modified (Sysmon)
Splunk Defender Registry Values Modified (Windows Event Log)
Elastic Deprecated - Encoded Executable Stored in the Registry production
Kusto Detect Registry Run Key Creation/Modification available
Sigma DHCP Callout DLL Installation test
Sigma Disable Internal Tools or Feature in Registry test
YARA-L Disable Internal Tools or Feature in Registry
Splunk Disable Registry Tool production
Sigma Disable Security Events Logging Adding Reg Key MiniNt test
Splunk Disable Security Logs Using MiniNt Registry production
Splunk Disable Show Hidden Files production
Splunk Disable Windows App Hotkeys production
Sigma Disable Windows Security Center Notifications test
Splunk Disabling CMD Application production
Splunk Disabling ControlPanel production
Elastic Disabling Lsa Protection via Registry Modification production
Splunk Disabling NoRun Windows App production
Elastic Disabling User Account Control via Registry Modification production
Elastic DNS Global Query Block List Modified or Disabled production
Sigma DNS-over-HTTPS Enabled by Registry test
Elastic DNS-over-HTTPS Enabled via Registry production
Sigma Enable LM Hash Storage test
Sigma Enable LM Hash Storage - ProcCreation test
Splunk Enable WDigest UseLogonCredential Registry production
Sigma ETW Logging Disabled For rpcrt4.dll test
Sigma ETW Logging Disabled For SCM test
Sigma ETW Logging Disabled In .NET Processes - Registry test
Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry test
Elastic File or Directory Deletion Command production building block
Sigma FlowCloud Registry Markers test
Splunk FodHelper UAC Bypass production
Elastic Full User-Mode Dumps Enabled System-Wide production
Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (PowerShell)
Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (Windows Event Log)
Elastic Image File Execution Options Injection production
Sigma Impacket SMBexec service creation (registry) experimental
Sigma Impacket SMBexec service registration (native) experimental
Sigma Imports Registry Key From a File test
Sigma Imports Registry Key From an ADS test
Elastic Installation of Security Support Provider production
Elastic Local Account TokenFilter Policy Disabled production
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
Sigma Macro Enabled In A Potentially Suspicious Document test
Splunk Malicious InProcServer32 Modification production
Sigma Microsoft Office Trusted Location Updated test
Elastic Microsoft Windows Defender Tampering production
Elastic Modification of AmsiEnable Registry Key production
Sigma Modification of IE Registry Settings test
Elastic Modification of WDigest Security Provider production
Splunk Modify Registry Key (Windows Event Log)
Elastic MS Office Macro Security Registry Modifications production
Sigma NET NGenAssemblyUsageLog Registry Key Tamper test
Sigma NetNTLM Downgrade Attack test
Sigma NetNTLM Downgrade Attack - Registry test
Elastic Netsh Helper DLL production
Elastic Network-Level Authentication (NLA) Disabled production
Sigma New BgInfo.EXE Custom DB Path Registry Configuration test
Sigma New BgInfo.EXE Custom VBScript Registry Configuration test
Sigma New BgInfo.EXE Custom WMI Query Registry Configuration test
Sigma New DNS ServerLevelPluginDll Installed test
Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
Sigma Non-privileged Usage of Reg or Powershell test
Elastic NullSessionPipe Registry Modification production
Sigma OceanLotus Registry Activity test
Sigma Office Macros Warning Disabled test
Elastic Office Test Registry Persistence production
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Sigma Outlook EnableUnsafeClientMailRules Setting Enabled - Registry test
Elastic Outlook Home Page Registry Modification production
Elastic Persistence via Hidden Run Key Detected production
Elastic Port Forwarding Rule Addition production
Splunk Possible Credential Dumping via Windows Network Providers (PowerShell)
Splunk Possible Credential Dumping via Windows Network Providers (Windows Event Log)
Elastic Potential NetNTLMv1 Downgrade Attack production
Sigma Potential NetWire RAT Activity - Registry test
Sigma Potential Persistence Via Custom Protocol Handler test
Sigma Potential Persistence Via Event Viewer Events.asp test
Elastic Potential Persistence via Mandatory User Profile production
Sigma Potential Persistence Via Outlook Home Page test
Sigma Potential Persistence Via Outlook Today Page test
Elastic Potential Privilege Escalation via Service ImagePath Modification production
Sigma Potential Qakbot Registry Activity test
Sigma Potential Raspberry Robin Registry Set Internet Settings ZoneMap test
Elastic Potential RemoteMonologue Attack production
Sigma Potential Suspicious Registry File Imported Via Reg.EXE test
Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
YARA-L Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Sigma Potential Ursnif Malware Activity - Registry test
Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
Sigma Potentially Suspicious Desktop Background Change Via Registry test
Sigma PowerShell Logging Disabled Via Registry Key Tampering test
Splunk PowerShell Modifying Registry Values (PowerShell)
Splunk PowerShell Modifying Registry Values (Sysmon)
Splunk PowerShell Modifying Registry Values (Windows Event Log)
Elastic PowerShell Script Block Logging Disabled production
Elastic Privilege Escalation via Windir Environment Variable production
Splunk RDP Enabled (PowerShell)
Splunk RDP Enabled (Sysmon)
Splunk RDP Enabled (Windows Event Log)
Elastic RDP Enabled via Registry production
Sigma RDP Sensitive Settings Changed test
YARA-L RDP Sensitive Settings Changed
Sigma RDP Sensitive Settings Changed to Zero test
YARA-L RDP Sensitive Settings Changed to Zero
Sigma RedMimicry Winnti Playbook Registry Manipulation test
Sigma Reg Add Suspicious Paths test
Splunk Reg.exe Process Execution (Sysmon)
Splunk Reg.exe Process Execution (Windows Event Log)
Splunk Regini.exe Execution (Sysmon)
Splunk Regini.exe Execution (Windows Event Log)
Sigma Registry Entries For Azorult Malware test
Splunk Registry Entry Created - PowerShell (PowerShell)
Sigma Registry Explorer Policy Modification test
Sigma Registry Hide Function from User test
Splunk Registry key added with reg.exe (Sysmon)
Splunk Registry key added with reg.exe (Windows Event Log)
Sigma Registry Manipulation via WMI Stdregprov experimental
Sigma Registry Modification Attempt Via VBScript experimental
Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
Sigma Registry Modification for OCI DLL Redirection experimental
Sigma Registry Modification of MS-settings Protocol Handler test
Sigma Registry Modification Via Regini.EXE test
Elastic Registry Persistence via AppInit DLL production
Sigma Registry Tampering by Potentially Suspicious Processes experimental
Splunk Remcos client registry install entry production
Sigma Remote Registry Lateral Movement test
Sigma Removal of Potential COM Hijacking Registry Keys test
Sigma RestrictedAdminMode Registry Value Tampering test
YARA-L RestrictedAdminMode Registry Value Tampering
Sigma RestrictedAdminMode Registry Value Tampering - ProcCreation test
Splunk Revil Registry Entry production
Sigma Run Once Task Configuration in Registry test
Sigma Run Once Task Execution as Configured in Registry test
Splunk Rundll32 Shimcache Flush production
Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
Sigma Service Binary in Suspicious Folder test
Sigma Service Binary in User Controlled Folder test
Elastic Service Disabled via Registry Modification production building block
Elastic Service Path Modification production building block
Elastic Service Path Modification via sc.exe production building block
Sigma ShimCache Flush stable
YARA-L ShimCache Flush
Elastic SolarWinds Process Disabling Services via Registry production
Elastic Startup or Run Key Registry Modification production
Elastic Suspicious ImagePath Service Creation production
Elastic Suspicious Print Spooler Point and Print DLL production
Splunk Suspicious Reg exe Process production
Sigma Suspicious Registry Modification From ADS Via Regini.EXE test
Elastic Suspicious Startup Shell Folder Modification production
Sigma Suspicious VBoxDrvInst.exe Parameters test
Sigma Sysmon Channel Reference Deletion test
Sigma Terminal Server Client Connection History Cleared - Registry test
Sigma Trust Access Disable For VBApplications test
Sigma Uncommon Microsoft Office Trusted Location Added test
Elastic Uncommon Registry Persistence Change production
Elastic Unusual Persistence via Services Registry production
Sigma User Shell Folders Registry Modification via CommandLine experimental
Sigma Wdigest CredGuard Registry Modification test
Sigma Wdigest Enable UseLogonCredential test
YARA-L Wdigest Enable UseLogonCredential
Splunk WDigest Forced Credential Caching (PowerShell)
Splunk WDigest Forced Credential Caching (Sysmon)
Splunk WDigest Forced Credential Caching (Windows Event Log)
Elastic Werfault ReflectDebugger Persistence production
Splunk Windows Anomalous Registry Value Length in Environment Key production
Splunk Windows Defender ASR Registry Modification production
Splunk Windows Defender ASR Rule Disabled production
Elastic Windows Defender Disabled via Registry Modification production
Splunk Windows Deleted Registry By A Non Critical Process File Path production
Splunk Windows Disable Change Password Through Registry production
Splunk Windows Disable Lock Workstation Feature Through Registry production
Splunk Windows Disable LogOff Button Through Registry production
Splunk Windows Disable Notification Center production
Splunk Windows Disable Shutdown Button Through Registry production
Splunk Windows Disable Windows Group Policy Features Through Registry production
Splunk Windows Downdate Registry Activity production
Sigma Windows Event Log Access Tampering Via Registry experimental
Splunk Windows Hide Notification Features Through Registry production
Splunk Windows Impair Defenses Disable AV AutoStart via Registry production
Splunk Windows InProcServer32 New Outlook Form production
Splunk Windows Modify Registry AuthenticationLevelOverride production
Splunk Windows Modify Registry Auto Minor Updates production
Splunk Windows Modify Registry Auto Update Notif production
Splunk Windows Modify Registry Configure BitLocker production
Splunk Windows Modify Registry Default Icon Setting production
Splunk Windows Modify Registry Delete Firewall Rules production
Splunk Windows Modify Registry Disable RDP production
Splunk Windows Modify Registry Disable Restricted Admin production
Splunk Windows Modify Registry Disable Toast Notifications production
Splunk Windows Modify Registry Disable Win Defender Raw Write Notif production
Splunk Windows Modify Registry Disable WinDefender Notifications production
Splunk Windows Modify Registry Disable Windows Security Center Notif production
Splunk Windows Modify Registry DisableRemoteDesktopAntiAlias production
Splunk Windows Modify Registry DisableSecuritySettings production
Splunk Windows Modify Registry Disabling WER Settings production
Splunk Windows Modify Registry DisAllow Windows App production
Splunk Windows Modify Registry Do Not Connect To Win Update production
Splunk Windows Modify Registry DontShowUI production
Splunk Windows Modify Registry EnableLinkedConnections production
Splunk Windows Modify Registry LongPathsEnabled production
Splunk Windows Modify Registry MaxConnectionPerServer production
Splunk Windows Modify Registry No Auto Reboot With Logon User production
Splunk Windows Modify Registry No Auto Update production
Splunk Windows Modify Registry NoChangingWallPaper production
Splunk Windows Modify Registry on Smart Card Group Policy production
Splunk Windows Modify Registry ProxyEnable production
Splunk Windows Modify Registry ProxyServer production
Splunk Windows Modify Registry Qakbot Binary Data Registry production
Splunk Windows Modify Registry Regedit Silent Reg Import production
Splunk Windows Modify Registry Risk Behavior production
Splunk Windows Modify Registry Suppress Win Defender Notif production
Splunk Windows Modify Registry Tamper Protection production
Splunk Windows Modify Registry to Add or Modify Firewall Rule production
Splunk Windows Modify Registry UpdateServiceUrlAlternate production
Splunk Windows Modify Registry USeWuServer production
Splunk Windows Modify Registry Utilize ProgIDs production
Splunk Windows Modify Registry ValleyRAT C2 Config production
Splunk Windows Modify Registry ValleyRat PWN Reg Entry production
Splunk Windows Modify Registry With MD5 Reg Key Name production
Splunk Windows Modify Registry WuServer production
Splunk Windows Modify Registry wuStatusServer production
Splunk Windows Modify Show Compress Color And Info Tip Registry production
Splunk Windows New InProcServer32 Added production
Splunk Windows Outlook Dialogs Disabled from Unusual Process production
Splunk Windows Outlook LoadMacroProviderOnBoot Persistence production
Splunk Windows Outlook WebView Registry Modification production
Splunk Windows Routing and Remote Access Service Registry Key Change production
Splunk Windows RunMRU Registry Key or Value Deleted production
Splunk Windows Set Network Profile Category to Private via Registry production
Splunk Windows Snake Malware Registry Modification wav OpenWithProgIds production
Splunk Windows SnappyBee Create Test Registry production
Elastic Windows Subsystem for Linux Distribution Installed production
Sigma Winlogon AllowMultipleTSSessions Enable test

Rogue Domain Controller T1207 13 rules

Sigma Account accessed to attributes related to DCshadow experimental
Sigma Add or Remove Computer from DC test
Kusto Alsid DCShadow available
Sigma Possible DC Shadow Attack test
Kusto Semperis DSP Mimikatz's DCShadow Alert available
Kusto Tenable.ad DCShadow
Kusto TIE DCShadow
Splunk Windows AD DCShadow Privileges ACL Addition production
Splunk Windows AD Domain Controller Promotion production
Splunk Windows AD Replication Service Traffic experimental
Splunk Windows AD Rogue Domain Controller Network Activity experimental
Splunk Windows AD Short Lived Domain Controller SPN Attribute production
Splunk Windows AD Short Lived Server Object production

File and Directory Permissions Modification T1222 79 rules

Elastic Access Control List Modification via setfacl production
Sigma AD Object WriteDAC Access test
Elastic Adding Hidden File Attribute via Attrib production
Elastic Azure Blob Storage Container Access Level Modified production
Elastic Azure Blob Storage Permissions Modified production
Panther Azure Storage Blob Container Permissions Modified
Kusto BTP - Cloud Integration access policy tampering available
Sigma Chmod Targeting Sensitive Directories test
Sigma Computer account modifying Active Directory permissions experimental
Sigma Computer account modifying Active Directory permissions (PrivExchange) experimental
Splunk Excessive Usage Of Cacls App production
Elastic Executable Bit Set for Potential Persistence Script production
Elastic File and Directory Permissions Modification production building block
Elastic File Creation in World-Writable Directory by Unusual Process production
Elastic File Execution Permission Modification Detected via Defend for Containers production
Elastic File made Immutable by Chattr production
Sigma File or Folder Permissions Change test
Sigma File or Folder Permissions Modifications test
Elastic File Permission Modification in Writable Directory production
Splunk File_Folder Hidden - Windows (PowerShell)
Splunk File_Folder Hidden - Windows (Sysmon)
Splunk File_Folder Hidden - Windows (Windows Event Log)
Splunk Full Control Permissions Granted to Everyone - Windows (Sysmon)
Splunk Full Control Permissions Granted to Everyone - Windows (Windows Event Log)
Elastic GCP Storage Bucket Permissions Modification production
Splunk Hiding Files And Directories With Attrib exe production
Splunk Icacls Deny Command production
Splunk ICACLS Grant Command production
Panther Kubernetes Role With Write Permissions Created Experimental
Panther Kubernetes System Role Modified or Deleted Experimental
Splunk Linux Auditd Change File Owner To Root production
Splunk Linux Auditd File Permission Modification Via Chmod production
Splunk Linux Auditd File Permissions Modification Via Chattr production
Splunk Linux Change File Owner To Root production
Sigma macOS Code Signature Invalidation experimental
Sigma macOS TCC Database Modification experimental
Splunk Modify ACL permission To Files Or Folder production
Sigma OCSP responder security settings changed experimental
Splunk Permission Modification using Takeown App production
Splunk Permissions Replaced by icacls - Windows (PowerShell)
Splunk Permissions Replaced by icacls - Windows (Sysmon)
Splunk Permissions Replaced by icacls - Windows (Windows Event Log)
Elastic Potential Unauthorized Access via Wildcard Injection Detected production
Sigma Potentially Suspicious NTFS Symlink Behavior Modification test
Sigma PowerShell Script Change Permission Via Set-Acl - PsScript test
Sigma PowerShell Set-Acl On Windows Folder - PsScript test
Elastic Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
Splunk Read-Only Attribute Removed - Windows (PowerShell)
Splunk Read-Only Attribute Removed - Windows (Sysmon)
Splunk Read-Only Attribute Removed - Windows (Windows Event Log)
Sigma Remove Immutable File Attribute test
Sigma Remove Immutable File Attribute - Auditd test
Sigma Replication privileges granted to perform DCSync attack experimental
Panther Slack Private Channel Made Public
Elastic Suspicious File Made Executable via Chmod Inside A Container production
Sigma Suspicious permissions modification on a network share experimental
Sigma Suspicious Recursive Takeown test
Elastic System Binary Path File Permission Modification production
Elastic System File Ownership Change production
Sigma WannaCry Ransomware Activity test
Splunk Windows AD Dangerous Deny ACL Modification production
Splunk Windows AD Dangerous Group ACL Modification production
Splunk Windows AD Dangerous User ACL Modification production
Splunk Windows AD DCShadow Privileges ACL Addition production
Splunk Windows AD Domain Root ACL Deletion production
Splunk Windows AD Domain Root ACL Modification production
Splunk Windows AD GPO New CSE Addition production
Splunk Windows AD Hidden OU Creation production
Splunk Windows AD Object Owner Updated production
Splunk Windows AD Suspicious Attribute Modification production
Splunk Windows Common Abused Cmd Shell Risk Behavior production
Splunk Windows File and Directory Enable ReadOnly Permissions production
Splunk Windows File and Directory Permissions Enable Inheritance production
Splunk Windows File and Directory Permissions Remove Inheritance production
Splunk Windows Files and Dirs Access Rights Modification Via Icacls production
Splunk Windows SubInAcl Execution production
Splunk Windows SymbolicLink-Testing-Tools Utility Execution production
Splunk Windows Symlink Evaluation Change via Fsutil production
Elastic WRITEDAC Access on Active Directory Object production building block

File and Directory Permissions Modification: Windows Permissions T1222.001 41 rules

Sigma AD Object WriteDAC Access test
Elastic Adding Hidden File Attribute via Attrib production
Sigma Computer account modifying Active Directory permissions experimental
Sigma Computer account modifying Active Directory permissions (PrivExchange) experimental
Elastic File and Directory Permissions Modification production building block
Sigma File or Folder Permissions Modifications test
Splunk File_Folder Hidden - Windows (PowerShell)
Splunk File_Folder Hidden - Windows (Sysmon)
Splunk File_Folder Hidden - Windows (Windows Event Log)
Splunk Full Control Permissions Granted to Everyone - Windows (Sysmon)
Splunk Full Control Permissions Granted to Everyone - Windows (Windows Event Log)
Splunk Hiding Files And Directories With Attrib exe production
Splunk Permissions Replaced by icacls - Windows (PowerShell)
Splunk Permissions Replaced by icacls - Windows (Sysmon)
Splunk Permissions Replaced by icacls - Windows (Windows Event Log)
Sigma Potentially Suspicious NTFS Symlink Behavior Modification test
Splunk Read-Only Attribute Removed - Windows (PowerShell)
Splunk Read-Only Attribute Removed - Windows (Sysmon)
Splunk Read-Only Attribute Removed - Windows (Windows Event Log)
Sigma Replication privileges granted to perform DCSync attack experimental
Sigma Suspicious permissions modification on a network share experimental
Sigma Suspicious Recursive Takeown test
Elastic System File Ownership Change production
Sigma WannaCry Ransomware Activity test
Splunk Windows AD Dangerous Deny ACL Modification production
Splunk Windows AD Dangerous Group ACL Modification production
Splunk Windows AD Dangerous User ACL Modification production
Splunk Windows AD DCShadow Privileges ACL Addition production
Splunk Windows AD Domain Root ACL Deletion production
Splunk Windows AD Domain Root ACL Modification production
Splunk Windows AD GPO New CSE Addition production
Splunk Windows AD Hidden OU Creation production
Splunk Windows AD Object Owner Updated production
Splunk Windows AD Suspicious Attribute Modification production
Splunk Windows File and Directory Enable ReadOnly Permissions production
Splunk Windows File and Directory Permissions Enable Inheritance production
Splunk Windows File and Directory Permissions Remove Inheritance production
Splunk Windows Files and Dirs Access Rights Modification Via Icacls production
Splunk Windows SubInAcl Execution production
Splunk Windows Symlink Evaluation Change via Fsutil production
Elastic WRITEDAC Access on Active Directory Object production building block

File and Directory Permissions Modification: Linux and Mac Permissions T1222.002 18 rules

Elastic Access Control List Modification via setfacl production
Sigma Chmod Targeting Sensitive Directories test
Elastic Executable Bit Set for Potential Persistence Script production
Elastic File Creation in World-Writable Directory by Unusual Process production
Elastic File Execution Permission Modification Detected via Defend for Containers production
Elastic File made Immutable by Chattr production
Sigma File or Folder Permissions Change test
Elastic File Permission Modification in Writable Directory production
Splunk Linux Auditd Change File Owner To Root production
Splunk Linux Auditd File Permission Modification Via Chmod production
Splunk Linux Auditd File Permissions Modification Via Chattr production
Splunk Linux Change File Owner To Root production
Elastic Potential Unauthorized Access via Wildcard Injection Detected production
Elastic Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities production
Sigma Remove Immutable File Attribute test
Sigma Remove Immutable File Attribute - Auditd test
Elastic Suspicious File Made Executable via Chmod Inside A Container production
Elastic System Binary Path File Permission Modification production

Domain or Tenant Policy Modification T1484 85 rules

Splunk Active Directory Privilege Escalation Identified experimental
Elastic AdminSDHolder SDProp Exclusion Added production
Elastic Application Removed from Blocklist in Google Workspace production
Panther AppOmni Alert Passthrough
Elastic Attempt to Deactivate an Okta Network Zone production
Elastic Attempt to Delete an Okta Policy Rule production
Elastic Attempt to Modify an Okta Network Zone production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Modify an Okta Policy Rule production
Elastic AWS IAM OIDC Provider Created by Rare User production
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM SAML Provider Updated production
Kusto AWSCloudTrail - CloudFormation policy created then used for privilege escalation available
Kusto AWSCloudTrail - Created CRUD S3 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of EC2 policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Glue policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of Lambda policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of new CRUD IAM policy and then privilege escalation available
Kusto AWSCloudTrail - Creation of SSM policy and then privilege escalation available
Kusto AWSCloudTrail - Full Admin policy created and then attached to Roles, Users or Groups available
Splunk Azure AD New Custom Domain Added production
Splunk Azure AD New Federated Domain Added production
Sigma Changes to Device Registration Policy test
Kusto Conditional Access - Dynamic Group Exclusion Changes
Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Elastic Deprecated - M365 Teams External Access Enabled production
Elastic Deprecated - M365 Teams Guest Access Enabled production
Elastic Domain Added to Google Workspace Trusted Domains production
YARA-L Entra ID conditional access policy modification
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic Google Workspace Admin Role Deletion production
Elastic Google Workspace Bitlocker Setting Disabled production
Elastic Google Workspace Password Policy Modified production
Elastic Google Workspace Restrictions for Marketplace Modified to Allow Any App production
Sigma Group Policy Abuse for Privilege Addition test
Elastic Group Policy Abuse for Privilege Addition production
Elastic M365 Exchange Anti-Phish Policy Deleted production
Elastic M365 Exchange DKIM Signing Configuration Disabled production
Elastic M365 Exchange Email Safe Link Policy Disabled production
Elastic M365 Exchange Federated Domain Created or Modified production
Elastic M365 Exchange Malware Filter Rule Modified production
Elastic M365 SharePoint Site Sharing Policy Weakened production
Elastic M365 Teams Custom Application Interaction Enabled production
Sigma macOS MDM Profile Manipulation experimental
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Splunk Modify Group Policy (Windows Event Log)
Sigma Modify Group Policy Settings test
Sigma Modify Group Policy Settings - ScriptBlockLogging test
Sigma New Federated Domain Added test
Elastic New Okta Identity Provider (IdP) Added by Admin production
Splunk O365 Cross-Tenant Access Change production
Sigma Permissions changed on a Group Policy (GPO) experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Scheduled Task Execution at Scale via GPO production
Kusto Shadow Credentials Added to Account
Kusto Shadow Credentials Added to Account (Alternative)
Sigma Startup/Logon Script Added to Group Policy Object test
Elastic Startup/Logon Script added to Group Policy Object production
Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
Splunk Windows AD Dangerous Deny ACL Modification production
Splunk Windows AD Dangerous Group ACL Modification production
Splunk Windows AD Dangerous User ACL Modification production
Splunk Windows AD DCShadow Privileges ACL Addition production
Splunk Windows AD Domain Replication ACL Addition production
Splunk Windows AD Domain Root ACL Deletion production
Splunk Windows AD Domain Root ACL Modification production
Splunk Windows AD GPO Deleted production
Splunk Windows AD GPO Disabled production
Splunk Windows AD GPO New CSE Addition production
Splunk Windows AD Hidden OU Creation production
Splunk Windows AD Object Owner Updated production
Splunk Windows AD Self DACL Assignment production
Splunk Windows Admon Default Group Policy Object Modified production
Splunk Windows Admon Group Policy Object Created production
Sigma Windows Default Domain GPO Modification experimental
Sigma Windows Default Domain GPO Modification via GPME experimental
Splunk Windows Default Group Policy Object Modified production
Splunk Windows Default Group Policy Object Modified with GPME production
Splunk Windows Group Policy Object Created production
Splunk Windows Scheduled Task Created in a Group Policy Object production

Domain or Tenant Policy Modification: Group Policy Modification T1484.001 24 rules

Elastic Creation or Modification of a new GPO Scheduled Task or Service production
Panther GCP User Added to Privileged Group
Sigma Group Policy Abuse for Privilege Addition test
Elastic Group Policy Abuse for Privilege Addition production
Splunk Modify Group Policy (Windows Event Log)
Sigma Modify Group Policy Settings test
Sigma Modify Group Policy Settings - ScriptBlockLogging test
Sigma Permissions changed on a Group Policy (GPO) experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Scheduled Task Execution at Scale via GPO production
Sigma Startup/Logon Script Added to Group Policy Object test
Elastic Startup/Logon Script added to Group Policy Object production
Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
Splunk Windows AD GPO Deleted production
Splunk Windows AD GPO Disabled production
Splunk Windows AD GPO New CSE Addition production
Splunk Windows Admon Default Group Policy Object Modified production
Splunk Windows Admon Group Policy Object Created production
Sigma Windows Default Domain GPO Modification experimental
Sigma Windows Default Domain GPO Modification via GPME experimental
Splunk Windows Default Group Policy Object Modified production
Splunk Windows Default Group Policy Object Modified with GPME production
Splunk Windows Group Policy Object Created production
Splunk Windows Scheduled Task Created in a Group Policy Object production

Domain or Tenant Policy Modification: Trust Modification T1484.002 15 rules

Elastic Attempt to Deactivate an Okta Network Zone production
Elastic AWS IAM OIDC Provider Created by Rare User production
Elastic AWS IAM SAML Provider Created production
Elastic AWS IAM SAML Provider Updated production
Splunk Azure AD New Custom Domain Added production
Splunk Azure AD New Federated Domain Added production
Elastic Domain Added to Google Workspace Trusted Domains production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID Federated Identity Credential Issuer Modified production
Elastic M365 Exchange Federated Domain Created or Modified production
Sigma New Federated Domain Added test
Elastic New Okta Identity Provider (IdP) Added by Admin production
Splunk O365 Cross-Tenant Access Change production
Panther Wiz SAML Identity Provider Change
Panther ZIA Trust Modification

Subvert Trust Controls T1553 59 rules

Sigma Active Directory Certificate Services Denied Certificate Enrollment Request test
Elastic Attempt to Disable Gatekeeper production
Elastic Attempt to Install Root Certificate production
Splunk Certutil Root Certificate Install (Windows Event Log)
Sigma Certutil root certificate installation experimental
Sigma Cisco Crypto Commands test
Elastic Code Signing Policy Modification Through Built-in tools production
Elastic Code Signing Policy Modification Through Registry production
Elastic Creation or Modification of Root Certificate production
Elastic Expired or Revoked Driver Loaded production
Sigma Gatekeeper Bypass via Xattr test
Elastic Gatekeeper Override and Execution production
Sigma Install Root Certificate test
Splunk ISO Image Mounted - Windows (PowerShell)
Splunk ISO Image Mounted - Windows (Windows Event Log)
Sigma Kapeka Backdoor Configuration Persistence test
Sigma macOS Code Signature Invalidation experimental
Splunk MacOS Gatekeeper Bypass production
Sigma macOS Gatekeeper User Override experimental
Sigma New Root Certificate Installed Via CertMgr.EXE test
Sigma New Root Certificate Installed Via Certutil.EXE test
Kusto Pathlock TDnR - STRUST PSE Certificate Changes available
Sigma Persistence Via New SIP Provider test
Sigma Potential BOINC Software Execution (UC-Berkeley Signature) test
Elastic Potential Masquerading as System32 DLL production building block
Elastic Potential Masquerading as System32 Executable production building block
Sigma Potential Secure Deletion with SDelete test
Elastic Quarantine Attrib Removed by Unsigned or Untrusted Process production
Sigma Renamed BOINC Client Execution test
Elastic Root Certificate Installation production
Sigma Root Certificate Installed - PowerShell test
Sigma Root Certificate Installed From Susp Locations test
Elastic SIP Provider Modification production
Elastic SSL Certificate Deletion production
Elastic Suspicious Curl from macOS Application production
Sigma Suspicious Execution via macOS Script Editor test
Sigma Suspicious Invoke-Item From Mount-DiskImage test
Elastic Suspicious Kernel Feature Activity production
Sigma Suspicious Mount-DiskImage test
Elastic Suspicious Outbound Network Connection via Unsigned Binary production
Sigma Suspicious Package Installed - Linux test
Sigma Suspicious RazerInstaller Explorer Subprocess test
Sigma Suspicious SIP or trust provider registration experimental
Sigma Suspicious Unblock-File test
Sigma Suspicious X509Enrollment - Process Creation test
Sigma Suspicious X509Enrollment - Ps Script test
Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
Sigma Windows AppX Deployment Full Trust Package Installation experimental
Splunk Windows AppX Deployment Full Trust Package Installation production
Sigma Windows AppX Deployment Unsigned Package Installation experimental
Splunk Windows AppX Deployment Unsigned Package Installation production
Elastic Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) production
Splunk Windows Developer-Signed MSIX Package Installation production
Splunk Windows Mark Of The Web Bypass production
Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
Splunk Windows Registry Certificate Added production
Splunk Windows Registry SIP Provider Modification production
Splunk Windows SIP Provider Inventory production
Splunk Windows SIP WinVerifyTrust Failed Trust Validation production

Subvert Trust Controls: Gatekeeper Bypass T1553.001 8 rules

Elastic Attempt to Disable Gatekeeper production
Sigma Gatekeeper Bypass via Xattr test
Elastic Gatekeeper Override and Execution production
Splunk MacOS Gatekeeper Bypass production
Sigma macOS Gatekeeper User Override experimental
Elastic Quarantine Attrib Removed by Unsigned or Untrusted Process production
Elastic Suspicious Curl from macOS Application production
Elastic Suspicious Outbound Network Connection via Unsigned Binary production

Subvert Trust Controls: Code Signing T1553.002 6 rules

Elastic Expired or Revoked Driver Loaded production
Sigma macOS Code Signature Invalidation experimental
Elastic Potential Masquerading as System32 DLL production building block
Elastic Potential Masquerading as System32 Executable production building block
Sigma Potential Secure Deletion with SDelete test
Elastic Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) production

Subvert Trust Controls: SIP and Trust Provider Hijacking T1553.003 7 rules

Sigma Kapeka Backdoor Configuration Persistence test
Sigma Persistence Via New SIP Provider test
Elastic SIP Provider Modification production
Sigma Suspicious SIP or trust provider registration experimental
Splunk Windows Registry SIP Provider Modification production
Splunk Windows SIP Provider Inventory production
Splunk Windows SIP WinVerifyTrust Failed Trust Validation production

Subvert Trust Controls: Install Root Certificate T1553.004 17 rules

Sigma Active Directory Certificate Services Denied Certificate Enrollment Request test
Elastic Attempt to Install Root Certificate production
Splunk Certutil Root Certificate Install (Windows Event Log)
Sigma Certutil root certificate installation experimental
Sigma Cisco Crypto Commands test
Elastic Creation or Modification of Root Certificate production
Panther CrowdStrike MacOS Added Trusted Cert
Sigma Install Root Certificate test
Sigma New Root Certificate Installed Via CertMgr.EXE test
Sigma New Root Certificate Installed Via Certutil.EXE test
Elastic Root Certificate Installation production
Sigma Root Certificate Installed - PowerShell test
Sigma Root Certificate Installed From Susp Locations test
Sigma Suspicious Package Installed - Linux test
Sigma Suspicious X509Enrollment - Process Creation test
Sigma Suspicious X509Enrollment - Ps Script test
Splunk Windows Registry Certificate Added production

Subvert Trust Controls: Mark-of-the-Web Bypass T1553.005 13 rules

Splunk ISO Image Mounted - Windows (PowerShell)
Splunk ISO Image Mounted - Windows (Windows Event Log)
Sigma Suspicious Invoke-Item From Mount-DiskImage test
Sigma Suspicious Mount-DiskImage test
Sigma Suspicious Unblock-File test
Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
Sigma Windows AppX Deployment Full Trust Package Installation experimental
Splunk Windows AppX Deployment Full Trust Package Installation production
Sigma Windows AppX Deployment Unsigned Package Installation experimental
Splunk Windows AppX Deployment Unsigned Package Installation production
Splunk Windows Developer-Signed MSIX Package Installation production
Splunk Windows Mark Of The Web Bypass production
Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental

Subvert Trust Controls: Code Signing Policy Modification T1553.006 2 rules

Elastic Code Signing Policy Modification Through Built-in tools production
Elastic Code Signing Policy Modification Through Registry production

Modify Authentication Process T1556 145 rules

Panther AppOmni Alert Passthrough
Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk ASL AWS New MFA Method Registered For User production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Deactivate an Okta Policy Rule production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Elastic Authentication via Unusual PAM Grantor production
Elastic Authorization Plugin Modification production
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Identity Center Identity Provider Change test
Splunk AWS Multi-Factor Authentication Disabled production
YARA-L AWS MultiFactor Authentication Disabled
YARA-L AWS New MFA Method Registered For User
Splunk AWS New MFA Method Registered For User production
Elastic AWS RDS DB Instance Made Public production
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS STS AssumeRole with New MFA Device production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD New MFA Method Registered For User production
Sigma Azure AD Only Single Factor Authentication Required test
Panther Azure Authentication Methods Policy OIDC Discovery URL Changed
Panther Azure Domain Federation Settings Modified
Panther Azure MFA Disabled
Kusto Azure secure score block legacy authentication available
Kusto BTP - Cloud Identity Service application configuration monitor available
Kusto BTP - Trust and authorization Identity Provider monitor available
Sigma CA Policy Removed by Non Approved Actor test
Sigma CA Policy Updated by Non Approved Actor test
Sigma Certificate-Based Authentication Enabled test
Sigma Change to Authentication Method test
Splunk Cisco ASA - AAA Policy Tampering production
Sigma Cisco Dot1x Disabled experimental
Splunk Cisco Duo Admin Login Unusual Browser production
Splunk Cisco Duo Admin Login Unusual Country production
Splunk Cisco Duo Admin Login Unusual Os production
Splunk Cisco Duo Bulk Policy Deletion production
Splunk Cisco Duo Bypass Code Generation production
Splunk Cisco Duo Policy Allow Devices Without Screen Lock production
Splunk Cisco Duo Policy Allow Network Bypass 2FA production
Splunk Cisco Duo Policy Allow Old Flash production
Splunk Cisco Duo Policy Allow Old Java production
Splunk Cisco Duo Policy Allow Tampered Devices production
Splunk Cisco Duo Policy Bypass 2FA production
Splunk Cisco Duo Policy Deny Access production
Splunk Cisco Duo Policy Skip 2FA for Other Countries production
Splunk Cisco Duo Set User Status to Bypass 2FA production
Splunk Cisco Network Interface Modifications production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Panther Databricks MFA Key Change Experimental
Panther Databricks SSO Configuration Changed Experimental
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect suspicious conditional access policy modifications
Sigma Directory Service Restore Mode(DSRM) Registry Value Tampering test
Sigma Disabled MFA to Bypass Authentication Mechanisms test
Sigma Disabling Multi Factor Authentication test
Splunk Disabling Windows Local Security Authority Defences via Registry production
Sigma Dropping Of Password Filter DLL test
Elastic Entra ID Conditional Access Policy (CAP) Modified production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID External Authentication Methods (EAM) Modified production
Elastic Entra ID MFA Disabled for User production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Kusto Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
Kusto External User Access Enabled
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Splunk GCP Multi-Factor Authentication Disabled production
Sigma Github High Risk Configuration Disabled test
Kusto GitLab - Repository visibility to Public available
Elastic Google Workspace 2SV Policy Disabled production
YARA-L Google Workspace MFA Disabled
Elastic Google Workspace MFA Enforcement Disabled production
Panther GSuite User Two Step Verification Change
Kusto Keeper Security - Password Changed available
Kusto Keeper Security - User MFA Changed available
Sigma macOS Configuration Profile Installation experimental
Elastic MFA Deactivation with no Re-Activation for Okta User Account production
Panther MFA Disabled
Elastic MFA Disabled for Google Workspace Organization production
Panther Microsoft365 MFA Disabled
Elastic Mimikatz Memssp Log File Detected production
Elastic Modification or Removal of an Okta Application Sign-On Policy production
Kusto Multi-Factor Authentication Disabled for a User available
Elastic Network Logon Provider Registry Modification production
Kusto New Device/Location sign-in along with critical operation available
Elastic New Okta Identity Provider (IdP) Added by Admin production
Sigma New Root Certificate Authority Added test
Splunk O365 Disable MFA production
Splunk O365 Excessive SSO logon errors production
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Panther Okta Authentication Bypass via Skeleton Key Injection - Behavioral Experimental
Panther Okta Cleartext Passwords Extracted via SCIM Application
Panther Okta Identity Provider Created or Modified
Panther Okta MFA Globally Disabled
Sigma Okta MFA Reset or Deactivated test
Splunk Okta Multi-Factor Authentication Disabled production
Panther Okta Org2Org application created of modified
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Panther Okta Sign-In from VPN Anonymizer
YARA-L Okta User Password and MFA Factor Reset or Deactivated
Panther OneLogin Authentication Factor Removed
YARA-L OneLogin User Authentication Factor Removed
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Polkit Policy Creation production
Sigma Possible Shadow Credentials Added test
Elastic Potential Backdoor Execution Through PAM_EXEC production
Elastic Potential Execution via SSH Backdoor production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Elastic Potential OpenSSH Backdoor Logging Activity production
Elastic Potential Persistence via File Modification production
Elastic Potential Shadow Credentials added to AD Object production
Elastic Potential SSH Password Grabbing via strace production
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Powershell Install a DLL in System Directory test
Kusto Red Sift - MFA disabled on account available
Elastic Renaming of OpenSSH Binaries production
Kusto Rouge RDP: Suspicious File Creation
Panther Slack IDP Configuration Changed
Panther Slack SSO Settings Changed
Panther Snowflake Login Without MFA
Panther Snowflake Login Without MFA
Elastic Stolen Credentials Used to Login to Okta Account After MFA Reset production
Splunk Suspicious Certificate Authentication (Windows Event Log)
Splunk Suspicious Certificate Modification (Windows Event Log)
Kusto Suspicious Sign In Followed by MFA Modification available
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Elastic Unusual Process Modifying GenAI Configuration File production
Sigma User Added To Group With CA Policy Modification Access test
Sigma User Removed From Group With CA Policy Modification Access test
Kusto VMware ESXi - Root password changed available
Panther Wiz Update Login Settings

Modify Authentication Process: Password Filter DLL T1556.002 5 rules

Sigma Dropping Of Password Filter DLL test
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Powershell Install a DLL in System Directory test

Modify Authentication Process: Pluggable Authentication Modules T1556.003 5 rules

Elastic Authentication via Unusual PAM Grantor production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Potential Backdoor Execution Through PAM_EXEC production

Modify Authentication Process: Network Device Authentication T1556.004 2 rules

Splunk Cisco ASA - AAA Policy Tampering production
Sigma Cisco Dot1x Disabled experimental

Modify Authentication Process: Multi-Factor Authentication T1556.006 33 rules

Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk ASL AWS New MFA Method Registered For User production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Splunk AWS Multi-Factor Authentication Disabled production
YARA-L AWS MultiFactor Authentication Disabled
YARA-L AWS New MFA Method Registered For User
Splunk AWS New MFA Method Registered For User production
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS STS AssumeRole with New MFA Device production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD New MFA Method Registered For User production
Sigma Azure AD Only Single Factor Authentication Required test
Panther Azure Domain Federation Settings Modified
Sigma Disabling Multi Factor Authentication test
Elastic Entra ID MFA Disabled for User production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Splunk GCP Multi-Factor Authentication Disabled production
Elastic Google Workspace MFA Enforcement Disabled production
Elastic MFA Deactivation with no Re-Activation for Okta User Account production
Sigma Okta MFA Reset or Deactivated test
Splunk Okta Multi-Factor Authentication Disabled production
YARA-L Okta User Password and MFA Factor Reset or Deactivated
YARA-L OneLogin User Authentication Factor Removed
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Panther Slack MFA Settings Changed
Elastic Stolen Credentials Used to Login to Okta Account After MFA Reset production
Kusto Suspicious Sign In Followed by MFA Modification available

Modify Authentication Process: Hybrid Identity T1556.007 6 rules

Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Elastic Entra ID Domain Federation Configuration Change production
Panther MongoDB Identity Provider Activity
Elastic New Okta Identity Provider (IdP) Added by Admin production
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production

Modify Authentication Process: Network Provider DLL T1556.008 1 rule

Elastic Network Logon Provider Registry Modification production

Modify Authentication Process: Conditional Access Policies T1556.009 13 rules

Elastic AWS RDS DB Instance Made Public production
Panther Azure Authentication Methods Policy OIDC Discovery URL Changed
Panther Crowdstrike IP Allowlist Changed
Panther Crowdstrike Single IP Allowlisted
Kusto Detect suspicious conditional access policy modifications
Elastic Entra ID Conditional Access Policy (CAP) Modified production
Elastic Entra ID External Authentication Methods (EAM) Modified production
Panther GCP Org or Folder Policy Was Changed Manually
Elastic Modification or Removal of an Okta Application Sign-On Policy production
Panther MongoDB access allowed from anywhere
Panther MongoDB org membership restriction disabled
Panther Wiz Update IP Restrictions
Panther ZIA Insecure Password Settings

Modify Cloud Compute Infrastructure T1578 31 rules

Elastic AWS EC2 EBS Snapshot Access Removed production
Elastic AWS EC2 Encryption Disabled production
Elastic AWS EC2 Network Access Control List Creation production
Elastic AWS EC2 Route Table Created production
Elastic AWS EC2 Route Table Modified or Deleted production
Elastic AWS EC2 Security Group Configuration Change production
Elastic AWS EC2 Serial Console Access Enabled production
Elastic AWS EC2 Stop, Start, and User Data Modification Correlation production
Elastic AWS Lambda Function Policy Updated to Allow Public Invocation production
Elastic AWS Lambda Layer Added to Existing Function production
Panther AWS Modify Cloud Compute Infrastructure
Elastic AWS RDS DB Instance or Cluster Deletion Protection Disabled production
Elastic AWS RDS DB Instance Restored production
Elastic AWS RDS DB Snapshot Created production building block
Sigma Azure Active Directory Hybrid Health AD FS New Server test
Sigma Azure Active Directory Hybrid Health AD FS Service Delete test
Kusto Azure DevOps Agent Pool Created Then Deleted available
Kusto Azure DevOps Build Variable Modified by New User available
Kusto Azure DevOps Pipeline modified by a new user available
Elastic Azure Key Vault Modified production
Elastic Azure VM Extension Deployment by User production
Splunk Cloud Compute Instance Created With Previously Unseen Instance Type production
Splunk Cloud Security Groups Modifications by User production
Kusto Creation of expensive computes in Azure available
Elastic GCP Storage Bucket Configuration Modification production
Elastic GCP Virtual Private Cloud Route Creation production
Elastic GCP Virtual Private Cloud Route Deletion production
Kusto Microsoft Entra ID Hybrid Health AD FS New Server available
Kusto Microsoft Entra ID Hybrid Health AD FS Service Delete available
Kusto NRT Creation of expensive computes in Azure available
Kusto NRT Microsoft Entra ID Hybrid Health AD FS New Server available

Modify Cloud Compute Infrastructure: Create Snapshot T1578.001 1 rule

Elastic AWS RDS DB Snapshot Created production building block

Modify Cloud Compute Infrastructure: Create Cloud Instance T1578.002 5 rules

Elastic AWS RDS DB Instance Restored production
Kusto Azure DevOps Agent Pool Created Then Deleted available
Elastic Azure VM Extension Deployment by User production
Splunk Cloud Compute Instance Created With Previously Unseen Instance Type production
Panther Kubernetes Pod Created in System Namespace Experimental

Modify Cloud Compute Infrastructure: Delete Cloud Instance T1578.003 2 rules

Sigma Azure Active Directory Hybrid Health AD FS Service Delete test
Kusto Microsoft Entra ID Hybrid Health AD FS Service Delete available

Modify Cloud Compute Infrastructure: Revert Cloud Instance T1578.004 1 rule

Elastic AWS RDS DB Instance Restored production

Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations T1578.005 15 rules

Elastic AWS EC2 EBS Snapshot Access Removed production
Elastic AWS EC2 Encryption Disabled production
Elastic AWS EC2 Network Access Control List Creation production
Elastic AWS EC2 Route Table Created production
Elastic AWS EC2 Route Table Modified or Deleted production
Elastic AWS EC2 Security Group Configuration Change production
Elastic AWS EC2 Serial Console Access Enabled production
Elastic AWS Lambda Function Policy Updated to Allow Public Invocation production
Elastic AWS Lambda Layer Added to Existing Function production
Elastic AWS RDS DB Instance or Cluster Deletion Protection Disabled production
Elastic Azure Key Vault Modified production
Splunk Cloud Security Groups Modifications by User production
Elastic GCP Storage Bucket Configuration Modification production
Elastic GCP Virtual Private Cloud Route Creation production
Elastic GCP Virtual Private Cloud Route Deletion production

Network Boundary Bridging T1599 6 rules

Panther External Principal Accessing AWS Resources Via VPC Endpoint
Panther Sensitive API Calls Via VPC Endpoint
Kusto VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
Panther VPC DNS Tunneling
Panther VPC Endpoint Access Denied
Sigma WinDivert Driver Load test

Network Boundary Bridging: Network Address Translation Traversal T1599.001 1 rule

Sigma WinDivert Driver Load test

Weaken Encryption T1600 3 rules

YARA-L AWS Application Load Balancer Insecure SSL Policy
YARA-L AWS CloudFront Insecure SSL Policy
Panther Slack Enterprise Key Management Unenrolled

Weaken Encryption: Reduce Key Space T1600.001 2 rules

YARA-L AWS Application Load Balancer Insecure SSL Policy
YARA-L AWS CloudFront Insecure SSL Policy

Modify System Image T1601 2 rules

Splunk ESXi Download Errors production
Elastic Kernel Load or Unload via Kexec Detected production

Modify System Image: Patch System Image T1601.001 2 rules

Splunk ESXi Download Errors production
Elastic Kernel Load or Unload via Kexec Detected production

Plist File Modification T1647 6 rules

Elastic Creation of Hidden Login Item via Apple Script production
Splunk MacOS plutil production
Elastic Modification of Safari Settings via Defaults Command production
Elastic Potential Persistence via Login Hook production
Elastic SoftwareUpdate Preferences Modification production
Elastic Suspicious Apple Mail Rule Plist Modification production

Modify Cloud Resource Hierarchy T1666 1 rule

Panther AWS CloudTrail Attempt To Leave Org

Disable or Modify Tools T1685 359 rules

Splunk Add or Set Windows Defender Exclusion production
Sigma Add SafeBoot Keys Via Reg Utility test
Sigma AMSI Bypass Pattern Assembly GetType test
Sigma AMSI Disabled via Registry Modification experimental
Sigma Antivirus Filter Driver Disallowed On Dev Drive - Registry test
Splunk ASL AWS Defense Evasion Delete Cloudtrail production
Splunk ASL AWS Defense Evasion Delete CloudWatch Log Group production
Splunk ASL AWS Defense Evasion Impair Security Services production
Splunk ASL AWS Defense Evasion PutBucketLifecycle production
Splunk ASL AWS Defense Evasion Stop Logging Cloudtrail production
Splunk ASL AWS Defense Evasion Update Cloudtrail production
Sigma ASLR Disabled Via Sysctl or Direct Syscall - Linux experimental
Sigma Audit Policy Tampering Via Auditpol test
Sigma Audit Policy Tampering Via NT Resource Kit Auditpol test
Sigma Audit Rules Deleted Via Auditctl experimental
Sigma Auditing Configuration Changes on Linux Host test
Splunk AWS Bedrock Delete GuardRails production
Splunk AWS Bedrock Delete Model Invocation Logging Configuration production
Sigma AWS CloudTrail Important Change test
Sigma AWS Config Disabling Channel/Recorder test
Splunk AWS Defense Evasion Delete Cloudtrail production
Splunk AWS Defense Evasion Delete CloudWatch Log Group production
Splunk AWS Defense Evasion Impair Security Services production
Splunk AWS Defense Evasion PutBucketLifecycle production
Splunk AWS Defense Evasion Stop Logging Cloudtrail production
Splunk AWS Defense Evasion Update Cloudtrail production
Sigma AWS GuardDuty Detector Deleted Or Updated experimental
Sigma AWS GuardDuty Important Change test
Sigma AWS SecurityHub Findings Evasion stable
Splunk Azure AD Block User Consent For Risky Apps Disabled production
Sigma Azure Kubernetes Events Deleted test
Sigma Bitbucket Audit Log Configuration Updated test
Sigma Bitbucket Global Secret Scanning Rule Deleted test
Sigma Bitbucket Global SSH Settings Changed test
Sigma Bitbucket Project Secret Scanning Allowlist Added test
Sigma Bitbucket Secret Scanning Exempt Repository Added test
Sigma Bitbucket Secret Scanning Rule Deleted test
Sigma Change Winevt Channel Access Permission Via Registry test
Splunk Cisco ASA - Core Syslog Message Volume Drop production
Splunk Cisco ASA - Logging Disabled via CLI production
Splunk Cisco ASA - Logging Filters Configuration Tampering production
Splunk Cisco ASA - Logging Message Suppression production
Splunk Cisco Configuration Archive Logging Analysis production
Sigma Cisco Disabling Logging test
Sigma Cisco Dot1x Disabled experimental
Splunk Cisco SNMP Community String Configuration Changes production
Sigma Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall experimental
Sigma Devcon Execution Disabling VMware VMCI Device experimental
Sigma Diamond Sleet APT Scheduled Task Creation - Registry test
Splunk Disable AMSI Through Registry production
Splunk Disable Defender AntiVirus Registry production
Splunk Disable Defender BlockAtFirstSeen Feature production
Splunk Disable Defender Enhanced Notification production
Splunk Disable Defender MpEngine Registry production
Splunk Disable Defender Spynet Reporting production
Splunk Disable Defender Submit Samples Consent Feature production
Splunk Disable ETW Through Registry production
Sigma Disable Exploit Guard Network Protection on Windows Defender test
Splunk Disable Logs Using WevtUtil production
Sigma Disable of ETW Trace - Powershell test
Sigma Disable Or Stop Services test
Sigma Disable Privacy Settings Experience in Registry test
Sigma Disable PUA Protection on Windows Defender test
Splunk Disable Registry Tool production
Splunk Disable Schedule Task production
Sigma Disable Security Events Logging Adding Reg Key MiniNt test
Sigma Disable Security Tools test
Splunk Disable Show Hidden Files production
Sigma Disable Tamper Protection on Windows Defender test
Splunk Disable Windows App Hotkeys production
Splunk Disable Windows Behavior Monitoring production
Sigma Disable Windows Defender AV Security Monitoring test
Sigma Disable Windows Defender Functionalities Via Registry Keys test
Sigma Disable Windows Event Logging Via Registry test
Sigma Disable Windows IIS HTTP Logging test
Splunk Disable Windows SmartScreen Protection production
Sigma Disable-WindowsOptionalFeature Command PowerShell test
Sigma Disabled IE Security Features test
Sigma Disabled Volume Snapshots test
Sigma Disabled Windows Defender Eventlog test
Splunk Disabling CMD Application production
Splunk Disabling ControlPanel production
Splunk Disabling Defender Services production
Splunk Disabling Firewall with Netsh production
Splunk Disabling FolderOptions Windows Feature production
Splunk Disabling NoRun Windows App production
Splunk Disabling Task Manager production
Sigma Disabling Windows Defender WMI Autologger Session via Reg.exe experimental
Sigma Dism Remove Online Package test
Sigma Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback test
Splunk ESXi Download Errors production
Splunk ESXi Encryption Settings Modified production
Splunk ESXi Lockdown Mode Disabled production
Splunk ESXi Loghost Config Tampering production
Sigma ESXi Syslog Configuration Change Via ESXCLI test
Splunk ESXi VIB Acceptance Level Tampering production
Sigma ETW Logging Disabled For rpcrt4.dll test
Sigma ETW Logging Disabled For SCM test
Sigma ETW Logging Disabled In .NET Processes - Registry test
Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry test
Sigma ETW Logging Tamper In .NET Processes Via CommandLine test
Sigma ETW Logging/Processing Option Disabled On IIS Server test
Splunk ETW Registry Disabled production
Sigma ETW Trace Evasion Activity test
Sigma Eventlog Cleared test
Sigma EVTX Created In Uncommon Location test
Splunk Excessive number of service control start as disabled production
Splunk Excessive Usage Of Taskkill production
Sigma Filter Driver Unloaded Via Fltmc.EXE test
Sigma Folder Removed From Exploit Guard ProtectedFolders List - Registry test
Sigma Forest Blizzard APT - File Creation Activity test
Sigma Forest Blizzard APT - JavaScript Constrained File Creation test
Sigma FortiGate - Firewall Address Object Added experimental
Sigma FortiGate - New Firewall Policy Added experimental
Splunk GitHub Enterprise Delete Branch Ruleset production
Splunk GitHub Enterprise Disable 2FA Requirement production
Splunk GitHub Enterprise Disable Audit Log Event Stream production
Splunk GitHub Enterprise Disable Classic Branch Protection Rule production
Splunk GitHub Enterprise Disable Dependabot production
Splunk GitHub Enterprise Disable IP Allow List production
Splunk GitHub Enterprise Modify Audit Log Event Stream production
Splunk GitHub Enterprise Pause Audit Log Event Stream production
Splunk GitHub Enterprise Register Self Hosted Runner production
Splunk GitHub Organizations Delete Branch Ruleset production
Splunk GitHub Organizations Disable 2FA Requirement production
Splunk GitHub Organizations Disable Classic Branch Protection Rule production
Splunk GitHub Organizations Disable Dependabot production
Sigma Github Push Protection Bypass Detected test
Sigma Github Push Protection Disabled test
Sigma Github Secret Scanning Feature Disabled test
Sigma Google Cloud Firewall Modified or Deleted test
Sigma HackTool - CobaltStrike BOF Injection Pattern test
Sigma Hacktool - EDR-Freeze Execution experimental
Sigma HackTool - EDRSilencer Execution test
Sigma HackTool - EDRSilencer Execution - Filter Added test
Sigma HackTool - PowerTool Execution test
Sigma HackTool - SharpEvtMute DLL Load test
Sigma HackTool - SharpEvtMute Execution test
Sigma HackTool - Stracciatella Execution test
Sigma HackTool - SysmonEnte Execution test
Sigma Hide Schedule Task Via Index Value Tamper test
Splunk Hide User Account From Sign-In Screen production
Sigma HTTP Logging Disabled On IIS Server test
Sigma Hypervisor Enforced Paging Translation Disabled test
Sigma Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine experimental
Sigma Important Windows Event Auditing Disabled test
Sigma Important Windows Eventlog Cleared test
Sigma Indicator Removal on Host - Clear Mac System Logs test
Sigma Kaspersky Endpoint Security Stopped Via CommandLine - Linux experimental
Splunk Linux Auditd Auditd Daemon Abort production
Splunk Linux Auditd Auditd Daemon Shutdown production
Splunk Linux Auditd Auditd Daemon Start production
Splunk Linux Impair Defenses Process Kill production
Sigma Linux Logs Clearing Attempts stable
Sigma Load Of RstrtMgr.DLL By A Suspicious Process test
Sigma Load Of RstrtMgr.DLL By An Uncommon Process test
Sigma Logging Configuration Changes on Linux Host test
Splunk M365 Copilot Agentic Jailbreak Attack experimental
Splunk M365 Copilot Impersonation Jailbreak Attack experimental
Splunk M365 Copilot Information Extraction Jailbreak Attack experimental
Splunk M365 Copilot Jailbreak Attempts experimental
Splunk M365 Copilot Non Compliant Devices Accessing M365 Copilot production
Sigma Microsoft Defender Tamper Protection Trigger stable
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Sigma Microsoft Malware Protection Engine Crash test
Sigma Microsoft Malware Protection Engine Crash - WER test
Sigma Microsoft Office Protected View Disabled test
Sigma NetNTLM Downgrade Attack test
Sigma NetNTLM Downgrade Attack - Registry test
Sigma New Module Module Added To IIS Server test
Sigma NotPetya Ransomware Activity test
Splunk O365 Advanced Audit Disabled production
Splunk O365 Block User Consent For Risky Apps Disabled production
Splunk O365 Email Security Feature Changed production
Sigma Obfuscated PowerShell OneLiner Execution test
Sigma Okta User Session Start Via An Anonymising Proxy Service test
Sigma Potential AMSI Bypass Script Using NULL Bits test
Sigma Potential AMSI Bypass Using NULL Bits test
Sigma Potential AMSI Bypass Via .NET Reflection test
Sigma Potential AMSI COM Server Hijacking test
Sigma Potential AutoLogger Sessions Tampering test
Sigma Potential EventLog File Location Tampering test
Sigma Potential Ke3chang/TidePool Malware Activity test
Sigma Potential Privileged System Service Operation - SeLoadDriverPrivilege test
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Potential Tampering With Security Products Via WMIC test
Sigma Potential Windows Defender Tampering Via Wmic.EXE test
Sigma Powershell Base64 Encoded MpPreference Cmdlet test
Sigma Powershell Defender Disable Scan Feature test
Sigma Powershell Defender Exclusion test
Sigma PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' experimental
Splunk Powershell Disable Security Monitoring production
Splunk Powershell Remove Windows Defender Directory production
Splunk Powershell Windows Defender Exclusion Commands production
Sigma PPL Tampering Via WerFaultSecure experimental
Sigma Previously Installed IIS Module Was Removed test
Splunk Process Kill Base On File Path production
Sigma PUA - CleanWipe Execution test
Sigma Python Function Execution Security Warning Disabled In Excel test
Sigma Python Function Execution Security Warning Disabled In Excel - Registry test
Sigma Raccine Uninstall test
Sigma RedSun - Named Pipe Created experimental
Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
Sigma Reg Add Suspicious Paths test
Sigma Removal Of AMSI Provider Registry Keys test
Sigma Removal Of Index Value to Hide Schedule Task - Registry test
Sigma Removal Of SD Value to Hide Schedule Task - Registry test
Sigma SafeBoot Registry Key Deleted Via Reg.EXE test
Sigma Scripted Diagnostics Turn Off Check Enabled - Registry test
Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
Sigma Security Eventlog Cleared test
Sigma Security Service Disabled Via Reg.EXE test
Sigma Service Registry Key Deleted Via Reg.EXE test
Sigma Service Startup Type Change Via Wmic.EXE experimental
Sigma Service StartupType Change Via PowerShell Set-Service test
Sigma Service StartupType Change Via Sc.EXE test
Sigma Suspicious Application Allowed Through Exploit Guard test
Sigma Suspicious Eventlog Clear test
Sigma Suspicious Eventlog Clearing or Configuration Change Activity stable
Sigma Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location experimental
Sigma Suspicious Path In Keyboard Layout IME File Registry Value test
Sigma Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze experimental
Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental
Sigma Suspicious PROCEXP152.sys File Created In TMP test
Sigma Suspicious Service Installed test
Sigma Suspicious Svchost Process Access test
Sigma Suspicious Uninstall of Windows Defender Feature via PowerShell experimental
Splunk Suspicious wevtutil Usage production
Sigma Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE test
Sigma Suspicious Windows Defender Registry Key Tampering Via Reg.EXE test
Sigma Suspicious Windows Service Tampering test
Sigma Suspicious Windows Trace ETW Session Tamper Via Logman.EXE test
Sigma Sysinternals PsSuspend Suspicious Execution test
Sigma Syslog Clearing or Removal Via System Utilities test
Sigma Sysmon Application Crashed test
Sigma Sysmon Configuration Update test
Sigma Sysmon Driver Altitude Change test
Sigma Sysmon Driver Unloaded Via Fltmc.EXE test
Sigma Tamper Windows Defender - PSClassic test
Sigma Tamper Windows Defender - ScriptBlockLogging test
Sigma Tamper Windows Defender Remove-MpPreference test
Sigma Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging test
Sigma Tamper With Sophos AV Registry Keys test
Sigma Taskkill Symantec Endpoint Protection test
Sigma Terminate Linux Process Via Kill test
Sigma Uncommon Extension In Keyboard Layout IME File Registry Value test
Sigma Uninstall Crowdstrike Falcon Sensor test
Sigma Uninstall Sysinternals Sysmon test
Splunk Unload Sysmon Filter Driver production
Splunk Unloading AMSI via Reflection production
Sigma Vulnerable Driver Blocklist Registry Tampering Via CommandLine experimental
Sigma WDAC Policy File Creation In CodeIntegrity Folder experimental
Sigma Weak Encryption Enabled and Kerberoast test
Sigma WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze experimental
Sigma WFP Filter Added via Registry experimental
Sigma Win Defender Restored Quarantine File test
Splunk Windows AD Domain Controller Audit Policy Disabled production
Splunk Windows AD GPO Deleted production
Splunk Windows AD GPO Disabled production
Sigma Windows AMSI Related Registry Tampering Via CommandLine experimental
Splunk Windows Attempt To Stop Security Service production
Splunk Windows Audit Policy Auditing Option Disabled via Auditpol production
Splunk Windows Audit Policy Cleared via Auditpol production
Splunk Windows Audit Policy Disabled via Auditpol production
Splunk Windows Audit Policy Disabled via Legacy Auditpol production
Splunk Windows Audit Policy Excluded Category via Auditpol production
Splunk Windows Audit Policy Restored via Auditpol production
Splunk Windows Audit Policy Security Descriptor Tampering via Auditpol production
Splunk Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc production
Splunk Windows Cisco Secure Endpoint Unblock File Via Sfc production
Splunk Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc production
Sigma Windows Credential Guard Disabled - Registry experimental
Sigma Windows Credential Guard Registry Tampering Via CommandLine experimental
Sigma Windows Credential Guard Related Registry Value Deleted - Registry experimental
Splunk Windows CrowdStrike Agent Registry Key Removal production
Splunk Windows Defender ASR or Threat Configuration Tamper production
Sigma Windows Defender Configuration Changes stable
Sigma Windows Defender Context Menu Removed experimental
Sigma Windows Defender Definition Files Removed test
Sigma Windows Defender Exclusion List Modified test
Splunk Windows Defender Exclusion Registry Entry production
Sigma Windows Defender Exclusion Registry Key - Write Access Requested test
Sigma Windows Defender Exclusions Added stable
Sigma Windows Defender Exclusions Added - PowerShell test
Sigma Windows Defender Exclusions Added - Registry test
Sigma Windows Defender Exploit Guard Tamper test
Sigma Windows Defender Grace Period Expired stable
Sigma Windows Defender Malware And PUA Scanning Disabled stable
Sigma Windows Defender Real-time Protection Disabled stable
Sigma Windows Defender Real-Time Protection Failure/Restart stable
Sigma Windows Defender Service Disabled - Registry test
Sigma Windows Defender Submit Sample Feature Disabled stable
Sigma Windows Defender Threat Detection Service Disabled stable
Sigma Windows Defender Threat Severity Default Action Modified experimental
Sigma Windows Defender Virus Scanning Feature Disabled stable
Splunk Windows Disable or Modify Tools Via Taskkill production
Splunk Windows Disable or Stop Browser Process production
Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
Splunk Windows DisableAntiSpyware Registry production
Splunk Windows DISM Remove Defender production
Splunk Windows EDRSilencer Execution production
Sigma Windows Event Auditing Disabled test
Splunk Windows Event For Service Disabled production
Splunk Windows Event Log Cleared production
Splunk Windows Event Logging Service Has Shutdown production
Sigma Windows EventLog Autologger Session Registry Modification Via CommandLine experimental
Splunk Windows Eventlog Cleared Via Wevtutil production
Splunk Windows Excessive Disabled Services Event production
Sigma Windows Filtering Platform Blocked Connection From EDR Agent Binary test
Splunk Windows Filtering Platform Policy Added to Block EDR Process production
Sigma Windows Firewall Disabled via PowerShell test
Splunk Windows Global Object Access Audit List Cleared Via Auditpol production
Sigma Windows Hypervisor Enforced Code Integrity Disabled test
Splunk Windows Impair Defense Add Xml Applocker Rules production
Splunk Windows Impair Defense Change Win Defender Health Check Intervals production
Splunk Windows Impair Defense Change Win Defender Quick Scan Interval production
Splunk Windows Impair Defense Change Win Defender Throttle Rate production
Splunk Windows Impair Defense Change Win Defender Tracing Level production
Splunk Windows Impair Defense Configure App Install Control production
Splunk Windows Impair Defense Define Win Defender Threat Action production
Splunk Windows Impair Defense Delete Win Defender Context Menu production
Splunk Windows Impair Defense Delete Win Defender Profile Registry production
Splunk Windows Impair Defense Deny Security Software With Applocker production
Splunk Windows Impair Defense Disable Controlled Folder Access production
Splunk Windows Impair Defense Disable Defender Firewall And Network production
Splunk Windows Impair Defense Disable Defender Protocol Recognition production
Splunk Windows Impair Defense Disable PUA Protection production
Splunk Windows Impair Defense Disable Realtime Signature Delivery production
Splunk Windows Impair Defense Disable Web Evaluation production
Splunk Windows Impair Defense Disable Win Defender App Guard production
Splunk Windows Impair Defense Disable Win Defender Compute File Hashes production
Splunk Windows Impair Defense Disable Win Defender Gen reports production
Splunk Windows Impair Defense Disable Win Defender Network Protection production
Splunk Windows Impair Defense Disable Win Defender Report Infection production
Splunk Windows Impair Defense Disable Win Defender Scan On Update production
Splunk Windows Impair Defense Disable Win Defender Signature Retirement production
Splunk Windows Impair Defense Overide Win Defender Phishing Filter production
Splunk Windows Impair Defense Override SmartScreen Prompt production
Splunk Windows Impair Defense Set Win Defender Smart Screen Level To Warn production
Splunk Windows Impair Defenses Disable Auto Logger Session production
Splunk Windows Impair Defenses Disable HVCI production
Splunk Windows Impair Defenses Disable Win Defender Auto Logging production
Splunk Windows Important Audit Policy Disabled production
Splunk Windows Increase in Group or Object Modification Activity production
Splunk Windows Increase in User Modification Activity production
Splunk Windows MpCmdRun RemoveDefinitions Execution production
Splunk Windows New Custom Security Descriptor Set On EventLog Channel production
Splunk Windows New EventLog ChannelAccess Registry Value Set production
Splunk Windows Outlook Dialogs Disabled from Unusual Process production
Splunk Windows PowerShell Disable HTTP Logging production
Splunk Windows Powershell Import Applocker Policy production
Splunk Windows Raccine Scheduled Task Deletion production
Splunk Windows Registry Delete Task SD production
Splunk Windows Registry Dotnet ETW Disabled Via ENV Variable production
Splunk Windows Terminating Lsass Process production
Sigma Windows Vulnerable Driver Blocklist Disabled experimental
Splunk Wmic NonInteractive App Uninstallation production
Sigma Write Protect For Storage Disabled test

Disable or Modify Tools: Disable or Modify Windows Event Log T1685.001 41 rules

Sigma Audit Policy Tampering Via Auditpol test
Sigma Audit Policy Tampering Via NT Resource Kit Auditpol test
Sigma Change Winevt Channel Access Permission Via Registry test
Splunk Cisco ASA - Logging Message Suppression production
Sigma Disable Security Events Logging Adding Reg Key MiniNt test
Sigma Disable Windows Event Logging Via Registry test
Sigma Disable Windows IIS HTTP Logging test
Sigma ETW Logging/Processing Option Disabled On IIS Server test
Sigma EVTX Created In Uncommon Location test
Sigma Filter Driver Unloaded Via Fltmc.EXE test
Sigma Forest Blizzard APT - File Creation Activity test
Sigma Forest Blizzard APT - JavaScript Constrained File Creation test
Sigma HackTool - SharpEvtMute DLL Load test
Sigma HackTool - SharpEvtMute Execution test
Sigma HackTool - SysmonEnte Execution test
Sigma HTTP Logging Disabled On IIS Server test
Sigma Important Windows Event Auditing Disabled test
Sigma New Module Module Added To IIS Server test
Sigma Potential AutoLogger Sessions Tampering test
Sigma Potential EventLog File Location Tampering test
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Previously Installed IIS Module Was Removed test
Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
Sigma Suspicious Eventlog Clearing or Configuration Change Activity stable
Sigma Suspicious Svchost Process Access test
Sigma Sysmon Driver Unloaded Via Fltmc.EXE test
Splunk Windows Audit Policy Auditing Option Disabled via Auditpol production
Splunk Windows Audit Policy Cleared via Auditpol production
Splunk Windows Audit Policy Disabled via Auditpol production
Splunk Windows Audit Policy Disabled via Legacy Auditpol production
Splunk Windows Audit Policy Excluded Category via Auditpol production
Splunk Windows Audit Policy Restored via Auditpol production
Splunk Windows Audit Policy Security Descriptor Tampering via Auditpol production
Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
Sigma Windows Event Auditing Disabled test
Sigma Windows EventLog Autologger Session Registry Modification Via CommandLine experimental
Splunk Windows Global Object Access Audit List Cleared Via Auditpol production
Splunk Windows New Custom Security Descriptor Set On EventLog Channel production
Splunk Windows New EventLog ChannelAccess Registry Value Set production
Splunk Windows PowerShell Disable HTTP Logging production

Disable or Modify Tools: Disable or Modify Cloud Log T1685.002 22 rules

Splunk ASL AWS Defense Evasion Delete Cloudtrail production
Splunk ASL AWS Defense Evasion Delete CloudWatch Log Group production
Splunk ASL AWS Defense Evasion Impair Security Services production
Splunk ASL AWS Defense Evasion PutBucketLifecycle production
Splunk ASL AWS Defense Evasion Stop Logging Cloudtrail production
Splunk ASL AWS Defense Evasion Update Cloudtrail production
Splunk AWS Bedrock Delete GuardRails production
Splunk AWS Bedrock Delete Model Invocation Logging Configuration production
Sigma AWS CloudTrail Important Change test
Sigma AWS Config Disabling Channel/Recorder test
Splunk AWS Defense Evasion Delete Cloudtrail production
Splunk AWS Defense Evasion Delete CloudWatch Log Group production
Splunk AWS Defense Evasion Impair Security Services production
Splunk AWS Defense Evasion PutBucketLifecycle production
Splunk AWS Defense Evasion Stop Logging Cloudtrail production
Splunk AWS Defense Evasion Update Cloudtrail production
Sigma AWS GuardDuty Detector Deleted Or Updated experimental
Splunk GitHub Enterprise Disable Audit Log Event Stream production
Splunk GitHub Enterprise Modify Audit Log Event Stream production
Splunk GitHub Enterprise Pause Audit Log Event Stream production
Splunk O365 Advanced Audit Disabled production
Splunk O365 Email Security Feature Changed production

Disable or Modify Tools: Disable or Modify Linux Audit System Log T1685.004 4 rules

Sigma Audit Rules Deleted Via Auditctl experimental
Splunk Linux Auditd Auditd Daemon Abort production
Splunk Linux Auditd Auditd Daemon Shutdown production
Splunk Linux Auditd Auditd Daemon Start production

Disable or Modify Tools: Clear Windows Event Logs T1685.005 12 rules

Splunk Disable Logs Using WevtUtil production
Sigma Eventlog Cleared test
Sigma Important Windows Eventlog Cleared test
Sigma NotPetya Ransomware Activity test
Sigma Security Eventlog Cleared test
Sigma Suspicious Eventlog Clear test
Sigma Suspicious Eventlog Clearing or Configuration Change Activity stable
Splunk Suspicious wevtutil Usage production
Sigma Suspicious Windows Trace ETW Session Tamper Via Logman.EXE test
Splunk Windows Event Log Cleared production
Splunk Windows Event Logging Service Has Shutdown production
Splunk Windows Eventlog Cleared Via Wevtutil production

Disable or Modify Tools: Clear Linux or Mac System Logs T1685.006 4 rules

Sigma Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall experimental
Sigma Indicator Removal on Host - Clear Mac System Logs test
Sigma Linux Logs Clearing Attempts stable
Sigma Syslog Clearing or Removal Via System Utilities test

Disable or Modify System Firewall T1686 50 rules

Sigma A Rule Has Been Deleted From The Windows Firewall Exception List test
Sigma All Rules Have Been Deleted From The Windows Firewall Configuration test
Splunk Allow File And Printing Sharing In Firewall production
Splunk Allow Network Discovery In Firewall production
Splunk ASL AWS Network Access Control List Created with All Open Ports production
Splunk ASL AWS Network Access Control List Deleted production
Splunk AWS Network Access Control List Created with All Open Ports production
Splunk AWS Network Access Control List Deleted production
Sigma Azure Firewall Modified or Deleted test
Sigma Azure Firewall Rule Collection Modified or Deleted test
Sigma Azure Network Firewall Policy Modified or Deleted test
Sigma Bpfdoor TCP Ports Redirect test
Sigma Disable Microsoft Defender Firewall via Registry test
Sigma Disable System Firewall test
Sigma Disable Windows Firewall by Registry test
Sigma Disabling Security Tools test
Sigma Disabling Security Tools - Builtin test
Splunk ESXi Firewall Disabled production
Splunk Firewall Allowed Program Enable production
Sigma Firewall Disabled via Netsh.EXE test
Sigma Firewall Rule Deleted Via Netsh.EXE test
Sigma Firewall Rule Modified In The Windows Firewall Exception List test
Sigma Flush Iptables Ufw Chain test
Splunk Linux Auditd Disable Or Modify System Firewall production
Splunk Linux Iptables Firewall Modification production
Splunk Linux Stdout Redirection To Dev Null File production
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Sigma Modify System Firewall test
Sigma Netsh Allow Group Policy on Microsoft Defender Firewall test
Sigma New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application test
Sigma New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE test
Sigma New Firewall Rule Added Via Netsh.EXE test
Sigma New Network ACL Entry Added test
Sigma New Network Route Added test
Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet test
Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock test
Splunk O365 Bypass MFA via Trusted IP production
Sigma RDP Connection Allowed Via Netsh.EXE test
Sigma Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE test
Sigma The Windows Defender Firewall Service Failed To Load Group Policy test
Sigma UFW Disable Attempt test
Sigma Uncommon New Firewall Rule Added In Windows Firewall Exception List test
Sigma Windows Defender Firewall Has Been Reset To Its Default Configuration test
Splunk Windows Delete or Modify System Firewall production
Sigma Windows Firewall Profile Disabled test
Splunk Windows Firewall Rule Added production
Splunk Windows Firewall Rule Deletion production
Splunk Windows Firewall Rule Modification production
Sigma Windows Firewall Settings Have Been Changed test
Splunk Windows Modify System Firewall with Notable Process Path production

Disable or Modify System Firewall: Cloud Firewall T1686.001 12 rules

Splunk Allow File And Printing Sharing In Firewall production
Splunk Allow Network Discovery In Firewall production
Splunk ASL AWS Network Access Control List Created with All Open Ports production
Splunk ASL AWS Network Access Control List Deleted production
Splunk AWS Network Access Control List Created with All Open Ports production
Splunk AWS Network Access Control List Deleted production
Sigma Azure Firewall Modified or Deleted test
Sigma Azure Firewall Rule Collection Modified or Deleted test
Sigma Azure Network Firewall Policy Modified or Deleted test
Sigma New Network ACL Entry Added test
Sigma New Network Route Added test
Splunk O365 Bypass MFA via Trusted IP production

Disable or Modify System Firewall: Windows Host Firewall T1686.003 20 rules

Sigma A Rule Has Been Deleted From The Windows Firewall Exception List test
Sigma All Rules Have Been Deleted From The Windows Firewall Configuration test
Sigma Disable Microsoft Defender Firewall via Registry test
Sigma Disable Windows Firewall by Registry test
Sigma Firewall Disabled via Netsh.EXE test
Sigma Firewall Rule Deleted Via Netsh.EXE test
Sigma Firewall Rule Modified In The Windows Firewall Exception List test
Sigma Netsh Allow Group Policy on Microsoft Defender Firewall test
Sigma New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application test
Sigma New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE test
Sigma New Firewall Rule Added Via Netsh.EXE test
Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet test
Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock test
Sigma RDP Connection Allowed Via Netsh.EXE test
Sigma Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE test
Sigma The Windows Defender Firewall Service Failed To Load Group Policy test
Sigma Uncommon New Firewall Rule Added In Windows Firewall Exception List test
Sigma Windows Defender Firewall Has Been Reset To Its Default Configuration test
Sigma Windows Firewall Profile Disabled test
Sigma Windows Firewall Settings Have Been Changed test

Safe Mode Boot T1688 1 rule

Splunk Windows EFI Volume Mount Attempt Via Mountvol production

Downgrade Attack T1689 2 rules

Sigma LSA PPL Protection Setting Modification via CommandLine test
Splunk Windows Downdate Registry Activity production

Prevent Command History Logging T1690 3 rules

Splunk ESXi Audit Tampering production
Splunk ESXi Syslog Config Change production
Sigma ESXi Syslog Configuration Change Via ESXCLI test

No specific technique 26 rules

Sigma Amsi.DLL Loaded Via LOLBIN Process test
Sigma Delete Defender Scan ShellEx Context Menu Registry Key experimental
Sigma Deployment Of The AppX Package Was Blocked By The Policy test
Sigma Disable Macro Runtime Scan Scope test
Sigma DumpStack.log Defender Evasion test
Sigma Firewall Rule Update Via Netsh.EXE test
Sigma GitHub Repository Archive Status Changed experimental
Sigma Internet Explorer DisableFirstRunCustomize Enabled test
Sigma MSSQL Disable Audit Settings test
Sigma NtdllPipe Like Activity Execution test
Sigma Potential Attachment Manager Settings Associations Tamper test
Sigma Potential Attachment Manager Settings Attachments Tamper test
Sigma Potential Persistence Via Security Descriptors - ScriptBlock test
Sigma Potential PowerShell Execution Policy Tampering test
Sigma Potential PowerShell Execution Policy Tampering - ProcCreation test
Sigma Potentially Suspicious Call To Win32_NTEventlogFile Class test
Sigma Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript test
Sigma Potentially Suspicious WDAC Policy File Creation experimental
Sigma PowerShell Write-EventLog Usage test
Sigma ScreenConnect User Database Modification - Security test
Sigma Sysmon Blocked Executable test
Sigma Sysmon Blocked File Shredding test
Sigma Sysmon Configuration Change test
Sigma Sysmon File Executable Creation Detected test
Sigma Windows Defender Malware Detection History Deletion test
Sigma Winget Admin Settings Modification test

Credential Access

OS Credential Dumping T1003 389 rules

Splunk Access LSASS Memory for Dump Creation production
Elastic Access to a Sensitive LDAP Attribute production
Sigma Active Directory Replication from Non Machine Account test
Splunk ADExplorer Execution (Sysmon)
Splunk ADExplorer Execution (Windows Event Log)
Splunk ADExplorer Snapshot Creation (Sysmon)
Splunk ADExplorer Snapshot Creation (Windows Event Log)
Kusto Alsid DCSync available
Kusto Alsid LSASS Memory available
Sigma Antivirus Password Dumper Detection stable
Sigma APT31 Judgement Panda Activity test
Splunk Attacker Tools On Endpoint production
Splunk Azure AD Privileged Authentication Administrator Role Assigned production
Splunk Azure AD Privileged Graph API Permission Assigned production
Kusto Azure Key Vault access TimeSeries anomaly available
Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
Splunk Browser Credential File Accessed - Windows (Windows Event Log)
Sigma Capture Credentials with Rpcping.exe test
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
Splunk Command Line lsass request (PowerShell)
Splunk Command Line lsass request (Sysmon)
Splunk Command Line lsass request (Windows Event Log)
Splunk Common LSASS Memory Dump Behavior (Windows Event Log)
Splunk comsvcs.dll Lsass Memory Dump (Sysmon)
Splunk comsvcs.dll Lsass Memory Dump (Windows Event Log)
Sigma Copying Sensitive Files with Credential Data test
Sigma Crash Dump Created By Operating System experimental
Splunk Create Remote Thread into LSASS production
Sigma Create Volume Shadow Copy with Powershell test
Sigma CreateDump Process Dump test
YARA-L CreateDump Process Dump
Splunk Creation of lsass Dump with Taskmgr production
Splunk Creation of Shadow Copy production
Splunk Creation of Shadow Copy with wmic and powershell production
Elastic Creation or Modification of Domain Backup DPAPI private key production
Sigma Cred Dump Tools Dropped Files test
YARA-L Cred Dump Tools Dropped Files
Elastic Credential Access via TruffleHog Execution production
Elastic Credential Acquisition via Registry Hive Dumping production
Elastic Credential Dumping - Detected - Elastic Endgame production
Elastic Credential Dumping - Prevented - Elastic Endgame production
Sigma Credential Dumping Activity By Python Based Tool stable
Sigma Credential Dumping Attempt Via WerFault test
YARA-L Credential Dumping Attempt Via WerFault
Kusto Credential Dumping Tools - File Artifacts available
Kusto Credential Dumping Tools - Service Installation available
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Splunk Credential Dumping via Copy Command from Shadow Copy production
Splunk Credential Dumping via Symlink to Shadow Copy production
Sigma Critical Hive In Suspicious Location Access Bits Cleared test
Panther Crowdstrike Credential Dumping Tool
Sigma Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process test
Splunk Detect Copy of ShadowCopy with Script Block Logging production
Splunk Detect Credential Dumping through LSASS access production
Splunk Detect Mimikatz With PowerShell Script Block Logging production
Kusto Dev-0228 File Path Hashes November 2021
Kusto Dev-0228 File Path Hashes November 2021 (ASIM Version)
Elastic Disabling Lsa Protection via Registry Modification production
Sigma Diskshadow command abuse to expose VSS backup experimental
Kusto DopplePaymer Procdump available
Sigma DPAPI Domain Backup Key Extraction test
Sigma DPAPI Domain Master Key Backup Attempt test
Splunk Dump File Identified (PowerShell)
Splunk Dump File Identified (Sysmon)
Splunk Dump File Identified (Windows Event Log)
Splunk Dump LSASS via comsvcs DLL production
Splunk Dump LSASS via procdump production
Kusto DumpGuard NTLM challenge detected
Elastic Dumping Account Hashes via Built-In Commands production
Kusto Dumping LSASS Process Into a File available
Sigma Dumping of Sensitive Hives Via Reg.EXE test
Sigma Dumping Process via Sqldumper.exe test
Sigma DumpMinitool Execution test
Splunk Enable WDigest UseLogonCredential Registry production
Splunk Esentutl Execution (PowerShell)
Splunk Esentutl Execution (Sysmon)
Splunk Esentutl Execution (Windows Event Log)
Sigma Esentutl Gather Credentials test
Splunk Esentutl SAM Copy production
Sigma Esentutl Volume Shadow Copy Service Keys test
Splunk ESXi Sensitive Files Accessed production
Kusto Europium - Hash and IP IOCs - September 2022
Splunk Excessive DRSGetNCChanges Requests (Windows Event Log)
Sigma Exchange group membership change to perform DCsync attack experimental
Sigma File Access Of Signal Desktop Sensitive Data experimental
Elastic First Time Seen Account Performing DCSync production
Elastic Full User-Mode Dumps Enabled System-Wide production
Panther GAIA GCPW Credential Theft Attack Chain
Sigma Group Managed Service Accounts password dump - GoldenGMSA experimental
Sigma HackTool - CrackMapExec File Indicators test
Sigma HackTool - CrackMapExec Process Patterns test
Sigma HackTool - CreateMiniDump Execution test
Sigma HackTool - Credential Dumping Tools Named Pipe Created test
Sigma HackTool - Doppelanger LSASS Dumper Execution experimental
Sigma HackTool - Dumpert Process Dumper Default File test
YARA-L HackTool - Dumpert Process Dumper Default File
Sigma HackTool - Dumpert Process Dumper Execution test
YARA-L HackTool - Dumpert Process Dumper Execution
Sigma HackTool - Generic Process Access test
YARA-L HackTool - Generic Process Access
Sigma HackTool - HandleKatz Duplicating LSASS Handle test
Sigma HackTool - HandleKatz LSASS Dumper Execution test
Sigma HackTool - Impacket File Indicators experimental
Sigma HackTool - Inveigh Execution test
Sigma HackTool - Mimikatz Execution test
YARA-L HackTool - Mimikatz Execution
Sigma HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump test
Sigma HackTool - Pypykatz Credentials Dumping Activity test
Sigma HackTool - Quarks PwDump Execution test
Sigma HackTool - QuarksPwDump Dump File test
Sigma HackTool - Rubeus Execution stable
Sigma HackTool - Rubeus Execution - ScriptBlock test
Sigma HackTool - SafetyKatz Dump Indicator test
Sigma HackTool - SafetyKatz Execution test
Sigma HackTool - Windows Credential Editor (WCE) Execution test
Sigma HackTool - WSASS Execution experimental
Sigma HackTool - XORDump Execution test
Sigma Hacktool Execution - Imphash test
Sigma Hacktool Execution - PE Metadata test
Kusto High severity malicious activity detected available
Sigma IFM creation detected from commandline (installation from media) experimental
Sigma IFM detected - ESENT (installation from media) experimental
Sigma IIS Application Pool credential dumping experimental
Sigma Interesting Service Enumeration Via Sc.EXE test
Sigma Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) test
Elastic Kerberos Cached Credentials Dumping production
Sigma Kerberos key list attack for credential dumping experimental
Elastic Kirbi File Creation production
Kusto LaZagne Credential Theft available
Splunk Linux Auditd Possible Access To Credential Files production
Elastic Linux init (PID 1) Secret Dump via GDB production
Sigma Linux Keylogging with Pam.d test
Splunk Linux Possible Access To Credential Files production
Elastic Linux Process Hooking via GDB production
Sigma Live Memory Dump Using Powershell test
Sigma Loaded Module Enumeration Via Tasklist.EXE test
Sigma LSASS Access Detected via Attack Surface Reduction test
Sigma LSASS Access From Non System Account test
Sigma LSASS Access From Potentially White-Listed Processes test
Sigma LSASS Access From Program In Potentially Suspicious Folder test
Sigma LSASS credential dump with LSASSY (admin share) experimental
Sigma LSASS credential dump with LSASSY (kernel access) experimental
Sigma LSASS credential dump with LSASSY (PowerShell) experimental
Sigma LSASS credential dump with LSASSY (process) experimental
Kusto LSASS Credential Dumping with Procdump available
Sigma LSASS credentials dump via Task Manager (file) experimental
Sigma LSASS Dump Keyword In CommandLine test
YARA-L LSASS Dump Keyword In CommandLine
Sigma LSASS dump via process access experimental
Kusto LSASS Dumping using Debug Privileges
Sigma Lsass Full Dump Request Via DumpType Registry Settings test
Splunk LSASS Handle request (Windows Event Log)
Sigma LSASS Memory Access by Tool With Dump Keyword In Name test
YARA-L LSASS Memory Access by Tool With Dump Keyword In Name
Elastic LSASS Memory Dump Creation production
Elastic LSASS Memory Dump Handle Access production
Sigma Lsass Memory Dump via Comsvcs DLL test
YARA-L Lsass Memory Dump via Comsvcs DLL
Elastic LSASS Process Access via Windows API production
Sigma LSASS Process Crashed - Application experimental
Sigma LSASS Process Dump Artefact In CrashDumps Folder test
Sigma LSASS process dump by a non system account experimental
Sigma LSASS Process Memory Dump Creation Via Taskmgr.EXE test
YARA-L LSASS Process Memory Dump Creation Via Taskmgr.exe
Sigma LSASS Process Memory Dump Files test
YARA-L LSASS Process Memory Dump Files
Elastic Manual Memory Dumping via Proc Filesystem production
Kusto Mass secret retrieval from Azure Key Vault available
Elastic Memory Dump File with Unusual Extension production building block
Sigma Microsoft IIS Connection Strings Decryption test
Elastic Microsoft IIS Connection Strings Decryption production
Sigma Microsoft IIS Service Account Password Dumped test
Elastic Microsoft IIS Service Account Password Dumped production
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma Mimikatz DC Sync test
Splunk Mimikatz Execution (Windows Event Log)
Sigma Mimikatz malicious Security package (SSP) exfiltrates cleartext passwords in file experimental
Elastic Mimikatz Memssp Log File Detected production
Sigma Mimikatz Use test
YARA-L MITRE ATT&CK T1003 RW Mimikatz
YARA-L MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit
YARA-L MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
Elastic Modification of WDigest Security Provider production
Splunk MultiDump.exe Execution (Sysmon)
Splunk MultiDump.exe Execution (Windows Event Log)
Elastic Multiple Vault Web Credentials Read production
Sigma NetSYnc attack experimental
Sigma New Generic Credentials Added Via Cmdkey.EXE test
Kusto Non Domain Controller Active Directory Replication available
Sigma NotPetya Ransomware Activity test
Elastic NTDS Dump via Wbadmin production
Sigma NTDS Exfiltration Filename Patterns test
Elastic NTDS or SAM Database File Copied production
Splunk ntds.dit Access from Unexpected Location (Sysmon)
Splunk ntds.dit Access from Unexpected Location (Windows Event Log)
Splunk ntds.dit Command Line (PowerShell)
Splunk ntds.dit Command Line (Sysmon)
Splunk ntds.dit Command Line (Windows Event Log)
Sigma NTDS.DIT Created test
Sigma NTDS.DIT Creation By Uncommon Parent Process test
Sigma NTDS.DIT Creation By Uncommon Process test
Sigma Ntdsutil Abuse test
Splunk Ntdsutil Export NTDS production
Splunk NTDSUtil.exe execution (Sysmon)
Splunk NTDSUtil.exe execution (Windows Event Log)
Splunk O365 Privileged Graph API Permission Assigned production
Sigma OpenCanary - MSSQL Login Attempt Via SQLAuth test
Sigma OpenCanary - MSSQL Login Attempt Via Windows Authentication test
Sigma OpenCanary - MySQL Login Attempt test
Sigma OpenCanary - REDIS Action Command Attempt test
Sigma Password Dumper Activity on LSASS test
Sigma Password Dumper Remote Thread in LSASS stable
Splunk PetitPotam Suspicious Kerberos TGT Request production
Splunk Possible Credential Dumping via Windows Network Providers (PowerShell)
Splunk Possible Credential Dumping via Windows Network Providers (Windows Event Log)
Sigma Possible Impacket SecretDump Remote Activity test
Sigma Possible Impacket SecretDump Remote Activity - Zeek test
Elastic Potential Active Directory Replication Account Backdoor production
Sigma Potential Adplus.EXE Abuse test
Elastic Potential Credential Access via DCSync production
Elastic Potential Credential Access via DuplicateHandle in LSASS production
Elastic Potential Credential Access via LSASS Memory Dump production
Elastic Potential Credential Access via Memory Dump File Creation production building block
Elastic Potential Credential Access via Renamed COM+ Services DLL production
Elastic Potential Credential Access via Trusted Developer Utility production
Elastic Potential Credential Access via Windows Utilities production
Sigma Potential Credential Dumping Activity Via LSASS test
YARA-L Potential Credential Dumping Activity Via LSASS
Sigma Potential Credential Dumping Attempt Using New NetworkProvider - CLI test
Sigma Potential Credential Dumping Attempt Using New NetworkProvider - REG test
Sigma Potential Credential Dumping Attempt Via PowerShell test
Sigma Potential Credential Dumping Attempt Via PowerShell Remote Thread test
Splunk Potential Credential Dumping of LSASS (Windows Event Log)
Sigma Potential Credential Dumping Via LSASS Process Clone test
Sigma Potential Credential Dumping Via LSASS SilentProcessExit Technique test
YARA-L Potential Credential Dumping Via LSASS SilentProcessExit Technique
Sigma Potential Credential Dumping Via WER test
Splunk Potential DCSync (Windows Event Log)
Sigma Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 experimental
Sigma Potential Invoke-Mimikatz PowerShell Script test
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential Linux Credential Dumping via Proc Filesystem production
Elastic Potential Linux Credential Dumping via Unshadow production
Elastic Potential LSASS Clone Creation via PssCaptureSnapShot production
Elastic Potential LSASS Memory Dump via PssCaptureSnapShot production
Sigma Potential LSASS Process Dump Via Procdump stable
YARA-L potential lsass process dump via procdump
Splunk Potential nanodump execution (Windows Event Log)
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential Privilege Escalation via Linux DAC permissions production
Sigma Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE test
Elastic Potential Remote Credential Access via Registry production
Sigma Potential Russian APT Credential Theft Activity stable
Sigma Potential SAM Database Dump test
Sigma Potential SAM database user credentials dumped with DCshadow experimental
Elastic Potential Secret Scanning via Gitleaks production
Elastic Potential Shadow File Read via Command Line Utilities production
Elastic Potential Suspicious File Edit production
Sigma Potential SysInternals ProcDump Evasion test
Elastic Potential Unauthorized Access via Wildcard Injection Detected production
Elastic Potential Veeam Credential Access Command production
Sigma Potential Windows Defender AV Bypass Via Dump64.EXE Rename test
Sigma Potentially Suspicious AccessMask Requested From LSASS test
Sigma Potentially Suspicious GrantedAccess Flags On LSASS test
Sigma Potentially Suspicious ODBC Driver Registered test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Get-Process LSASS in ScriptBlock test
Elastic PowerShell Invoke-NinjaCopy script production
Elastic PowerShell Kerberos Ticket Dump production
Elastic PowerShell MiniDump Script production
Sigma PowerShell SAM Copy test
Elastic PowerShell Script with Veeam Credential Access Capabilities production
Sigma PPL Tampering Via WerFaultSecure experimental
Splunk ProcDump Credential Harvest (Sysmon)
Splunk ProcDump Credential Harvest (Windows Event Log)
Sigma Procdump Execution test
Sigma Process Access via TrolleyExpress Exclusion test
Sigma Process Memory Dump Via Comsvcs.DLL test
YARA-L Process Memory Dump Via Comsvcs.DLL
Sigma Process Memory Dump via RdrLeakDiag.EXE test
YARA-L Process Memory Dump via RdrLeakDiag.exe
Kusto PRT Credential Stealing
Sigma PUA - AWS TruffleHog Execution experimental
Sigma PUA - DIT Snapshot Viewer test
Sigma PUA - Memory Dump Mount Via MemProcFS experimental
Splunk pypykatz commands (Windows Event Log)
Kusto Rare subscription-level operations in Azure available
Sigma Rare Subscription-level Operations In Azure test
Splunk RdrLeakDiag.exe Memory Dump (PowerShell)
Splunk RdrLeakDiag.exe Memory Dump (Sysmon)
Splunk RdrLeakDiag.exe Memory Dump (Windows Event Log)
Sigma Remote LSASS Process Access Through Windows Remote Management stable
Sigma Renamed CreateDump Utility Execution test
YARA-L Renamed CreateDump Utility Execution
Sigma Replication privileges accessed to perform DCSync attack experimental
Splunk SAM Database File Access Attempt production
Sigma SAM database user credentials dump with Mimikatz experimental
Splunk SAM, System, Security Files Accessed (Windows Event Log)
Elastic Searching for Saved Credentials via VaultCmd production
Sigma Secretdump password dumping via SMB admin share experimental
Splunk SecretDumps Offline NTDS Dumping Tool production
Splunk SecretsDump Credential Harvest (Windows Event Log)
Elastic Segfault from Sensitive Process Detected production
Sigma Sensitive File Dump Via Print.EXE test
Sigma Sensitive File Dump Via Wbadmin.EXE test
Sigma Sensitive File Recovery From Backup Via Wbadmin.EXE test
Elastic Sensitive Registry Hive Access via RegBack production
Sigma Shadow Copies Creation Using Operating Systems Utilities test
Splunk Shadow Copy Created (Windows Event Log)
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Suspicious /proc/maps Discovery production
Sigma Suspicious DumpMinitool Execution test
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution via Windows Subsystem for Linux production
Sigma Suspicious Get-ADDBAccount Usage test
Sigma Suspicious Get-ADReplAccount test
Sigma Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location experimental
Sigma Suspicious LSASS Access Via MalSecLogon test
Elastic Suspicious LSASS Access via MalSecLogon production
Elastic Suspicious Lsass Process Access production
Elastic Suspicious Module Loaded by LSASS production
Splunk Suspicious ntds.dit Commands (PowerShell)
Splunk Suspicious ntds.dit Commands (Sysmon)
Splunk Suspicious ntds.dit Commands (Windows Event Log)
Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental
Sigma Suspicious Process Patterns NTDS.DIT Exfil test
Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
Sigma Suspicious Renamed Comsvcs DLL Loaded By Rundll32 test
Kusto Suspicious SPN logon from workstation (DumpGuard)
Elastic Suspicious Symbolic Link Created production
Sigma Suspicious SYSTEM User Process Creation test
Sigma Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded test
Sigma Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) test
Elastic Symbolic Link to Shadow Copy Created production
Sigma Task Manager access indicator for potential LSASS dump experimental
Splunk Task Manager lsass Dump (Windows Event Log)
Sigma Task Manager used for LSASS dump (kernel) experimental
Kusto Tenable.ad DCSync
Kusto Tenable.ad LSASS Memory
Kusto TIE DCSync
Kusto TIE LSASS Memory
Sigma Time Travel Debugging Utility Usage test
Sigma Time Travel Debugging Utility Usage - Image test
Sigma Transferring Files with Credential Data via Network Shares test
Sigma Transferring Files with Credential Data via Network Shares - Zeek test
Sigma Uncommon GrantedAccess Flags On LSASS test
Sigma Unsigned Image Loaded Into LSASS Process test
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available
Elastic Veeam Backup Library Loaded by Unusual Process production
Sigma Volume Shadow Copy Mount test
Sigma VolumeShadowCopy Symlink Creation Via Mklink stable
Sigma VSSAudit Security Event Source Registration test
Sigma WCE wceaux.dll Access test
Sigma Wdigest authentication enabled (Reg via command) experimental
Sigma Wdigest authentication enabled (registry) experimental
Kusto WDigest downgrade attack available
Splunk WDigest Forced Credential Caching (PowerShell)
Splunk WDigest Forced Credential Caching (Sysmon)
Splunk WDigest Forced Credential Caching (Windows Event Log)
Elastic Web Server Potential Command Injection Request production
Sigma WerFault LSASS Process Memory Dump test
Splunk Windows AD Replication Request Initiated by User Account production
Splunk Windows AD Replication Request Initiated from Unsanctioned Location production
Splunk Windows AD Replication Service Traffic experimental
Splunk Windows Cached Domain Credentials Reg Query production
Splunk Windows Credential Dumping LSASS Memory Createdump production
Panther Windows Credential Dumping Tool
Sigma Windows Credential Editor Registry test
Splunk Windows Hunting System Account Targeting Lsass production
Splunk Windows LAPS Password Gathering Via PowerShell Script production
Splunk Windows LSA Secrets NoLMhash Registry production
Splunk Windows Mimikatz Binary Execution production
Splunk Windows Non-System Account Targeting Lsass production
Splunk Windows Possible Credential Dumping production
Splunk Windows Post Exploitation Risk Behavior production
Splunk Windows Rapid Authentication On Multiple Hosts production
Elastic Windows Registry File Creation in SMB Share production
Splunk Windows Remote Access Software BRC4 Loaded Dll production
Splunk Windows Sensitive Registry Hive Dump Via CommandLine production
Elastic Wireless Credential Dumping using Netsh Command production

OS Credential Dumping: LSASS Memory T1003.001 168 rules

Splunk Access LSASS Memory for Dump Creation production
Kusto Alsid LSASS Memory available
Sigma Antivirus Password Dumper Detection stable
Sigma APT31 Judgement Panda Activity test
Splunk Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
Splunk Common LSASS Memory Dump Behavior (Windows Event Log)
Splunk comsvcs.dll Lsass Memory Dump (Sysmon)
Splunk comsvcs.dll Lsass Memory Dump (Windows Event Log)
Splunk Create Remote Thread into LSASS production
Sigma CreateDump Process Dump test
YARA-L CreateDump Process Dump
Splunk Creation of lsass Dump with Taskmgr production
Sigma Cred Dump Tools Dropped Files test
YARA-L Cred Dump Tools Dropped Files
Elastic Credential Dumping - Detected - Elastic Endgame production
Elastic Credential Dumping - Prevented - Elastic Endgame production
Sigma Credential Dumping Activity By Python Based Tool stable
Sigma Credential Dumping Attempt Via WerFault test
YARA-L Credential Dumping Attempt Via WerFault
Kusto Credential Dumping Tools - File Artifacts available
Kusto Credential Dumping Tools - Service Installation available
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Panther Crowdstrike Credential Dumping Tool
Sigma Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process test
Splunk Detect Credential Dumping through LSASS access production
Elastic Disabling Lsa Protection via Registry Modification production
Splunk Dump LSASS via comsvcs DLL production
Splunk Dump LSASS via procdump production
Kusto Dumping LSASS Process Into a File available
Sigma Dumping Process via Sqldumper.exe test
Sigma DumpMinitool Execution test
Elastic Full User-Mode Dumps Enabled System-Wide production
Panther GAIA GCPW Credential Theft Attack Chain
Sigma HackTool - CrackMapExec File Indicators test
Sigma HackTool - CrackMapExec Process Patterns test
Sigma HackTool - CreateMiniDump Execution test
Sigma HackTool - Credential Dumping Tools Named Pipe Created test
Sigma HackTool - Doppelanger LSASS Dumper Execution experimental
Sigma HackTool - Dumpert Process Dumper Default File test
YARA-L HackTool - Dumpert Process Dumper Default File
Sigma HackTool - Dumpert Process Dumper Execution test
YARA-L HackTool - Dumpert Process Dumper Execution
Sigma HackTool - Generic Process Access test
YARA-L HackTool - Generic Process Access
Sigma HackTool - HandleKatz Duplicating LSASS Handle test
Sigma HackTool - HandleKatz LSASS Dumper Execution test
Sigma HackTool - Impacket File Indicators experimental
Sigma HackTool - Inveigh Execution test
Sigma HackTool - Mimikatz Execution test
YARA-L HackTool - Mimikatz Execution
Sigma HackTool - SafetyKatz Dump Indicator test
Sigma HackTool - SafetyKatz Execution test
Sigma HackTool - Windows Credential Editor (WCE) Execution test
Sigma HackTool - WSASS Execution experimental
Sigma HackTool - XORDump Execution test
Sigma LSASS Access Detected via Attack Surface Reduction test
Sigma LSASS Access From Non System Account test
Sigma LSASS Access From Potentially White-Listed Processes test
Sigma LSASS Access From Program In Potentially Suspicious Folder test
Sigma LSASS credential dump with LSASSY (admin share) experimental
Sigma LSASS credential dump with LSASSY (kernel access) experimental
Sigma LSASS credential dump with LSASSY (PowerShell) experimental
Sigma LSASS credential dump with LSASSY (process) experimental
Sigma LSASS credentials dump via Task Manager (file) experimental
Sigma LSASS Dump Keyword In CommandLine test
YARA-L LSASS Dump Keyword In CommandLine
Sigma LSASS dump via process access experimental
Kusto LSASS Dumping using Debug Privileges
Sigma Lsass Full Dump Request Via DumpType Registry Settings test
Splunk LSASS Handle request (Windows Event Log)
Sigma LSASS Memory Access by Tool With Dump Keyword In Name test
YARA-L LSASS Memory Access by Tool With Dump Keyword In Name
Elastic LSASS Memory Dump Creation production
Elastic LSASS Memory Dump Handle Access production
Sigma Lsass Memory Dump via Comsvcs DLL test
YARA-L Lsass Memory Dump via Comsvcs DLL
Elastic LSASS Process Access via Windows API production
Sigma LSASS Process Crashed - Application experimental
Sigma LSASS Process Dump Artefact In CrashDumps Folder test
Sigma LSASS process dump by a non system account experimental
Sigma LSASS Process Memory Dump Creation Via Taskmgr.EXE test
YARA-L LSASS Process Memory Dump Creation Via Taskmgr.exe
Sigma LSASS Process Memory Dump Files test
YARA-L LSASS Process Memory Dump Files
Elastic Memory Dump File with Unusual Extension production building block
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma Mimikatz Use test
Elastic Modification of WDigest Security Provider production
Splunk MultiDump.exe Execution (Sysmon)
Splunk MultiDump.exe Execution (Windows Event Log)
Sigma NotPetya Ransomware Activity test
Sigma Password Dumper Activity on LSASS test
Sigma Password Dumper Remote Thread in LSASS stable
Sigma Potential Adplus.EXE Abuse test
Elastic Potential Credential Access via DuplicateHandle in LSASS production
Elastic Potential Credential Access via LSASS Memory Dump production
Elastic Potential Credential Access via Memory Dump File Creation production building block
Elastic Potential Credential Access via Renamed COM+ Services DLL production
Elastic Potential Credential Access via Windows Utilities production
Sigma Potential Credential Dumping Activity Via LSASS test
YARA-L Potential Credential Dumping Activity Via LSASS
Sigma Potential Credential Dumping Attempt Via PowerShell test
Sigma Potential Credential Dumping Attempt Via PowerShell Remote Thread test
Sigma Potential Credential Dumping Via LSASS Process Clone test
Sigma Potential Credential Dumping Via LSASS SilentProcessExit Technique test
YARA-L Potential Credential Dumping Via LSASS SilentProcessExit Technique
Sigma Potential Credential Dumping Via WER test
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential LSASS Clone Creation via PssCaptureSnapShot production
Elastic Potential LSASS Memory Dump via PssCaptureSnapShot production
Sigma Potential LSASS Process Dump Via Procdump stable
YARA-L potential lsass process dump via procdump
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential SAM database user credentials dumped with DCshadow experimental
Sigma Potential SysInternals ProcDump Evasion test
Sigma Potential Windows Defender AV Bypass Via Dump64.EXE Rename test
Sigma Potentially Suspicious AccessMask Requested From LSASS test
Sigma Potentially Suspicious GrantedAccess Flags On LSASS test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Get-Process LSASS in ScriptBlock test
Elastic PowerShell Kerberos Ticket Dump production
Elastic PowerShell MiniDump Script production
Sigma PPL Tampering Via WerFaultSecure experimental
Splunk ProcDump Credential Harvest (Sysmon)
Splunk ProcDump Credential Harvest (Windows Event Log)
Sigma Procdump Execution test
Sigma Process Access via TrolleyExpress Exclusion test
Sigma Process Memory Dump Via Comsvcs.DLL test
YARA-L Process Memory Dump Via Comsvcs.DLL
Sigma Process Memory Dump via RdrLeakDiag.EXE test
YARA-L Process Memory Dump via RdrLeakDiag.exe
Sigma PUA - Memory Dump Mount Via MemProcFS experimental
Splunk pypykatz commands (Windows Event Log)
Splunk RdrLeakDiag.exe Memory Dump (PowerShell)
Splunk RdrLeakDiag.exe Memory Dump (Sysmon)
Splunk RdrLeakDiag.exe Memory Dump (Windows Event Log)
Sigma Remote LSASS Process Access Through Windows Remote Management stable
Sigma Renamed CreateDump Utility Execution test
YARA-L Renamed CreateDump Utility Execution
Sigma SAM database user credentials dump with Mimikatz experimental
Sigma Suspicious DumpMinitool Execution test
Sigma Suspicious LSASS Access Via MalSecLogon test
Elastic Suspicious LSASS Access via MalSecLogon production
Elastic Suspicious Lsass Process Access production
Elastic Suspicious Module Loaded by LSASS production
Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental
Sigma Suspicious Renamed Comsvcs DLL Loaded By Rundll32 test
Sigma Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded test
Sigma Task Manager access indicator for potential LSASS dump experimental
Splunk Task Manager lsass Dump (Windows Event Log)
Sigma Task Manager used for LSASS dump (kernel) experimental
Kusto Tenable.ad LSASS Memory
Kusto TIE LSASS Memory
Sigma Time Travel Debugging Utility Usage test
Sigma Time Travel Debugging Utility Usage - Image test
Sigma Transferring Files with Credential Data via Network Shares test
Sigma Transferring Files with Credential Data via Network Shares - Zeek test
Sigma Uncommon GrantedAccess Flags On LSASS test
Sigma Unsigned Image Loaded Into LSASS Process test
Sigma WerFault LSASS Process Memory Dump test
Splunk Windows Credential Dumping LSASS Memory Createdump production
Panther Windows Credential Dumping Tool
Sigma Windows Credential Editor Registry test
Splunk Windows Hunting System Account Targeting Lsass production
Splunk Windows Non-System Account Targeting Lsass production
Splunk Windows Possible Credential Dumping production

OS Credential Dumping: Security Account Manager T1003.002 58 rules

Sigma Antivirus Password Dumper Detection stable
Splunk Azure AD Privileged Authentication Administrator Role Assigned production
Splunk Azure AD Privileged Graph API Permission Assigned production
Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
Sigma Copying Sensitive Files with Credential Data test
Sigma Crash Dump Created By Operating System experimental
Sigma Cred Dump Tools Dropped Files test
Elastic Credential Acquisition via Registry Hive Dumping production
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Sigma Critical Hive In Suspicious Location Access Bits Cleared test
Splunk Detect Copy of ShadowCopy with Script Block Logging production
Sigma Dumping of Sensitive Hives Via Reg.EXE test
Splunk Esentutl Execution (PowerShell)
Splunk Esentutl Execution (Sysmon)
Splunk Esentutl Execution (Windows Event Log)
Splunk Esentutl SAM Copy production
Sigma Esentutl Volume Shadow Copy Service Keys test
Sigma HackTool - Credential Dumping Tools Named Pipe Created test
Sigma HackTool - Mimikatz Execution test
Sigma HackTool - Pypykatz Credentials Dumping Activity test
Sigma HackTool - Quarks PwDump Execution test
Sigma HackTool - QuarksPwDump Dump File test
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma Mimikatz Use test
Splunk MultiDump.exe Execution (Sysmon)
Splunk MultiDump.exe Execution (Windows Event Log)
Elastic NTDS Dump via Wbadmin production
Elastic NTDS or SAM Database File Copied production
Sigma NTDS.DIT Creation By Uncommon Process test
Splunk O365 Privileged Graph API Permission Assigned production
Sigma Possible Impacket SecretDump Remote Activity test
Sigma Possible Impacket SecretDump Remote Activity - Zeek test
Elastic Potential Credential Access via Trusted Developer Utility production
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential Remote Credential Access via Registry production
Sigma Potential SAM Database Dump test
Elastic PowerShell Invoke-NinjaCopy script production
Sigma PowerShell SAM Copy test
Sigma PUA - Memory Dump Mount Via MemProcFS experimental
Splunk SAM Database File Access Attempt production
Splunk SAM, System, Security Files Accessed (Windows Event Log)
Sigma Secretdump password dumping via SMB admin share experimental
Splunk SecretsDump Credential Harvest (Windows Event Log)
Sigma Sensitive File Dump Via Print.EXE test
Elastic Sensitive Registry Hive Access via RegBack production
Sigma Shadow Copies Creation Using Operating Systems Utilities test
Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
Elastic Symbolic Link to Shadow Copy Created production
Sigma Transferring Files with Credential Data via Network Shares test
Sigma Transferring Files with Credential Data via Network Shares - Zeek test
Sigma Volume Shadow Copy Mount test
Sigma VolumeShadowCopy Symlink Creation Via Mklink stable
Sigma VSSAudit Security Event Source Registration test
Splunk Windows Rapid Authentication On Multiple Hosts production
Elastic Windows Registry File Creation in SMB Share production
Splunk Windows Sensitive Registry Hive Dump Via CommandLine production

OS Credential Dumping: NTDS T1003.003 58 rules

Splunk ADExplorer Execution (Sysmon)
Splunk ADExplorer Execution (Windows Event Log)
Splunk ADExplorer Snapshot Creation (Sysmon)
Splunk ADExplorer Snapshot Creation (Windows Event Log)
Sigma Copying Sensitive Files with Credential Data test
Sigma Create Volume Shadow Copy with Powershell test
Splunk Creation of Shadow Copy production
Splunk Creation of Shadow Copy with wmic and powershell production
Elastic Creation or Modification of Domain Backup DPAPI private key production
Sigma Cred Dump Tools Dropped Files test
Splunk Credential Dumping via Copy Command from Shadow Copy production
Splunk Credential Dumping via Symlink to Shadow Copy production
Splunk Esentutl Execution (PowerShell)
Splunk Esentutl Execution (Sysmon)
Splunk Esentutl Execution (Windows Event Log)
Sigma Esentutl Gather Credentials test
Sigma IFM creation detected from commandline (installation from media) experimental
Sigma IFM detected - ESENT (installation from media) experimental
Sigma Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) test
YARA-L MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit
YARA-L MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
Elastic NTDS Dump via Wbadmin production
Sigma NTDS Exfiltration Filename Patterns test
Elastic NTDS or SAM Database File Copied production
Splunk ntds.dit Access from Unexpected Location (Sysmon)
Splunk ntds.dit Access from Unexpected Location (Windows Event Log)
Splunk ntds.dit Command Line (PowerShell)
Splunk ntds.dit Command Line (Sysmon)
Splunk ntds.dit Command Line (Windows Event Log)
Sigma NTDS.DIT Created test
Sigma NTDS.DIT Creation By Uncommon Parent Process test
Sigma NTDS.DIT Creation By Uncommon Process test
Sigma Ntdsutil Abuse test
Splunk Ntdsutil Export NTDS production
Splunk NTDSUtil.exe execution (Sysmon)
Splunk NTDSUtil.exe execution (Windows Event Log)
Sigma Possible Impacket SecretDump Remote Activity test
Sigma Possible Impacket SecretDump Remote Activity - Zeek test
Elastic Potential Credential Access via Windows Utilities production
Sigma Potential Russian APT Credential Theft Activity stable
Elastic PowerShell Invoke-NinjaCopy script production
Sigma PUA - DIT Snapshot Viewer test
Splunk SecretDumps Offline NTDS Dumping Tool production
Sigma Sensitive File Dump Via Print.EXE test
Sigma Sensitive File Dump Via Wbadmin.EXE test
Sigma Sensitive File Recovery From Backup Via Wbadmin.EXE test
Sigma Shadow Copies Creation Using Operating Systems Utilities test
Splunk Shadow Copy Created (Windows Event Log)
Sigma Suspicious Get-ADDBAccount Usage test
Splunk Suspicious ntds.dit Commands (PowerShell)
Splunk Suspicious ntds.dit Commands (Sysmon)
Splunk Suspicious ntds.dit Commands (Windows Event Log)
Sigma Suspicious Process Patterns NTDS.DIT Exfil test
Sigma Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) test
Elastic Symbolic Link to Shadow Copy Created production
Sigma Transferring Files with Credential Data via Network Shares test
Sigma Transferring Files with Credential Data via Network Shares - Zeek test
Sigma VolumeShadowCopy Symlink Creation Via Mklink stable

OS Credential Dumping: LSA Secrets T1003.004 23 rules

Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
Sigma Cred Dump Tools Dropped Files test
Elastic Credential Acquisition via Registry Hive Dumping production
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Sigma DPAPI Domain Backup Key Extraction test
Sigma DPAPI Domain Master Key Backup Attempt test
Kusto DumpGuard NTLM challenge detected
Sigma Dumping of Sensitive Hives Via Reg.EXE test
Sigma HackTool - Credential Dumping Tools Named Pipe Created test
Sigma HackTool - Mimikatz Execution test
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma Mimikatz Use test
Sigma Possible Impacket SecretDump Remote Activity test
Sigma Possible Impacket SecretDump Remote Activity - Zeek test
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic PowerShell Invoke-NinjaCopy script production
Sigma PUA - Memory Dump Mount Via MemProcFS experimental
Elastic Sensitive Registry Hive Access via RegBack production
Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
Kusto Suspicious SPN logon from workstation (DumpGuard)
Splunk Windows LSA Secrets NoLMhash Registry production

OS Credential Dumping: Cached Domain Credentials T1003.005 16 rules

Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
Sigma Cred Dump Tools Dropped Files test
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Sigma Dumping of Sensitive Hives Via Reg.EXE test
Sigma HackTool - Credential Dumping Tools Named Pipe Created test
Sigma HackTool - Mimikatz Execution test
Sigma New Generic Credentials Added Via Cmdkey.EXE test
Elastic Potential Invoke-Mimikatz PowerShell Script production
Sigma Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE test
Elastic PowerShell Invoke-NinjaCopy script production
Elastic Sensitive Registry Hive Access via RegBack production
Splunk WDigest Forced Credential Caching (PowerShell)
Splunk WDigest Forced Credential Caching (Sysmon)
Splunk WDigest Forced Credential Caching (Windows Event Log)
Splunk Windows Cached Domain Credentials Reg Query production

OS Credential Dumping: DCSync T1003.006 26 rules

Sigma Active Directory Replication from Non Machine Account test
Kusto Alsid DCSync available
Sigma Credential Dumping Tools Service Execution - Security test
Sigma Credential Dumping Tools Service Execution - System test
Splunk Excessive DRSGetNCChanges Requests (Windows Event Log)
Sigma Exchange group membership change to perform DCsync attack experimental
Elastic First Time Seen Account Performing DCSync production
Sigma HackTool - Mimikatz Execution test
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma Mimikatz DC Sync test
Sigma Mimikatz Use test
Sigma NetSYnc attack experimental
Kusto Non Domain Controller Active Directory Replication available
Elastic Potential Active Directory Replication Account Backdoor production
Elastic Potential Credential Access via DCSync production
Splunk Potential DCSync (Windows Event Log)
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Replication privileges accessed to perform DCSync attack experimental
Sigma Suspicious Get-ADReplAccount test
Kusto Tenable.ad DCSync
Kusto TIE DCSync
Splunk Windows AD Replication Request Initiated by User Account production
Splunk Windows AD Replication Request Initiated from Unsanctioned Location production
Splunk Windows AD Replication Service Traffic experimental

OS Credential Dumping: Proc Filesystem T1003.007 5 rules

Elastic Linux init (PID 1) Secret Dump via GDB production
Elastic Linux Process Hooking via GDB production
Elastic Manual Memory Dumping via Proc Filesystem production
Elastic Potential Linux Credential Dumping via Proc Filesystem production
Elastic Suspicious /proc/maps Discovery production

OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 13 rules

Elastic Dumping Account Hashes via Built-In Commands production
Splunk ESXi Sensitive Files Accessed production
Splunk Linux Auditd Possible Access To Credential Files production
Splunk Linux Possible Access To Credential Files production
Elastic Potential Linux Credential Dumping via Unshadow production
Elastic Potential Privilege Escalation via Linux DAC permissions production
Elastic Potential Shadow File Read via Command Line Utilities production
Elastic Potential Suspicious File Edit production
Elastic Potential Unauthorized Access via Wildcard Injection Detected production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution via Windows Subsystem for Linux production
Elastic Suspicious Symbolic Link Created production
Elastic Web Server Potential Command Injection Request production

Network Sniffing T1040 24 rules

Elastic AWS EC2 Full Network Packet Capture Detected production
Panther AWS EC2 Traffic Mirroring
Panther Azure Network Packet Capture Enabled
Kusto Azure secure score PW age policy new available
Elastic Azure VNet Full Network Packet Capture Enabled production
Splunk Cisco ASA - Packet Capture Activity production
Sigma Cisco Sniffing test
Splunk Cisco SNMP Community String Configuration Changes production
Sigma Harvesting Of Wifi Credentials Via Netsh.EXE test
Panther Kubernetes Ingress Created Without TLS
Sigma Network Sniffing - Linux test
Sigma Network Sniffing - MacOs test
Elastic Network Traffic Capture via CAP_NET_RAW production building block
Sigma New Network Trace Capture Started Via Netsh.EXE test
Sigma PktMon.EXE Execution test
Sigma Potential Network Sniffing Activity Using Network Tools test
Sigma Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Suspicious Network Tool Launch Detected via Defend for Containers production
Elastic Suspicious Network Tool Launched Inside A Container production
Sigma Windows native Pktmon sniffer abuse experimental
Sigma Windows Pcap Drivers test
Sigma Windows traffic capture abuse experimental
Kusto Zoom E2E Encryption Disabled

Input Capture T1056 20 rules

Kusto Azure secure score MFA registration V2 available
Sigma CredUI.DLL Loaded By Uncommon Process test
Sigma DNS Query Request To OneLaunch Update Service test
Sigma GUI Input Capture - macOS test
Sigma Linux Keylogging with Pam.d test
Panther MacOS Keyboard Events
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Potential Keylogger Activity test
Elastic Potential SSH Password Grabbing via strace production
Elastic Potential Sudo Hijacking production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Keylogging test
Elastic PowerShell Keylogging Script production
Elastic Prompt for Credentials with Osascript production
Sigma PUA - Mouse Lock Execution test
Sigma Suspicious Network Communication With IPFS test
Elastic Suspicious pbpaste High Volume Activity production
Splunk Windows Input Capture Using Credential UI Dll production

Input Capture: Keylogging T1056.001 5 rules

Sigma Linux Keylogging with Pam.d test
Sigma Potential Keylogger Activity test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Keylogging test
Elastic PowerShell Keylogging Script production

Input Capture: GUI Input Capture T1056.002 5 rules

Sigma CredUI.DLL Loaded By Uncommon Process test
Sigma GUI Input Capture - macOS test
Elastic Prompt for Credentials with Osascript production
Sigma PUA - Mouse Lock Execution test
Splunk Windows Input Capture Using Credential UI Dll production

Input Capture: Credential API Hooking T1056.004 4 rules

Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available

Brute Force T1110 296 rules

Kusto [Deprecated] Explicit MFA Deny available
Sigma Account Lockout test
Panther Admin logged out because of successive login failures
Kusto Alsid Active Directory attacks pathways available
Kusto Alsid Indicators of Attack available
Kusto Alsid Indicators of Exposures available
Kusto Alsid Password Guessing available
Kusto Alsid Password issues available
Kusto Alsid Password Spraying available
Kusto Alsid privileged accounts issues available
Kusto Alsid user accounts issues available
Panther Anthropic SSO Login Failed
Kusto API - Account Takeover available
Kusto API - Password Cracking available
Kusto API - Suspicious Login available
Panther AppOmni Alert Passthrough
Splunk ASL AWS Credential Access GetPasswordData production
Splunk ASL AWS Credential Access RDS Password reset production
Splunk ASL AWS IAM Assume Role Policy Brute Force production
Elastic Attempts to Brute Force an Okta User Account production
Sigma AWS ConsoleLogin Failed Authentication experimental
Splunk AWS Credential Access Failed Login production
Splunk AWS Credential Access GetPasswordData production
Splunk AWS Credential Access RDS Password reset production
YARA-L AWS GuardDuty Bruteforce Activity Detected
Splunk AWS High Number Of Failed Authentications From Ip production
YARA-L AWS High Number Of Unknown User Authentication Attempts
Splunk AWS IAM Assume Role Policy Brute Force production
Elastic AWS IAM Principal Enumeration via UpdateAssumeRolePolicy production
Panther AWS IAM User MFA
Elastic AWS Management Console Brute Force of Root User Identity production
Splunk AWS Multiple Users Failing To Authenticate From Ip production
Panther AWS Password Policy Complexity Guidelines
Panther AWS Password Policy Password Age Limit
Panther AWS Password Policy Password Reuse
Kusto AWS Security Hub - Detect root user lacking MFA available
YARA-L AWS Unusual Number Of Failed Authentication Attempts From The Same IP
Splunk AWS Unusual Number of Failed Authentications From Ip production
Kusto AWSCloudTrail - Successful brute force attack on S3 Bucket available
Splunk Azure Active Directory High Risk Sign-in production
Splunk Azure AD High Number Of Failed Authentications For User production
Splunk Azure AD High Number Of Failed Authentications From Ip production
Splunk Azure AD Multi-Source Failed Authentications Spike production
Splunk Azure AD Multiple Users Failing To Authenticate From Ip production
Splunk Azure AD Successful Authentication From Different Ips production
Splunk Azure AD Unusual Number of Failed Authentications From Ip production
Panther Azure Excessive Account Lockouts Experimental
Panther Azure Many Failed SignIns
Panther Azure RiskLevel Passthrough
Sigma Bitbucket User Login Failure test
Sigma Bitbucket User Login Failure Via SSH test
Kusto Bitglass - Multiple failed logins available
Kusto Brute force attack against an Entra-authenticated Windows device available
Kusto Brute force attack against Azure Portal available
Kusto Brute Force Attack against GitHub Account available
Kusto Brute force attack against user credentials available
Kusto Brute force attack against user credentials (Uses Authentication Normalization)
Panther Brute Force By IP
Panther Brute Force By User
Sigma Bruteforce via password reset experimental
Sigma Brutforce enumeration on Windows OpenSSH server with non existing user experimental
Sigma Brutforce enumeration with non existing users (login) experimental
Sigma Brutforce enumeration with unexisting users (Kerberos) experimental
Sigma Brutforce on Windows OpenSSH server with valid users experimental
Panther Carbon Black Log Entry Flagged
Splunk Cisco ASA - User Account Lockout Threshold Exceeded production
Sigma Cisco BGP Authentication Failures test
Sigma Cisco LDP Authentication Failures test
Splunk Cisco Secure Firewall - Blocked Connection production
Splunk Cisco Secure Firewall - Repeated Blocked Connections production
Kusto Claroty - Multiple failed logins by user available
Kusto ClientDeniedAccess available
Kusto Copilot - Jailbreak Attempt Detected available
Kusto Credential errors stateful anomaly on database available
Sigma Credential stuffing sttack risk experimental
Kusto Cross-Cloud Password Spray detection
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Splunk Crowdstrike Admin Weak Password Policy production
Splunk Crowdstrike Admin With Duplicate Password production
Splunk Crowdstrike High Identity Risk Severity production
Splunk Crowdstrike Medium Identity Risk Severity production
Splunk Crowdstrike Medium Severity Alert production
Splunk Crowdstrike Multiple LOW Severity Alerts production
Splunk Crowdstrike Privilege Escalation For Non-Admin User production
Splunk Crowdstrike User Weak Password Policy production
Splunk Crowdstrike User with Duplicate Password production
Splunk CrushFTP Max Simultaneous Users From IP production
Panther Databricks Repeated Failed Login Attempts Experimental
Splunk Detect Distributed Password Spray Attempts production
Splunk Detect Password Spray Attack Behavior From Source production
Splunk Detect Password Spray Attack Behavior On User production
Splunk Detect Password Spray Attempts production
Kusto Detect potential file enumeration activity (ASIM Web Session) available
Kusto Distributed Password cracking attempts in Microsoft Entra ID available
Kusto Elevation of Privilege attempt detected available
Elastic Entra ID Excessive Account Lockouts Detected production
Elastic Entra ID MFA TOTP Brute Force Attempted production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Sign-in Brute Force Attempted (Microsoft 365) production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Elastic Entra ID User Sign-in Brute Force Attempted production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Splunk ESXi SSH Brute Force production
Kusto Excessive Failed Authentication from Invalid Inputs available
Kusto Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
Kusto Excessive Windows Logon Failures available
Sigma External Remote RDP Logon from Public IP test
Sigma External Remote SMB Logon from Public IP test
Sigma Failed Authentications From Countries You Do Not Operate Out Of test
Kusto Failed AWS Console logons but success logon to AzureAD
Kusto Failed AzureAD logons but success logon to AWS Console
Kusto Failed AzureAD logons but success logon to host
Kusto Failed host logons but success logon to AzureAD
Kusto Failed login attempts to Azure Portal available
Kusto Failed Logins from Unknown or Invalid User available
Kusto Failed logon attempts by valid accounts within 10 mins
Kusto Failed logon attempts in authpriv
Panther Failed Root Console Login
Splunk GCP Multiple Users Failing To Authenticate From Ip production
Splunk GCP Unusual Number of Failed Authentications From Ip production
Kusto GitHub Signin Burst from Multiple Locations available
Kusto GitLab - Brute-force Attempts available
Kusto GitLab - Local Auth - No MFA available
Kusto GitLab - SSO - Sign-Ins Burst available
Panther GSuite User Device Unlock Failures
Panther GSuite Workspace Password Reuse Has Been Enabled
Panther GSuite Workspace Strong Password Enforcement Has Been Disabled
Kusto GWorkspace - Possible brute force attack available
Sigma Hack Tool User Agent test
Sigma HackTool - CrackMapExec Execution test
Sigma HackTool - Hashcat Password Cracker Execution test
Sigma HackTool - Hydra Password Bruteforce Execution test
Kusto High count of failed attempts from same client IP
Kusto High count of failed logons by a user
Splunk High Number of Login Failures from a single source production
Sigma Huawei BGP Authentication Failures test
Kusto IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
Sigma Juniper BGP Missing MD5 test
Sigma Kerberos enumeration with existing/unexisting users (Kerbrute) experimental
Splunk M365 Copilot Failed Authentication Patterns production
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity User Account Lockouts production
Elastic M365 Identity User Brute Force Attempted production
Sigma macOS Multiple Failed Sudo Attempts experimental
Kusto MFA Spamming followed by Successful login available
Panther Microsoft365 Brute Force Login by User
Kusto Mimecast Audit - Logon Authentication Failed
Kusto Mimecast Audit - Logon Authentication Failed
YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One
YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity
YARA-L MITRE ATT&CK T1110.003 RW Windows Password Spray
Sigma MSSQL Server Failed Logon test
Sigma MSSQL Server Failed Logon From External Network test
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Splunk Multiple Failed Network Logon Attempts from Host (Windows Event Log)
Elastic Multiple Logon Failure Followed by Logon Success production
Elastic Multiple Logon Failure from the same Source Address production
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic Multiple Okta User Authentication Events with Same Device Token Hash production
Kusto Multiple Password Reset by user
Panther Netskope Many Unauthorized API Calls
Kusto New country signIn with correct password
Sigma NTLM Brute Force test
Splunk O365 Excessive Authentication Failures Alert production
Splunk O365 High Number Of Failed Authentications for User production
Splunk O365 Multi-Source Failed Authentications Spike production
Splunk O365 Multiple OS Vendors Authenticating From User production
Splunk O365 Multiple Users Failing To Authenticate From Ip production
Panther Okta AD Agent Authentication Anomaly - Z-Score Detection Experimental
Elastic Okta Admin Console Login Failure production building block
YARA-L Okta MFA Bruteforce Attack
Splunk Okta MFA Exhaustion Hunt production
Splunk Okta Multiple Accounts Locked Out production
Splunk Okta Multiple Users Failing To Authenticate From Ip production
Panther Okta Rate Limits
Splunk Okta Risk Threshold Exceeded production
Elastic Okta Successful Login After Credential Attack production
YARA-L Okta ThreatInsight Login Failure With High Unknown Users
YARA-L Okta ThreatInsight Suspected Bruteforce Attack
YARA-L Okta ThreatInsight Suspected Password Spray Attack
YARA-L Okta ThreatInsight Targeted Bruteforce Attack
YARA-L Okta User Rejected Multiple Push Notifications
YARA-L OneLogin OTP Bruteforce Attack
Panther OneLogin User Locked
Panther OpenAI Brute Force Login Success
Kusto Palo Alto Prisma Cloud - Multiple failed logins for user available
Sigma Password Spray Activity test
Kusto Password spray attack against ADFSSignInLogs available
Kusto Password spray attack against Microsoft Entra ID application available
Kusto Password spray attack against Microsoft Entra ID Seamless SSO available
Kusto Password Spraying available
Splunk Password Spraying Windows (Windows Event Log)
Kusto Pathlock TDnR - Multiple Login Sessions Detected available
Kusto Ping Federate - Abnormal password reset attempts available
Splunk PingID Multiple Failed MFA Requests For User production
Elastic Potential External Linux SSH Brute Force Detected production
Elastic Potential Internal Linux SSH Brute Force Detected production
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Linux Local Account Brute Force Detected production
Elastic Potential macOS SSH Brute Force Detected production
Elastic Potential Malware-Driven SSH Brute Force Attempt production
Sigma Potential MFA Bypass Using Legacy Client Authentication test
Elastic Potential Okta Brute Force (Device Token Rotation) production
Elastic Potential Okta Brute Force (Multi-Source) production
Elastic Potential Okta Credential Stuffing (Single Source) production
Elastic Potential Okta Password Spray (Multi-Source) production
Elastic Potential Okta Password Spray (Single Source) production
Kusto Potential Password Spray Attack available
Kusto Potential Password Spray Attack available
Kusto Potential Password Spray Attack (Uses Authentication Normalization)
Elastic Potential Password Spraying Attack via SSH production
Elastic Potential Successful SSH Brute Force Attack production
Elastic Privileged Accounts Brute Force production
Kusto PulseConnectSecure - Large Number of Distinct Failed User Logins available
Kusto PulseConnectSecure - Potential Brute Force Attempts available
Splunk RDP Brute-force Detection (Windows Event Log)
Sigma RDP discovery performed on multiple hosts experimental
Kusto Remote Desktop Network Brute force (ASIM Network Session schema) available
Panther Salesforce API Anomaly Detection (RET Passthrough)
Panther Salesforce OAuth Credential Abuse Detection
YARA-L sap brute force rfc logon
Kusto SecurityEvent - Multiple authentication failures followed by a success available
Kusto Semperis DSP Failed Logons available
Kusto Semperis DSP Operations Critical Notifications available
Sigma Sign-in Failure Due to Conditional Access Requirements Not Met test
Kusto Silverfort - UserBruteForce Incident
Kusto SlackAudit - Multiple failed logins for user available
Panther Snowflake Brute Force Attacks by IP
Panther Snowflake Brute Force Attacks by IP
Panther Snowflake Brute Force Attacks by User
Panther Snowflake Brute Force Attacks by Username
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Spike in Failed Logon Events production
Elastic Spike in Logon Events production
Elastic Spike in Successful Logon Events from a Source IP production
Sigma SQL Server - Brutforce enumeration with non existing users (login) experimental
Kusto SSH - Potential Brute Force
Kusto StealthTalk - Password brute force available
Sigma Successful Authentications From Countries You Do Not Operate Out Of test
Kusto Successful AWS Console Login from IP Address Observed Conducting Password Spray
Sigma Successful login correlated with suspicious JA4/JA3 TLS fingerprint experimental
Kusto Successful logon from IP and failure from a different IP available
Sigma Suspicious Connection to Remote Account test
Splunk Suspicious Login Failures (Windows Event Log)
Sigma Suspicious Rejected SMB Guest Logon From IP test
Panther Teleport SSH Auth Errors
Kusto Tenable.ad Active Directory attacks pathways
Kusto Tenable.ad Indicators of Attack
Kusto Tenable.ad Indicators of Exposures
Kusto Tenable.ad Password Guessing
Kusto Tenable.ad Password issues
Kusto Tenable.ad Password Spraying
Kusto Tenable.ad privileged accounts issues
Kusto Tenable.ad user accounts issues
Kusto TIE Active Directory attacks pathways
Kusto TIE Indicators of Attack
Kusto TIE Indicators of Exposures
Kusto TIE Password Guessing
Kusto TIE Password issues
Kusto TIE Password Spraying
Kusto TIE privileged accounts issues
Kusto TIE user accounts issues
Sigma Too many failed authorization requests due to wrong parameters experimental
Kusto Unauthorized user access across AWS and Azure
Elastic Unusual Login Activity production
Sigma Use of Legacy Authentication Protocols test
Sigma User Access Blocked by Azure Conditional Access test
Kusto Versasec CMS - Multiple Failed Login Attempts available
Kusto VMware ESXi - Multiple Failed Shell Login via SSH available
Kusto Wazuh - Large Number of Web errors from an IP
Elastic Web Server Suspicious User Agent Requests production
Splunk Windows Local Administrator Credential Stuffing production
Splunk Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos production
Splunk Windows Multiple Invalid Users Fail To Authenticate Using Kerberos production
Splunk Windows Multiple Invalid Users Failed To Authenticate Using NTLM production
Splunk Windows Multiple NTLM Null Domain Authentications production
Splunk Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials production
Splunk Windows Multiple Users Failed To Authenticate From Host Using NTLM production
Splunk Windows Multiple Users Failed To Authenticate From Process production
Splunk Windows Multiple Users Failed To Authenticate Using Kerberos production
Splunk Windows Multiple Users Remotely Failed To Authenticate From Host production
Splunk Windows Remote Desktop Network Bruteforce Attempt production
Splunk Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos production
Splunk Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos production
Splunk Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM production
Splunk Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials production
Splunk Windows Unusual Count Of Users Failed To Auth Using Kerberos production
Splunk Windows Unusual Count Of Users Failed To Authenticate From Process production
Splunk Windows Unusual Count Of Users Failed To Authenticate Using NTLM production
Splunk Windows Unusual Count Of Users Remotely Failed To Auth From Host production
Splunk Windows Unusual NTLM Authentication Destinations By Source production
Splunk Windows Unusual NTLM Authentication Destinations By User production
Splunk Windows Unusual NTLM Authentication Users By Destination production
Splunk Windows Unusual NTLM Authentication Users By Source production

Brute Force: Password Guessing T1110.001 44 rules

Splunk ASL AWS Credential Access GetPasswordData production
Elastic Attempts to Brute Force an Okta User Account production
Splunk AWS Credential Access Failed Login production
Splunk AWS Credential Access GetPasswordData production
Elastic AWS Management Console Brute Force of Root User Identity production
Splunk Azure AD High Number Of Failed Authentications For User production
Splunk Azure AD High Number Of Failed Authentications From Ip production
Splunk Azure AD Successful Authentication From Different Ips production
Panther Azure Excessive Account Lockouts Experimental
Sigma Bruteforce via password reset experimental
Splunk Cisco ASA - User Account Lockout Threshold Exceeded production
Kusto Credential errors stateful anomaly on database available
Splunk CrushFTP Max Simultaneous Users From IP production
Elastic Entra ID Excessive Account Lockouts Detected production
Elastic Entra ID MFA TOTP Brute Force Attempted production
Elastic Entra ID Sign-in Brute Force Attempted (Microsoft 365) production
Elastic Entra ID User Sign-in Brute Force Attempted production
Sigma HackTool - Hydra Password Bruteforce Execution test
Splunk High Number of Login Failures from a single source production
Elastic M365 Identity User Account Lockouts production
Elastic M365 Identity User Brute Force Attempted production
YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One
YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity
Elastic Multiple Logon Failure Followed by Logon Success production
Elastic Multiple Logon Failure from the same Source Address production
Splunk O365 High Number Of Failed Authentications for User production
Elastic Okta Successful Login After Credential Attack production
YARA-L Okta ThreatInsight Suspected Bruteforce Attack
Panther OpenAI Brute Force Login Success
Elastic Potential External Linux SSH Brute Force Detected production
Elastic Potential Internal Linux SSH Brute Force Detected production
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Linux Local Account Brute Force Detected production
Elastic Potential Okta Brute Force (Device Token Rotation) production
Elastic Potential Okta Brute Force (Multi-Source) production
Elastic Potential Password Spraying Attack via SSH production
Elastic Potential Successful SSH Brute Force Attack production
Elastic Privileged Accounts Brute Force production
Splunk RDP Brute-force Detection (Windows Event Log)
Elastic Spike in Failed Logon Events production
Sigma Suspicious Connection to Remote Account test
Splunk Suspicious Login Failures (Windows Event Log)
Sigma Suspicious Rejected SMB Guest Logon From IP test
Splunk Windows Remote Desktop Network Bruteforce Attempt production

Brute Force: Password Cracking T1110.002 3 rules

Kusto Credential errors stateful anomaly on database available
Sigma HackTool - Hashcat Password Cracker Execution test
Elastic Potential Linux Hack Tool Launched production

Brute Force: Password Spraying T1110.003 81 rules

Kusto Alsid Password Spraying available
Elastic Attempts to Brute Force an Okta User Account production
Splunk AWS High Number Of Failed Authentications From Ip production
Splunk AWS Multiple Users Failing To Authenticate From Ip production
Splunk AWS Unusual Number of Failed Authentications From Ip production
Splunk Azure Active Directory High Risk Sign-in production
Splunk Azure AD High Number Of Failed Authentications From Ip production
Splunk Azure AD Multi-Source Failed Authentications Spike production
Splunk Azure AD Multiple Users Failing To Authenticate From Ip production
Splunk Azure AD Successful Authentication From Different Ips production
Splunk Azure AD Unusual Number of Failed Authentications From Ip production
Panther Azure Excessive Account Lockouts Experimental
Sigma Bruteforce via password reset experimental
Splunk Cisco ASA - User Account Lockout Threshold Exceeded production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Splunk Detect Distributed Password Spray Attempts production
Splunk Detect Password Spray Attack Behavior From Source production
Splunk Detect Password Spray Attack Behavior On User production
Splunk Detect Password Spray Attempts production
Elastic Entra ID Excessive Account Lockouts Detected production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID Sign-in Brute Force Attempted (Microsoft 365) production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Elastic Entra ID User Sign-in Brute Force Attempted production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Splunk GCP Multiple Users Failing To Authenticate From Ip production
Splunk GCP Unusual Number of Failed Authentications From Ip production
Elastic M365 Entra ID Risk Detection Signal production building block
Elastic M365 Identity User Account Lockouts production
Elastic M365 Identity User Brute Force Attempted production
YARA-L MITRE ATT&CK T1110.003 RW Windows Password Spray
Splunk Multiple Failed Network Logon Attempts from Host (Windows Event Log)
Elastic Multiple Logon Failure Followed by Logon Success production
Elastic Multiple Logon Failure from the same Source Address production
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic Multiple Okta User Authentication Events with Same Device Token Hash production
Splunk O365 Multi-Source Failed Authentications Spike production
Splunk O365 Multiple Users Failing To Authenticate From Ip production
Splunk Okta Multiple Users Failing To Authenticate From Ip production
Elastic Okta Successful Login After Credential Attack production
YARA-L Okta ThreatInsight Suspected Password Spray Attack
Panther OpenAI Brute Force Login Success
Kusto Password Spraying available
Splunk Password Spraying Windows (Windows Event Log)
Elastic Potential External Linux SSH Brute Force Detected production
Elastic Potential Internal Linux SSH Brute Force Detected production
Elastic Potential Okta Password Spray (Multi-Source) production
Elastic Potential Okta Password Spray (Single Source) production
Kusto Potential Password Spray Attack available
Elastic Potential Password Spraying Attack via SSH production
Elastic Potential Successful SSH Brute Force Attack production
Elastic Privileged Accounts Brute Force production
Panther Snowflake Password Spray Experimental
Elastic Spike in Failed Logon Events production
Elastic Spike in Logon Events production
Elastic Spike in Successful Logon Events from a Source IP production
Kusto Tenable.ad Password Spraying
Kusto TIE Password Spraying
Kusto Unauthorized user access across AWS and Azure
Splunk Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos production
Splunk Windows Multiple Invalid Users Fail To Authenticate Using Kerberos production
Splunk Windows Multiple Invalid Users Failed To Authenticate Using NTLM production
Splunk Windows Multiple NTLM Null Domain Authentications production
Splunk Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials production
Splunk Windows Multiple Users Failed To Authenticate From Host Using NTLM production
Splunk Windows Multiple Users Failed To Authenticate From Process production
Splunk Windows Multiple Users Failed To Authenticate Using Kerberos production
Splunk Windows Multiple Users Remotely Failed To Authenticate From Host production
Splunk Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos production
Splunk Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos production
Splunk Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM production
Splunk Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials production
Splunk Windows Unusual Count Of Users Failed To Auth Using Kerberos production
Splunk Windows Unusual Count Of Users Failed To Authenticate From Process production
Splunk Windows Unusual Count Of Users Failed To Authenticate Using NTLM production
Splunk Windows Unusual Count Of Users Remotely Failed To Auth From Host production
Splunk Windows Unusual NTLM Authentication Destinations By Source production
Splunk Windows Unusual NTLM Authentication Destinations By User production
Splunk Windows Unusual NTLM Authentication Users By Destination production
Splunk Windows Unusual NTLM Authentication Users By Source production

Brute Force: Credential Stuffing T1110.004 31 rules

Splunk AWS High Number Of Failed Authentications From Ip production
YARA-L AWS High Number Of Unknown User Authentication Attempts
Splunk AWS Multiple Users Failing To Authenticate From Ip production
YARA-L AWS Unusual Number Of Failed Authentication Attempts From The Same IP
Splunk AWS Unusual Number of Failed Authentications From Ip production
Splunk Azure AD Multi-Source Failed Authentications Spike production
Splunk Azure AD Multiple Users Failing To Authenticate From Ip production
Splunk Azure AD Unusual Number of Failed Authentications From Ip production
Panther Azure Excessive Account Lockouts Experimental
Sigma Credential stuffing sttack risk experimental
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Splunk CrushFTP Max Simultaneous Users From IP production
Elastic Entra ID Excessive Account Lockouts Detected production
Elastic Entra ID Sign-in Brute Force Attempted (Microsoft 365) production
Elastic Entra ID User Sign-in Brute Force Attempted production
Splunk GCP Multiple Users Failing To Authenticate From Ip production
Splunk GCP Unusual Number of Failed Authentications From Ip production
Elastic M365 Identity User Account Lockouts production
Elastic M365 Identity User Brute Force Attempted production
Elastic Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy production
Elastic Multiple Okta User Authentication Events with Same Device Token Hash production
Splunk O365 Multi-Source Failed Authentications Spike production
Splunk O365 Multiple Users Failing To Authenticate From Ip production
Elastic Okta Successful Login After Credential Attack production
YARA-L Okta ThreatInsight Login Failure With High Unknown Users
Panther OpenAI Brute Force Login Success
Panther OpenAI Credential Stuffing
Elastic Potential Okta Credential Stuffing (Single Source) production
Sigma Successful login correlated with suspicious JA4/JA3 TLS fingerprint experimental
Kusto Unauthorized user access across AWS and Azure
Splunk Windows Local Administrator Credential Stuffing production

Multi-Factor Authentication Interception T1111 4 rules

Panther AppOmni Alert Passthrough
Elastic Attempted Bypass of Okta MFA production
Kusto GWorkspace - Two-step authentification disabled for a user available
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available

Forced Authentication T1187 29 rules

Elastic Active Directory Forced Authentication from Linux Host - SMB Named Pipes production
Kusto API - Password Cracking available
Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
Kusto Corelight - Forced External Outbound SMB available
Splunk DNS Kerberos Coercion production
Kusto Google DNS - Exchange online autodiscover abuse
Sigma NTLM Hash Leak Via Curl NTLM Authentication test
Kusto NTLM Relay Attack
Splunk PetitPotam Network Share Access Request production
Sigma PetitPotam Suspicious Kerberos TGT Request test
Sigma Possible PetitPotam Coerce Authentication Attempt test
Elastic Potential Computer Account NTLM Relay Activity production
Sigma Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI test
Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
Elastic Potential Kerberos Relay Attack against a Computer Account production
Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
Elastic Potential Local NTLM Relay via HTTP production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential NTLM Relay Attack against a Computer Account production
Sigma Potential PetitPotam Attack Via EFS RPC Calls test
Elastic Rare Connection to WebDAV Target production
Elastic Rare SMB Connection to the Internet production
Sigma Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network experimental
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Short Lived DNS Record production
Splunk Windows Theme File Creation in Unusual Location production

Exploitation for Credential Access T1212 20 rules

Sigma Audit CVE Event test
Kusto Azure secure score block legacy authentication available
Kusto Azure VM Run Command operation executed during suspicious login window
Kusto Dataverse - Login by a sensitive privileged user available
Kusto Detect device token stealing with WDAC
Sigma GALLIUM IOCs test
Kusto GitHub Security Vulnerability in Repository
Sigma Guacamole Two Users Sharing Session Anomaly test
Sigma Kerberos Manipulation test
Splunk Kubernetes Nginx Ingress LFI production
Splunk Kubernetes Nginx Ingress RFI production
Elastic Manual Memory Dumping via Proc Filesystem production
Elastic Potential Linux Credential Dumping via Proc Filesystem production
Elastic Potential Local NTLM Relay via HTTP production
Kusto Pure Failed Login
Elastic Segfault from Sensitive Process Detected production
Sigma Suspicious NTLM Authentication on the Printer Spooler Service test
Kusto Threats detected by Eset available
Kusto Unauthorized user access across AWS and Azure
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production

Steal Application Access Token T1528 73 rules

Sigma Anomalous Token test
Sigma Anonymous IP Address test
Kusto API - JWT validation available
Sigma App Granted Microsoft Permissions test
Sigma Application URI Configuration Changes test
Panther AppOmni Alert Passthrough
Panther Auth0 Refresh Token Reused
Panther AWS Potentially Stolen Service Role
Splunk Azure AD Device Code Authentication production
Splunk Azure AD OAuth Application Consent Granted By User production
Splunk Azure AD User Consent Blocked for Risky Application production
Splunk Azure AD User Consent Denied for OAuth Application production
Kusto Azure DevOps PAT used with Browser available
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Panther Azure VS Code OAuth Phishing Experimental
Kusto Dataverse - Anomalous application user activity available
Sigma Delegated Permissions Granted For All Users test
Kusto Detect device token stealing with WDAC
Sigma End User Consent test
Sigma End User Consent Blocked test
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID Illicit Consent Grant via Registered Application production
Elastic Entra ID Kali365 Default User-Agent Detected production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Flow with Concurrent Sign-ins production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID User Added as Registered Application Owner production
Elastic Entra ID User Sign-in with Unusual Client production
Kusto Expired access credentials being used in Azure available
Elastic GitHub Authentication Token Access via Node.js production
Elastic Google Workspace Login Flagged Suspicious production building block
Elastic Google Workspace User Login with Unusual ASN production
Sigma HackTool - Koh Default Named Pipe test
Sigma High Risk Actions - copying of the most powerful token through API Explorer experimental
Sigma High risk event - risk of copying client credentials experimental
Kusto Identify instances where a single source is observed using multiple user agents (ASIM Web Session) available
Elastic Kubernetes and Cloud Credential Path Access via Process Arguments production
Elastic Kubernetes Service Account Secret Access production
Panther Kubernetes System Principal Accessed from Non-Cloud Public IP Experimental
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic M365 Identity OAuth Flow by User Sign-in to Device Registration production
Elastic M365 Identity OAuth Illicit Consent Grant by Rare Client and User production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Kusto Microsoft Entra ID Hybrid Health AD FS Suspicious Application available
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Elastic Multi-Cloud CLI Token and Credential Access Commands production
Elastic New GitHub Personal Access Token (PAT) Added production
Splunk O365 File Permissioned Application Consent Granted by User production
Splunk O365 Mail Permissioned Application Consent Granted by User production
Splunk O365 User Consent Blocked for Risky Application production
Splunk O365 User Consent Denied for OAuth Application production
Panther Okta AD Agent Authentication Anomaly - Z-Score Detection Experimental
Panther Okta AD Agent Token Abuse - Behavioral Experimental
Panther Okta API Key Created
Elastic Potential Impersonation Attempt via Kubectl production
Sigma Potentially Suspicious Command Targeting Teams Sensitive Files test
Sigma Potentially Suspicious JWT Token Search Via CLI test
Sigma Primary Refresh Token Access Attempt test
Sigma Renamed BrowserCore.EXE Execution test
Panther Salesforce OAuth Credential Abuse Detection
Panther Salesforce Third-Party Integration Monitoring
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Kusto Suspicious application consent for offline access available
Kusto Suspicious application consent similar to O365 Attack Toolkit available
Kusto Suspicious application consent similar to PwnAuth available
Kusto Suspicious Entra ID Joined Device Update available
Kusto Suspicious Service Principal creation activity available
Sigma Suspicious Teams Application Related ObjectAcess Event test
Kusto Trust Monitor Event
Panther Zendesk API Token Created
Kusto Zero Networks Segment - New API Token created available

Steal Web Session Cookie T1539 21 rules

Panther AppOmni Alert Passthrough
Elastic Browser Process Spawned from an Unusual Parent production
Kusto Detect device token stealing with WDAC
Elastic Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent production
Elastic Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA) production
Elastic First Time Python Accessed Sensitive Credential Files production
Elastic M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) production
Elastic Manual Loading of a Suspicious Chromium Extension production
Elastic Multiple Device Token Hashes for Single Okta Session production
Elastic Okta AiTM Session Cookie Replay production
Panther Okta Login Without Push
Elastic Okta Multiple OS Names Detected for a Single DT Hash production
Panther Okta Potentially Stolen Session
YARA-L Okta Suspicious Use Of A Session Cookie
Splunk Okta Suspicious Use of a Session Cookie production
Panther Potential Compromised Okta Credentials
Elastic Potential Cookies Theft via Browser Debugging production
Sigma SQLite Chromium Profile Data DB Access test
Sigma SQLite Firefox Profile Data DB Access test
Elastic Suspicious Web Browser Sensitive File Access production
Elastic WebProxy Settings Modification production

Unsecured Credentials T1552 210 rules

Elastic Access to a Sensitive LDAP Attribute production
Kusto AD FS Abnormal EKU object identifier attribute
Splunk Add DefaultUser And Password In Registry production
Sigma Added Owner To Application test
Splunk ADExplorer Execution (Sysmon)
Splunk ADExplorer Execution (Windows Event Log)
Splunk ADExplorer Snapshot Creation (Sysmon)
Splunk ADExplorer Snapshot Creation (Windows Event Log)
YARA-L ADFS DKM Key Access
Sigma Application AppID Uri Configuration Changes test
Panther AppOmni Alert Passthrough
Elastic Attempted Private Key Access production building block
Splunk Attempted Veeam Database Credential Dump (PowerShell)
Splunk Attempted Veeam Database Credential Dump (Sysmon)
Splunk Attempted Veeam Database Credential Dump (Windows Event Log)
Splunk Auto Admin Logon Registry Entry production
Sigma Automated Collection Command Prompt test
Panther AWS Access Key Rotation
Elastic AWS Credentials Searched For Inside A Container production
Elastic AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
Elastic AWS EC2 User Data Retrieval for EC2 Instance production
Panther AWS IAM Access Key Compromise Detection
YARA-L AWS IAM Compromised Key Quarantine Policy Attached
Elastic AWS IAM CompromisedKeyQuarantine Policy Attached to User production
Elastic AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts production
Elastic AWS IAM Long-Term Access Key First Seen from Source IP production
Panther AWS KMS CMK Key Rotation
Panther AWS KMS Key Restricts Usage
Elastic AWS S3 Credential File Retrieved from Bucket production
Panther AWS Secrets Manager Batch Retrieve Secrets Experimental
Panther AWS Secrets Manager Batch Retrieve Secrets Catch-All Experimental
Panther AWS Secrets Manager Retrieve Secrets Multi-Region
Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Kusto Azure DevOps Variable Secret Not Secured available
Elastic Azure Event Hub Authorization Rule Created or Updated production
Sigma Azure Key Vault Modified or Deleted test
Sigma Azure Keyvault Key Modified or Deleted test
Sigma Azure Keyvault Secrets Modified or Deleted test
Sigma Azure Kubernetes Admission Controller test
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Elastic Azure Storage Account Key Regenerated production
Panther Azure Storage Account Keys Listed Experimental
Panther BETA - Sensitive 1Password Item Accessed Experimental
Kusto BTP - Cloud Integration JDBC data source changes available
Kusto BTP - Cloud Integration tampering with security material available
Sigma Certificate Exported Via PowerShell test
Sigma Certificate Exported Via PowerShell - ScriptBlock test
Sigma Cisco Collect Data test
Sigma Cisco Crypto Commands test
Splunk Cisco Isovalent - Access To Cloud Metadata Service production
Sigma Cisco Show Commands Input test
Splunk Cisco SNMP Community String Configuration Changes production
Kusto CiscoISE - Certificate has expired available
Elastic Cloud Credential Search Detected via Defend for Containers production
Elastic Cloud Instance Metadata Credential Path HTTP Request production
Elastic Command Shell Activity Started via RunDLL32 production
Panther Configuration Required - Sensitive 1Password Item Accessed
Sigma Copy Passwd Or Shadow From TMP Path test
Elastic Creation or Modification of Domain Backup DPAPI private key production
Elastic Credential Access via TruffleHog Execution production
Sigma Credentials In Files test
Sigma Credentials In Files - Linux test
Splunk Credentials in Registry (Windows Event Log)
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Kusto Cynerio - IoT - Default password
Kusto Cynerio - IoT - Weak password
Panther Databricks TruffleHog Scan Detected Experimental
Splunk Detect AWS Console Login by New User production
Sigma DPAPI Backup Keys And Certificate Export Activity IOC test
Panther EC2 Secrets Manager Retrieve Secrets Experimental
Sigma Enumeration for 3rd Party Creds From CLI test
Sigma Enumeration for Credentials in Registry test
Sigma EventLog Query Requests By Builtin Utilities test
Sigma Extracting Information with PowerShell test
Kusto F&O - Unusual sign-in activity using single factor authentication available
Sigma Findstr GPP Passwords test
Elastic First Time Python Accessed Sensitive Credential Files production
Kusto GCP Security Command Center - Detect Open/Unrestricted API Keys available
Kusto GCP Security Command Center - Detect projects with API Keys present available
YARA-L GCP Service Account Key Used From Multiple Countries
Elastic GenAI Process Accessing Sensitive Files production
Elastic GitHub Authentication Token Access via Node.js production
YARA-L GitHub Secret Scanning Alert
Panther GitHub Secret Scanning Alert Created
Sigma Google Cloud Kubernetes Admission Controller test
Elastic Google Workspace Drive Encryption Key(s) Accessed from Anonymous User production
YARA-L Google Workspace Encryption Key File Accessed By An Anonymous User
Panther GSuite User Password Leaked
Sigma HackTool - Typical HiveNightmare SAM File Export test
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Sigma Hidden Flag Set On File/Directory Via Chflags - MacOS test
Sigma Insensitive Subfolder Search Via Findstr.EXE test
Elastic Kubeconfig File Creation or Modification production
Elastic Kubeconfig File Discovery production
Elastic Kubectl Secrets Enumeration Across All Namespaces production
Elastic Kubelet Certificate File Access Detected via Defend for Containers production
Splunk Kubernetes Abuse of Secret by Unusual Location production
Splunk Kubernetes Abuse of Secret by Unusual User Agent production
Splunk Kubernetes Abuse of Secret by Unusual User Group production
Splunk Kubernetes Abuse of Secret by Unusual User Name production
Sigma Kubernetes Admission Controller Modification test
Panther Kubernetes Admission Controller Webhook Created
Elastic Kubernetes and Cloud Credential Path Access via Process Arguments production
Panther Kubernetes Client Certificate Credential Created
Panther Kubernetes Data Copy via kubectl cp
Elastic Kubernetes Direct API Request via Curl or Wget production
Panther Kubernetes Long-Lived Service Account Token Created Experimental
Elastic Kubernetes Pod Exec Cloud Instance Metadata Access production
Elastic Kubernetes Pod Exec Sensitive File or Credential Path Access production
Elastic Kubernetes Rapid Secret GET Activity Against Multiple Objects production
Elastic Kubernetes Secret Access via Unusual User Agent production
Elastic Kubernetes Secret get or list from Node or Pod Service Account production
Elastic Kubernetes Secret get or list with Suspicious User Agent production
Elastic Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
Sigma Kubernetes Secrets Enumeration test
Elastic Kubernetes Secrets List Across Cluster or Sensitive Namespaces production
Elastic Kubernetes Service Account Secret Access production
Elastic Kubernetes Service Account Token Created via TokenRequest API production
Splunk Linux Auditd Find Ssh Private Keys production
Splunk Linux Auditd Private Keys and Certificate Enumeration production
Sigma Linux Recon Indicators test
Splunk Locate Credentials (PowerShell)
Splunk Locate Credentials (Sysmon)
Splunk Locate Credentials (Windows Event Log)
Sigma LSASS Process Reconnaissance Via Findstr.EXE test
Splunk MCP Github Suspicious Operation production
Splunk MCP Sensitive System File Search production
Elastic Microsoft IIS Connection Strings Decryption production
Elastic Microsoft IIS Service Account Password Dumped production
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Splunk Mimikatz Execution (Windows Event Log)
Elastic Multi-Cloud CLI Token and Credential Access Commands production
Splunk O365 Email Suspicious Search Behavior production
Splunk O365 SharePoint Suspicious Search Behavior production
Panther Okta Password Accessed
YARA-L OneLogin Application Password Revealed
Panther OneLogin Password Access
Kusto Pathlock TDnR - LDAP Synchronization Application Log Events available
Kusto Pathlock TDnR - STRUST PSE Certificate Changes available
Sigma Permission Misconfiguration Reconnaissance Via Findstr.EXE test
Sigma PFX File Creation test
Elastic Potential Credential Discovery via Recursive Grep production
Elastic Potential Impersonation Attempt via Kubectl production
Elastic Potential Kerberos Attack via Bifrost production
Sigma Potential Okta Password in AlternateID Field test
Splunk Potential password in username production
Sigma Potential Password Reconnaissance Via Findstr.EXE test
Sigma Potential PowerShell Console History Access Attempt via History File experimental
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential Privilege Escalation via Linux DAC permissions production
Sigma Potential Russian APT Credential Theft Activity stable
Elastic Potential Secret Scanning via Gitleaks production
Sigma Potentially Suspicious EventLog Recon Activity Using Log Query Utilities test
Sigma Potentially Suspicious JWT Token Search Via CLI test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Get-Process LSASS test
Elastic PowerShell Script with Password Policy Discovery Capabilities production building block
Elastic Private Key Searching Activity production
Sigma Private Keys Reconnaissance Via CommandLine Tools test
Sigma PUA - TruffleHog Execution experimental
Sigma PUA - TruffleHog Execution - Linux experimental
Sigma Registry Export of Third-Party Credentials experimental
Sigma Remote File Download Via Findstr.EXE test
Sigma SAM Registry Hive Handle Request test
Sigma Script Interpreter Spawning Credential Scanner - Linux experimental
Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
Elastic Security File Access via Common Utilities production
Elastic Sensitive File Compression Detected via Defend for Containers production
Elastic Sensitive Files Compression production
Elastic Sensitive Files Compression Inside A Container production
Elastic Sensitive Identity File Open by Suspicious Process via Auditd production
Elastic Sensitive Keys Or Passwords Search Detected via Defend for Containers production
Elastic Sensitive Keys Or Passwords Searched For Inside A Container production
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Elastic Service Account Token or Certificate Read Detected via Defend for Containers production
Splunk Shai-Hulud 2 Exfiltration Artifact Files production
Sigma Shai-Hulud Malicious GitHub Workflow Creation experimental
Elastic Suspicious CertUtil Commands production
Sigma Suspicious History File Operations test
Sigma Suspicious History File Operations - Linux test
Elastic Suspicious Instance Metadata Service (IMDS) API Command Line Execution production
Elastic Suspicious Instance Metadata Service (IMDS) API Request production
Sigma Suspicious SYSVOL Domain Group Policy Access test
Elastic Unusual Linux Process Calling the Metadata Service production
Elastic Unusual Linux User Calling the Metadata Service production
Elastic Unusual Web Config File Access production
Elastic Unusual Windows Process Calling the Metadata Service production
Elastic Unusual Windows User Calling the Metadata Service production
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Local File Inclusion Activity production
Elastic Web Server Potential Command Injection Request production
Splunk Windows Credentials in Registry Reg Query production
Splunk Windows Export Certificate production
Splunk Windows Findstr GPP Discovery production
Splunk Windows LAPS Password Gathering Via PowerShell Script production
Splunk Windows Post Exploitation Risk Behavior production
Splunk Windows PowerShell Export Certificate production
Splunk Windows PowerShell Export PfxCertificate production
Splunk Windows PowerSploit GPP Discovery production
Splunk Windows Private Keys Discovery production
Splunk Windows SharePoint Spinstall0 GET Request production
Splunk Windows Unsecured Outlook Credentials Access In Registry production
Splunk Windows Unusual FileZilla XML Config Access production
Splunk Windows Unusual Intelliform Storage Registry Access production
Elastic Wireless Credential Dumping using Netsh Command production

Unsecured Credentials: Credentials In Files T1552.001 76 rules

Splunk ADExplorer Execution (Sysmon)
Splunk ADExplorer Execution (Windows Event Log)
Splunk ADExplorer Snapshot Creation (Sysmon)
Splunk ADExplorer Snapshot Creation (Windows Event Log)
Splunk Attempted Veeam Database Credential Dump (PowerShell)
Splunk Attempted Veeam Database Credential Dump (Sysmon)
Splunk Attempted Veeam Database Credential Dump (Windows Event Log)
Sigma Automated Collection Command Prompt test
Panther AWS Compromised IAM Key Quarantine
Elastic AWS Credentials Searched For Inside A Container production
Panther AWS RDS Log File Downloaded Experimental
Elastic AWS S3 Credential File Retrieved from Bucket production
Sigma Azure Key Vault Modified or Deleted test
Sigma Azure Keyvault Key Modified or Deleted test
Sigma Azure Keyvault Secrets Modified or Deleted test
Panther Azure Storage SAS Token Access from External IP
Sigma Cisco Collect Data test
Elastic Cloud Credential Search Detected via Defend for Containers production
Sigma Copy Passwd Or Shadow From TMP Path test
Elastic Credential Access via TruffleHog Execution production
Sigma Credentials In Files test
Sigma Credentials In Files - Linux test
Sigma Extracting Information with PowerShell test
Elastic First Time Python Accessed Sensitive Credential Files production
Elastic GenAI Process Accessing Sensitive Files production
Sigma HackTool - Typical HiveNightmare SAM File Export test
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Sigma Hidden Flag Set On File/Directory Via Chflags - MacOS test
Sigma Insensitive Subfolder Search Via Findstr.EXE test
Elastic Kubeconfig File Creation or Modification production
Elastic Kubeconfig File Discovery production
Elastic Kubernetes and Cloud Credential Path Access via Process Arguments production
Elastic Kubernetes Pod Exec Sensitive File or Credential Path Access production
Elastic Kubernetes Service Account Secret Access production
Sigma Linux Recon Indicators test
Splunk Locate Credentials (PowerShell)
Splunk Locate Credentials (Sysmon)
Splunk Locate Credentials (Windows Event Log)
Splunk MCP Github Suspicious Operation production
Splunk MCP Sensitive System File Search production
Elastic Microsoft IIS Connection Strings Decryption production
Elastic Microsoft IIS Service Account Password Dumped production
Elastic Multi-Cloud CLI Token and Credential Access Commands production
Elastic Potential Credential Discovery via Recursive Grep production
Elastic Potential Kerberos Attack via Bifrost production
Splunk Potential password in username production
Sigma Potential Password Reconnaissance Via Findstr.EXE test
Sigma Potential PowerShell Console History Access Attempt via History File experimental
Sigma Potential Russian APT Credential Theft Activity stable
Elastic Potential Secret Scanning via Gitleaks production
Sigma Potentially Suspicious JWT Token Search Via CLI test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Private Key Searching Activity production
Sigma PUA - TruffleHog Execution experimental
Sigma PUA - TruffleHog Execution - Linux experimental
Sigma Remote File Download Via Findstr.EXE test
Panther Secret Exposed and not Quarantined
Elastic Security File Access via Common Utilities production
Elastic Sensitive File Compression Detected via Defend for Containers production
Elastic Sensitive Files Compression production
Elastic Sensitive Files Compression Inside A Container production
Elastic Sensitive Identity File Open by Suspicious Process via Auditd production
Elastic Sensitive Keys Or Passwords Search Detected via Defend for Containers production
Elastic Sensitive Keys Or Passwords Searched For Inside A Container production
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Elastic Service Account Token or Certificate Read Detected via Defend for Containers production
Splunk Shai-Hulud 2 Exfiltration Artifact Files production
Sigma Shai-Hulud Malicious GitHub Workflow Creation experimental
Elastic Unusual Web Config File Access production
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Local File Inclusion Activity production
Elastic Web Server Potential Command Injection Request production
Splunk Windows Unusual FileZilla XML Config Access production
Splunk Windows Unusual Intelliform Storage Registry Access production
Elastic Wireless Credential Dumping using Netsh Command production

Unsecured Credentials: Credentials in Registry T1552.002 10 rules

Splunk Add DefaultUser And Password In Registry production
Splunk Auto Admin Logon Registry Entry production
Splunk Credentials in Registry (Windows Event Log)
Sigma Enumeration for 3rd Party Creds From CLI test
Sigma Enumeration for Credentials in Registry test
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma Registry Export of Third-Party Credentials experimental
Sigma SAM Registry Hive Handle Request test
Splunk Windows Credentials in Registry Reg Query production

Unsecured Credentials: Shell History T1552.003 3 rules

Sigma Cisco Show Commands Input test
Sigma Suspicious History File Operations test
Sigma Suspicious History File Operations - Linux test

Unsecured Credentials: Private Keys T1552.004 28 rules

Elastic Access to a Sensitive LDAP Attribute production
YARA-L ADFS DKM Key Access
Elastic Attempted Private Key Access production building block
Elastic AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
Sigma Certificate Exported Via PowerShell test
Sigma Certificate Exported Via PowerShell - ScriptBlock test
Sigma Cisco Crypto Commands test
Elastic Creation or Modification of Domain Backup DPAPI private key production
Sigma DPAPI Backup Keys And Certificate Export Activity IOC test
YARA-L GCP Service Account Key Used From Multiple Countries
Elastic Google Workspace Drive Encryption Key(s) Accessed from Anonymous User production
YARA-L Google Workspace Encryption Key File Accessed By An Anonymous User
Elastic Kubelet Certificate File Access Detected via Defend for Containers production
Panther Kubernetes Ingress Created Without TLS
Splunk Linux Auditd Find Ssh Private Keys production
Splunk Linux Auditd Private Keys and Certificate Enumeration production
Sigma PFX File Creation test
Elastic Potential Privilege Escalation via Linux DAC permissions production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Get-Process LSASS test
Elastic Private Key Searching Activity production
Sigma Private Keys Reconnaissance Via CommandLine Tools test
Elastic Sensitive Keys Or Passwords Search Detected via Defend for Containers production
Elastic Suspicious CertUtil Commands production
Splunk Windows Export Certificate production
Splunk Windows PowerShell Export Certificate production
Splunk Windows PowerShell Export PfxCertificate production
Splunk Windows Private Keys Discovery production

Unsecured Credentials: Cloud Instance Metadata API T1552.005 14 rules

Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role production
Elastic AWS EC2 User Data Retrieval for EC2 Instance production
Elastic Azure Event Hub Authorization Rule Created or Updated production
Elastic Azure Storage Account Key Regenerated production
Splunk Cisco Isovalent - Access To Cloud Metadata Service production
Elastic Cloud Instance Metadata Credential Path HTTP Request production
Elastic Kubernetes Pod Exec Cloud Instance Metadata Access production
Elastic Suspicious Instance Metadata Service (IMDS) API Command Line Execution production
Elastic Suspicious Instance Metadata Service (IMDS) API Request production
Elastic Unusual Linux Process Calling the Metadata Service production
Elastic Unusual Linux User Calling the Metadata Service production
Elastic Unusual Windows Process Calling the Metadata Service production
Elastic Unusual Windows User Calling the Metadata Service production

Unsecured Credentials: Group Policy Preferences T1552.006 8 rules

Sigma Findstr GPP Passwords test
Sigma LSASS Process Reconnaissance Via Findstr.EXE test
Sigma Permission Misconfiguration Reconnaissance Via Findstr.EXE test
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic PowerShell Script with Password Policy Discovery Capabilities production building block
Sigma Suspicious SYSVOL Domain Group Policy Access test
Splunk Windows Findstr GPP Discovery production
Splunk Windows PowerSploit GPP Discovery production

Unsecured Credentials: Container API T1552.007 24 rules

Elastic Azure Arc Cluster Credential Access by Identity from Unusual Source production
Sigma Azure Kubernetes Admission Controller test
Elastic Azure Service Principal Sign-In Followed by Arc Cluster Credential Access production
Sigma Google Cloud Kubernetes Admission Controller test
Splunk Kubernetes Abuse of Secret by Unusual Location production
Splunk Kubernetes Abuse of Secret by Unusual User Agent production
Splunk Kubernetes Abuse of Secret by Unusual User Group production
Splunk Kubernetes Abuse of Secret by Unusual User Name production
Sigma Kubernetes Admission Controller Modification test
Panther Kubernetes All Secrets Dumped Across Namespaces Experimental
Elastic Kubernetes Direct API Request via Curl or Wget production
Elastic Kubernetes Pod Exec Sensitive File or Credential Path Access production
Elastic Kubernetes Rapid Secret GET Activity Against Multiple Objects production
Panther Kubernetes Secret Access Denied Experimental
Elastic Kubernetes Secret Access via Unusual User Agent production
Panther Kubernetes Secret Enumeration by a User Experimental
Elastic Kubernetes Secret get or list from Node or Pod Service Account production
Elastic Kubernetes Secret get or list with Suspicious User Agent production
Elastic Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
Sigma Kubernetes Secrets Enumeration test
Elastic Kubernetes Secrets List Across Cluster or Sensitive Namespaces production
Elastic Kubernetes Service Account Token Created via TokenRequest API production
Panther Kubernetes Service Account Token Theft from Pod
Elastic Sensitive Identity File Open by Suspicious Process via Auditd production

Credentials from Password Stores T1555 98 rules

Sigma Access To Browser Credential Files By Uncommon Applications - Security test
Sigma Access to Browser Login Data test
Kusto API - Password Cracking available
YARA-L AWS API Gateway Keys Accessed
Panther AWS Decrypt SSM Parameters Experimental
YARA-L AWS EC2 Get Windows Admin Password
Panther AWS EC2 Many Password Read Attempts
Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
Elastic AWS Secrets Manager Rapid Secrets Retrieval production
Elastic AWS Systems Manager SecureString Parameter Request with Decryption Flag production
Sigma Azure Active Directory Connect credentials dump via network share experimental
Panther Azure Key Vault Certificate Accessed
Elastic Azure Key Vault Excessive Secret or Key Retrieved production
Panther Azure Key Vault Key Accessed or Recovered
Panther Azure Key Vault Secret Accessed or Recovered
Elastic Azure Key Vault Unusual Secret Key Usage production
Kusto Azure secure score PW age policy new available
Elastic Azure Storage Account Keys Accessed by Privileged User production
Splunk Browser Credential File Accessed - Windows (Windows Event Log)
Elastic Browser Process Spawned from an Unusual Parent production
Elastic Creation or Modification of Domain Backup DPAPI private key production
Elastic Credential Access via TruffleHog Execution production
Kusto Credential added after admin consented to Application available
Sigma Credentials (protected by DPAPI) dump via network share experimental
Sigma Credentials from Password Stores - Keychain test
Panther Databricks Repeated Access to Secrets Experimental
Kusto Detect Suspicious ncrypt.dll usage by CLI tool or unknown process
Kusto Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce
Kusto Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device
Kusto Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device
Sigma DPAPI Backup Keys And Certificate Export Activity IOC test
Sigma Dump Credentials from Windows Credential Manager With PowerShell test
Elastic Dumping of Keychain Content via Security Command production
Sigma EC2 Password Data Retrieved test
Sigma Enumerate Credentials from Windows Credential Manager With PowerShell test
Elastic First Time Python Accessed Sensitive Credential Files production
Elastic First Time Seen AWS Secret Value Accessed in Secrets Manager production
YARA-L GCP Service API Key Retrieved
Elastic GenAI Process Accessing Sensitive Files production
Sigma HackTool - SecurityXploded Execution stable
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Kusto Highly Sensitive Password Accessed available
Elastic Keychain CommandLine Interaction via Unsigned or Untrusted Process production
Elastic Keychain Password Retrieval via Command Line production
Splunk Linux Auditd Find Credentials From Password Managers production
Splunk Linux Auditd Find Credentials From Password Stores production
Sigma macOS Authentication Events experimental
Splunk MacOS Keychains Dumped production
Sigma macOS Suspicious Keychain Access experimental
Splunk MCP Postgres Suspicious Query production
Kusto Modified domain federation trust settings available
Elastic Multiple Cloud Secrets Accessed by Source Address production
Elastic Multiple Vault Web Credentials Read production
Splunk Non Chrome Process Accessing Chrome Default Dir production
Splunk Non Firefox Process Access Firefox Profile Dir production
Kusto NRT Modified domain federation trust settings available
Panther Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral Experimental
Panther Okta SWA Off-Hours Credential Access - Behavioral Experimental
Splunk Possible Browser Pass View Parameter production
Sigma Potential Browser Data Stealing test
Elastic Potential Credential Access via Trusted Developer Utility production
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential Secret Scanning via Gitleaks production
Elastic Potential Veeam Credential Access Command production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Veeam Credential Access Capabilities production
Kusto PRT Credential Stealing
Sigma PUA - AWS TruffleHog Execution experimental
Sigma PUA - WebBrowserPassView Execution test
YARA-L Recon Credential Theft CISA Report
Sigma Remote Thread Created In KeePass.EXE test
Elastic Searching for Saved Credentials via VaultCmd production
Kusto Sentinel One - User viewed agent's passphrase available
Sigma SQLite Chromium Profile Data DB Access test
Splunk Stored Credentials from Web Browsers - Windows (PowerShell)
Sigma Suspicious Active Directory DPAPI attributes accessed (Mimikatz, DCSync, RiskySPN) experimental
Sigma Suspicious Key Manager Access test
Sigma Suspicious Serv-U Process Pattern test
Elastic Suspicious Web Browser Sensitive File Access production
Elastic SystemKey Access via Command Line production
Kusto Trust Monitor Event
Panther Unusual 1Password Client Detected
Sigma User application credentials dump via network share (DonPapi, Lazagne) experimental
Sigma User browser credentials dump via network share (DonPapi, Lazagne) experimental
Sigma User files dump via network share (DonPapi, Lazagne) experimental
Sigma Vault credentials manager accessed experimental
Sigma Vault credentials manager accessed experimental
Elastic Veeam Backup Library Loaded by Unusual Process production
Sigma Windows Credential Manager Access via VaultCmd test
Splunk Windows Credentials Access via VaultCli Module production
Splunk Windows Credentials from Password Stores Chrome Copied in TEMP Dir production
Splunk Windows Credentials from Password Stores Creation production
Splunk Windows Credentials from Password Stores Deletion production
Splunk Windows Credentials from Password Stores Query production
Splunk Windows Credentials from Web Browsers Saved in TEMP Folder production
Splunk Windows Password Managers Discovery production
Elastic Wireless Credential Dumping using Netsh Command production

Credentials from Password Stores: Keychain T1555.001 8 rules

Sigma Credentials from Password Stores - Keychain test
Elastic Dumping of Keychain Content via Security Command production
Elastic First Time Python Accessed Sensitive Credential Files production
Elastic Keychain CommandLine Interaction via Unsigned or Untrusted Process production
Elastic Keychain Password Retrieval via Command Line production
Splunk MacOS Keychains Dumped production
Sigma macOS Suspicious Keychain Access experimental
Elastic SystemKey Access via Command Line production

Credentials from Password Stores: Credentials from Web Browsers T1555.003 19 rules

Sigma Access To Browser Credential Files By Uncommon Applications - Security test
Sigma Access to Browser Login Data test
Splunk Browser Credential File Accessed - Windows (Windows Event Log)
Elastic Browser Process Spawned from an Unusual Parent production
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Elastic Keychain Password Retrieval via Command Line production
Splunk Non Chrome Process Accessing Chrome Default Dir production
Splunk Non Firefox Process Access Firefox Profile Dir production
Splunk Possible Browser Pass View Parameter production
Sigma Potential Browser Data Stealing test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PUA - WebBrowserPassView Execution test
Sigma SQLite Chromium Profile Data DB Access test
Splunk Stored Credentials from Web Browsers - Windows (PowerShell)
Elastic Suspicious Web Browser Sensitive File Access production
Sigma User browser credentials dump via network share (DonPapi, Lazagne) experimental
Splunk Windows Credentials from Password Stores Chrome Copied in TEMP Dir production
Splunk Windows Credentials from Web Browsers Saved in TEMP Folder production

Credentials from Password Stores: Windows Credential Manager T1555.004 15 rules

Sigma Credentials (protected by DPAPI) dump via network share experimental
Kusto Detect Suspicious ncrypt.dll usage by CLI tool or unknown process
Kusto Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce
Kusto Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device
Kusto Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device
Elastic Multiple Vault Web Credentials Read production
Elastic Potential Credential Access via Trusted Developer Utility production
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Searching for Saved Credentials via VaultCmd production
Sigma Suspicious Active Directory DPAPI attributes accessed (Mimikatz, DCSync, RiskySPN) experimental
Sigma Suspicious Key Manager Access test
Sigma Vault credentials manager accessed experimental
Sigma Vault credentials manager accessed experimental
Sigma Windows Credential Manager Access via VaultCmd test
Splunk Windows Credentials Access via VaultCli Module production

Credentials from Password Stores: Password Managers T1555.005 4 rules

Splunk Linux Auditd Find Credentials From Password Managers production
Splunk Linux Auditd Find Credentials From Password Stores production
Sigma Remote Thread Created In KeePass.EXE test
Splunk Windows Password Managers Discovery production

Credentials from Password Stores: Cloud Secrets Management Stores T1555.006 8 rules

Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
Elastic AWS Secrets Manager Rapid Secrets Retrieval production
Elastic AWS Systems Manager SecureString Parameter Request with Decryption Flag production
Elastic Azure Key Vault Excessive Secret or Key Retrieved production
Elastic Azure Key Vault Unusual Secret Key Usage production
Elastic Azure Storage Account Keys Accessed by Privileged User production
Elastic First Time Seen AWS Secret Value Accessed in Secrets Manager production
Elastic Multiple Cloud Secrets Accessed by Source Address production

Modify Authentication Process T1556 145 rules

Panther AppOmni Alert Passthrough
Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk ASL AWS New MFA Method Registered For User production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Deactivate an Okta Policy Rule production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Modify an Okta Policy production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Elastic Authentication via Unusual PAM Grantor production
Elastic Authorization Plugin Modification production
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Roles Anywhere Trust Anchor Created with External CA production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Sigma AWS Identity Center Identity Provider Change test
Splunk AWS Multi-Factor Authentication Disabled production
YARA-L AWS MultiFactor Authentication Disabled
YARA-L AWS New MFA Method Registered For User
Splunk AWS New MFA Method Registered For User production
Elastic AWS RDS DB Instance Made Public production
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS STS AssumeRole with New MFA Device production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD New MFA Method Registered For User production
Sigma Azure AD Only Single Factor Authentication Required test
Panther Azure Authentication Methods Policy OIDC Discovery URL Changed
Panther Azure Domain Federation Settings Modified
Panther Azure MFA Disabled
Kusto Azure secure score block legacy authentication available
Kusto BTP - Cloud Identity Service application configuration monitor available
Kusto BTP - Trust and authorization Identity Provider monitor available
Sigma CA Policy Removed by Non Approved Actor test
Sigma CA Policy Updated by Non Approved Actor test
Sigma Certificate-Based Authentication Enabled test
Sigma Change to Authentication Method test
Splunk Cisco ASA - AAA Policy Tampering production
Sigma Cisco Dot1x Disabled experimental
Splunk Cisco Duo Admin Login Unusual Browser production
Splunk Cisco Duo Admin Login Unusual Country production
Splunk Cisco Duo Admin Login Unusual Os production
Splunk Cisco Duo Bulk Policy Deletion production
Splunk Cisco Duo Bypass Code Generation production
Splunk Cisco Duo Policy Allow Devices Without Screen Lock production
Splunk Cisco Duo Policy Allow Network Bypass 2FA production
Splunk Cisco Duo Policy Allow Old Flash production
Splunk Cisco Duo Policy Allow Old Java production
Splunk Cisco Duo Policy Allow Tampered Devices production
Splunk Cisco Duo Policy Bypass 2FA production
Splunk Cisco Duo Policy Deny Access production
Splunk Cisco Duo Policy Skip 2FA for Other Countries production
Splunk Cisco Duo Set User Status to Bypass 2FA production
Splunk Cisco Network Interface Modifications production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Panther Databricks MFA Key Change Experimental
Panther Databricks SSO Configuration Changed Experimental
Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Kusto Detect suspicious conditional access policy modifications
Sigma Directory Service Restore Mode(DSRM) Registry Value Tampering test
Sigma Disabled MFA to Bypass Authentication Mechanisms test
Sigma Disabling Multi Factor Authentication test
Splunk Disabling Windows Local Security Authority Defences via Registry production
Sigma Dropping Of Password Filter DLL test
Elastic Entra ID Conditional Access Policy (CAP) Modified production
Elastic Entra ID Domain Federation Configuration Change production
Elastic Entra ID External Authentication Methods (EAM) Modified production
Elastic Entra ID MFA Disabled for User production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Kusto Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
Kusto External User Access Enabled
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available
Splunk GCP Multi-Factor Authentication Disabled production
Sigma Github High Risk Configuration Disabled test
Kusto GitLab - Repository visibility to Public available
Elastic Google Workspace 2SV Policy Disabled production
YARA-L Google Workspace MFA Disabled
Elastic Google Workspace MFA Enforcement Disabled production
Panther GSuite User Two Step Verification Change
Kusto Keeper Security - Password Changed available
Kusto Keeper Security - User MFA Changed available
Sigma macOS Configuration Profile Installation experimental
Elastic MFA Deactivation with no Re-Activation for Okta User Account production
Panther MFA Disabled
Elastic MFA Disabled for Google Workspace Organization production
Panther Microsoft365 MFA Disabled
Elastic Mimikatz Memssp Log File Detected production
Elastic Modification or Removal of an Okta Application Sign-On Policy production
Kusto Multi-Factor Authentication Disabled for a User available
Elastic Network Logon Provider Registry Modification production
Kusto New Device/Location sign-in along with critical operation available
Elastic New Okta Identity Provider (IdP) Added by Admin production
Sigma New Root Certificate Authority Added test
Splunk O365 Disable MFA production
Splunk O365 Excessive SSO logon errors production
Panther Okta AiTM Phishing Attempt Blocked by FastPass
Panther Okta Authentication Bypass via Skeleton Key Injection - Behavioral Experimental
Panther Okta Cleartext Passwords Extracted via SCIM Application
Panther Okta Identity Provider Created or Modified
Panther Okta MFA Globally Disabled
Sigma Okta MFA Reset or Deactivated test
Splunk Okta Multi-Factor Authentication Disabled production
Panther Okta Org2Org application created of modified
Splunk Okta Phishing Detection with FastPass Origin Check experimental
Panther Okta Sign-In from VPN Anonymizer
YARA-L Okta User Password and MFA Factor Reset or Deactivated
Panther OneLogin Authentication Factor Removed
YARA-L OneLogin User Authentication Factor Removed
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Polkit Policy Creation production
Sigma Possible Shadow Credentials Added test
Elastic Potential Backdoor Execution Through PAM_EXEC production
Elastic Potential Execution via SSH Backdoor production
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Elastic Potential OpenSSH Backdoor Logging Activity production
Elastic Potential Persistence via File Modification production
Elastic Potential Shadow Credentials added to AD Object production
Elastic Potential SSH Password Grabbing via strace production
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Powershell Install a DLL in System Directory test
Kusto Red Sift - MFA disabled on account available
Elastic Renaming of OpenSSH Binaries production
Kusto Rouge RDP: Suspicious File Creation
Panther Slack IDP Configuration Changed
Panther Slack SSO Settings Changed
Panther Snowflake Login Without MFA
Panther Snowflake Login Without MFA
Elastic Stolen Credentials Used to Login to Okta Account After MFA Reset production
Splunk Suspicious Certificate Authentication (Windows Event Log)
Splunk Suspicious Certificate Modification (Windows Event Log)
Kusto Suspicious Sign In Followed by MFA Modification available
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Elastic Unusual Process Modifying GenAI Configuration File production
Sigma User Added To Group With CA Policy Modification Access test
Sigma User Removed From Group With CA Policy Modification Access test
Kusto VMware ESXi - Root password changed available
Panther Wiz Update Login Settings

Modify Authentication Process: Password Filter DLL T1556.002 5 rules

Sigma Dropping Of Password Filter DLL test
Splunk Potential LSA password filter (PowerShell)
Splunk Potential LSA password filter (Windows Event Log)
Sigma Potential Suspicious Activity Using SeCEdit test
Sigma Powershell Install a DLL in System Directory test

Modify Authentication Process: Pluggable Authentication Modules T1556.003 5 rules

Elastic Authentication via Unusual PAM Grantor production
Elastic Pluggable Authentication Module (PAM) Creation in Unusual Directory production
Elastic Pluggable Authentication Module (PAM) Source Download production
Elastic Pluggable Authentication Module or Configuration Creation production
Elastic Potential Backdoor Execution Through PAM_EXEC production

Modify Authentication Process: Network Device Authentication T1556.004 2 rules

Splunk Cisco ASA - AAA Policy Tampering production
Sigma Cisco Dot1x Disabled experimental

Modify Authentication Process: Multi-Factor Authentication T1556.006 33 rules

Splunk ASL AWS Multi-Factor Authentication Disabled production
Splunk ASL AWS New MFA Method Registered For User production
Elastic Attempt to Deactivate an Okta Policy production
Elastic Attempt to Delete an Okta Policy production
Elastic Attempt to Reset MFA Factors for an Okta User Account production
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Virtual MFA Device Registration Attempt with Session Token production
Splunk AWS Multi-Factor Authentication Disabled production
YARA-L AWS MultiFactor Authentication Disabled
YARA-L AWS New MFA Method Registered For User
Splunk AWS New MFA Method Registered For User production
Kusto AWS Security Hub - Detect root user lacking MFA available
Elastic AWS STS AssumeRole with New MFA Device production
Splunk Azure AD Multi-Factor Authentication Disabled production
Splunk Azure AD New MFA Method Registered For User production
Sigma Azure AD Only Single Factor Authentication Required test
Panther Azure Domain Federation Settings Modified
Sigma Disabling Multi Factor Authentication test
Elastic Entra ID MFA Disabled for User production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Splunk GCP Multi-Factor Authentication Disabled production
Elastic Google Workspace MFA Enforcement Disabled production
Elastic MFA Deactivation with no Re-Activation for Okta User Account production
Sigma Okta MFA Reset or Deactivated test
Splunk Okta Multi-Factor Authentication Disabled production
YARA-L Okta User Password and MFA Factor Reset or Deactivated
YARA-L OneLogin User Authentication Factor Removed
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Panther Slack MFA Settings Changed
Elastic Stolen Credentials Used to Login to Okta Account After MFA Reset production
Kusto Suspicious Sign In Followed by MFA Modification available

Modify Authentication Process: Hybrid Identity T1556.007 6 rules

Kusto Detect changes to Connect Sync Application
Kusto Detect credential add to Connect Sync Application
Elastic Entra ID Domain Federation Configuration Change production
Panther MongoDB Identity Provider Activity
Elastic New Okta Identity Provider (IdP) Added by Admin production
Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production

Modify Authentication Process: Network Provider DLL T1556.008 1 rule

Elastic Network Logon Provider Registry Modification production

Modify Authentication Process: Conditional Access Policies T1556.009 13 rules

Elastic AWS RDS DB Instance Made Public production
Panther Azure Authentication Methods Policy OIDC Discovery URL Changed
Panther Crowdstrike IP Allowlist Changed
Panther Crowdstrike Single IP Allowlisted
Kusto Detect suspicious conditional access policy modifications
Elastic Entra ID Conditional Access Policy (CAP) Modified production
Elastic Entra ID External Authentication Methods (EAM) Modified production
Panther GCP Org or Folder Policy Was Changed Manually
Elastic Modification or Removal of an Okta Application Sign-On Policy production
Panther MongoDB access allowed from anywhere
Panther MongoDB org membership restriction disabled
Panther Wiz Update IP Restrictions
Panther ZIA Insecure Password Settings

Adversary-in-the-Middle T1557 61 rules

Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
Elastic AWS Route 53 Private Hosted Zone Associated With a VPC production
Sigma Azure Sign-In With Axios User Agent experimental
Splunk Cisco ASA - Packet Capture Activity production
Sigma Cisco BGP Authentication Failures test
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Sigma Cisco LDP Authentication Failures test
Elastic Creation of a DNS-Named Record production
Elastic Creation or Modification of Root Certificate production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Splunk Detect ARP Poisoning experimental
Splunk Detect IPv6 Network Infrastructure Threats experimental
Splunk Detect Port Security Violation experimental
Splunk Detect Rogue DHCP Server experimental
Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
Elastic DNS Global Query Block List Modified or Disabled production
Splunk DNS Kerberos Coercion production
Sigma Exchange server impersonation via PrivExchange relay attack experimental
Kusto GCP Security Command Center - Detect DNSSEC disabled for DNS zones available
Elastic Google Workspace Device Registration Burst for Single User production
Elastic Google Workspace Login Flagged Suspicious production building block
Elastic Google Workspace User Login with Unusual ASN production
Sigma HackTool - ADCSPwn Execution test
Sigma HackTool - Impacket Tools Execution test
Sigma Huawei BGP Authentication Failures test
Sigma ISATAP Router Address Was Set experimental
Sigma Juniper BGP Missing MD5 test
Sigma Local Privilege Escalation Indicator TabTip test
Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
Kusto NTLM Relay Attack
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Elastic Potential ADIDNS Poisoning via Wildcard Record Creation production
Elastic Potential Computer Account NTLM Relay Activity production
Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental
Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
Elastic Potential Kerberos Relay Attack against a Computer Account production
Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
Elastic Potential Local NTLM Relay via HTTP production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential NTLM Relay Attack against a Computer Account production
Sigma Potential PetitPotam Attack Via EFS RPC Calls test
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Sigma Potential SMB Relay Attack Tool Execution test
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential WPAD Spoofing via DNS Record Creation production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma RottenPotato Like Attack Pattern test
Elastic Service Creation via Local Kerberos Authentication production
Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network experimental
Splunk Suspicious Spool Authentication (Windows Event Log)
Kusto Unauthorized user access across AWS and Azure
Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
Elastic WebProxy Settings Modification production
Sigma WinDivert Driver Load test
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Short Lived DNS Record production
Splunk Windows Theme File Creation in Unusual Location production

Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 28 rules

Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
Elastic Creation of a DNS-Named Record production
Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
Splunk DNS Kerberos Coercion production
Sigma Exchange server impersonation via PrivExchange relay attack experimental
Sigma HackTool - ADCSPwn Execution test
Sigma HackTool - Impacket Tools Execution test
Sigma Local Privilege Escalation Indicator TabTip test
Kusto NTLM Relay Attack
Elastic Potential Computer Account NTLM Relay Activity production
Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
Elastic Potential Kerberos Relay Attack against a Computer Account production
Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential NTLM Relay Attack against a Computer Account production
Sigma Potential PetitPotam Attack Via EFS RPC Calls test
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Sigma Potential SMB Relay Attack Tool Execution test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma RottenPotato Like Attack Pattern test
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network experimental
Splunk Suspicious Spool Authentication (Windows Event Log)
Sigma WinDivert Driver Load test
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Short Lived DNS Record production
Splunk Windows Theme File Creation in Unusual Location production

Adversary-in-the-Middle: ARP Cache Poisoning T1557.002 3 rules

Splunk Detect ARP Poisoning experimental
Splunk Detect IPv6 Network Infrastructure Threats experimental
Splunk Detect Port Security Violation experimental

Adversary-in-the-Middle: DHCP Spoofing T1557.003 1 rule

Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental

Steal or Forge Kerberos Tickets T1558 84 rules

Sigma Administrator login impersonation with forged Golden ticket stable
Kusto Alsid Golden Ticket available
Sigma Antivirus Password Dumper Detection stable
Kusto Detect Potential Kerberoast Activities available
Splunk Disabled Kerberos Pre-Authentication Discovery With Get-ADUser production
Splunk Disabled Kerberos Pre-Authentication Discovery With PowerView production
Elastic First Time Python Accessed Sensitive Credential Files production
Sigma HackTool - KrbRelay Execution test
Sigma HackTool - KrbRelayUp Execution test
Sigma HackTool - Mimikatz Kirbi File Creation test
Sigma HackTool - RemoteKrbRelay Execution test
Sigma HackTool - Rubeus Execution stable
Sigma HackTool - Rubeus Execution - ScriptBlock test
Sigma Kerberoast ticket request detected experimental
Sigma Kerberoasting Activity - Initial Query test
Splunk Kerberoasting spn request with RC4 encryption production
Sigma Kerberos AS-REP Roasting ticket request detected experimental
Elastic Kerberos Cached Credentials Dumping production
Sigma Kerberos key list attack for credential dumping experimental
Sigma Kerberos Network Traffic RC4 Ticket Encryption test
Elastic Kerberos Pre-authentication Disabled for User production
Splunk Kerberos Pre-Authentication Flag Disabled in UserAccountControl production
Splunk Kerberos Pre-Authentication Flag Disabled with PowerShell production
Splunk Kerberos Service Ticket Request Using RC4 Encryption production
Sigma Kerberos TGS ticket request related to a potential Golden ticket experimental
Sigma Kerberos ticket without a trailing $ (CVE-2021-42278/42287) experimental
Elastic Kerberos Traffic from Unusual Process production
Elastic Kirbi File Creation production
Elastic KRBTGT Delegation Backdoor production
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Sigma No Suitable Encryption Key Found For Generating Kerberos Ticket test
Kusto Pathlock TDnR - Kerberos Keytab Changes available
Sigma Potential CVE-2021-42278 Exploitation Attempt test
Sigma Potential CVE-2021-42287 Exploitation Attempt test
Elastic Potential Invoke-Mimikatz PowerShell Script production
Kusto Potential Kerberoasting
Elastic Potential Kerberos Attack via Bifrost production
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential SPN Enumeration Via Setspn.EXE test
Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Kerberos Ticket Dump production
Elastic PowerShell Kerberos Ticket Request production
Sigma Register new Logon Process by Rubeus test
Sigma Replay Attack Detected test
Splunk Rubeus Command Line Parameters production
Splunk Rubeus Commands (PowerShell)
Splunk Rubeus Commands (Sysmon)
Splunk Rubeus Commands (Windows Event Log)
Sigma Rubeus Kerberos constrained delegation abuse (S4U2Proxy) experimental
Sigma Rubeus Kerberos unconstrained delegation abuse experimental
Splunk Rubeus Password Change (Windows Event Log)
Kusto Semperis DSP Kerberos krbtgt account with old password available
Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal production
Elastic Service Creation via Local Kerberos Authentication production
Splunk ServicePrincipalNames Discovery with PowerShell production
Splunk ServicePrincipalNames Discovery with SetSPN production
Sigma Shared folder access with forged Golden ticket stable
Elastic Suspicious Kerberos Authentication Ticket Request production
Sigma Suspicious Kerberos password account reset to issue potential Golden ticket experimental
Sigma Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) experimental
Sigma Suspicious Kerberos RC4 Ticket Encryption test
Sigma Suspicious Kerberos Ticket Request via CLI experimental
Sigma Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock test
Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
Kusto T1558.003 - Kerberoasting
Kusto Tenable.ad Golden Ticket
Kusto TIE Golden Ticket
Sigma Uncommon Outbound Kerberos Connection test
Sigma Uncommon Outbound Kerberos Connection - Security test
Kusto UnPAC the hash
Splunk Unusual Number of Kerberos Service Tickets Requested production
Elastic User account exposed to Kerberoasting production
Sigma User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' test
Splunk Windows Computer Account Created by Computer Account production
Splunk Windows Computer Account Requesting Kerberos Ticket production
Splunk Windows Computer Account With SPN production
Splunk Windows Domain Admin Impersonation Indicator production
Splunk Windows Kerberos Local Successful Logon production
Splunk Windows PowerView Kerberos Service Ticket Request production
Splunk Windows PowerView SPN Discovery production
Splunk Windows Process With NetExec Command Line Parameters production
Splunk Windows Steal or Forge Kerberos Tickets Klist production

Steal or Forge Kerberos Tickets: Golden Ticket T1558.001 14 rules

Sigma Administrator login impersonation with forged Golden ticket stable
Kusto Alsid Golden Ticket available
Splunk Kerberos Service Ticket Request Using RC4 Encryption production
Sigma Kerberos TGS ticket request related to a potential Golden ticket experimental
Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Splunk Rubeus Commands (PowerShell)
Splunk Rubeus Commands (Sysmon)
Splunk Rubeus Commands (Windows Event Log)
Kusto Semperis DSP Kerberos krbtgt account with old password available
Sigma Shared folder access with forged Golden ticket stable
Sigma Suspicious Kerberos password account reset to issue potential Golden ticket experimental
Kusto Tenable.ad Golden Ticket
Kusto TIE Golden Ticket

Steal or Forge Kerberos Tickets: Silver Ticket T1558.002 7 rules

Splunk Mimikatz (Sysmon)
Splunk Mimikatz (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Rubeus Commands (PowerShell)
Splunk Rubeus Commands (Sysmon)
Splunk Rubeus Commands (Windows Event Log)
Kusto UnPAC the hash

Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 40 rules

Kusto Detect Potential Kerberoast Activities available
Sigma HackTool - KrbRelay Execution test
Sigma HackTool - KrbRelayUp Execution test
Sigma HackTool - RemoteKrbRelay Execution test
Sigma HackTool - Rubeus Execution stable
Sigma HackTool - Rubeus Execution - ScriptBlock test
Sigma Kerberoast ticket request detected experimental
Sigma Kerberoasting Activity - Initial Query test
Splunk Kerberoasting spn request with RC4 encryption production
Elastic Kerberos Cached Credentials Dumping production
Sigma Kerberos Network Traffic RC4 Ticket Encryption test
Elastic Kerberos Traffic from Unusual Process production
Sigma No Suitable Encryption Key Found For Generating Kerberos Ticket test
Sigma Potential CVE-2021-42278 Exploitation Attempt test
Sigma Potential CVE-2021-42287 Exploitation Attempt test
Elastic Potential Kerberos Attack via Bifrost production
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential SPN Enumeration Via Setspn.EXE test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Kerberos Ticket Request production
Sigma Register new Logon Process by Rubeus test
Splunk Rubeus Command Line Parameters production
Splunk Rubeus Commands (PowerShell)
Splunk Rubeus Commands (Sysmon)
Splunk Rubeus Commands (Windows Event Log)
Splunk ServicePrincipalNames Discovery with PowerShell production
Splunk ServicePrincipalNames Discovery with SetSPN production
Elastic Suspicious Kerberos Authentication Ticket Request production
Sigma Suspicious Kerberos RC4 Ticket Encryption test
Sigma Suspicious Kerberos Ticket Request via CLI experimental
Sigma Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock test
Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
Kusto T1558.003 - Kerberoasting
Sigma Uncommon Outbound Kerberos Connection - Security test
Splunk Unusual Number of Kerberos Service Tickets Requested production
Elastic User account exposed to Kerberoasting production
Sigma User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' test
Splunk Windows PowerView Kerberos Service Ticket Request production
Splunk Windows PowerView SPN Discovery production
Splunk Windows Process With NetExec Command Line Parameters production

Steal or Forge Kerberos Tickets: AS-REP Roasting T1558.004 10 rules

Splunk Disabled Kerberos Pre-Authentication Discovery With Get-ADUser production
Splunk Disabled Kerberos Pre-Authentication Discovery With PowerView production
Sigma Kerberos AS-REP Roasting ticket request detected experimental
Elastic Kerberos Pre-authentication Disabled for User production
Splunk Kerberos Pre-Authentication Flag Disabled in UserAccountControl production
Splunk Kerberos Pre-Authentication Flag Disabled with PowerShell production
Sigma Potential AS-REP Roasting via Kerberos TGT Requests experimental
Splunk Rubeus Command Line Parameters production
Elastic Suspicious Kerberos Authentication Ticket Request production
Splunk Windows Process With NetExec Command Line Parameters production

Steal or Forge Kerberos Tickets: Ccache Files T1558.005 3 rules

Elastic First Time Python Accessed Sensitive Credential Files production
Elastic Kerberos Cached Credentials Dumping production
Elastic Potential Kerberos Attack via Bifrost production

Forge Web Credentials T1606 16 rules

Kusto Azure secure score PW age policy new available
Kusto BTP - Cloud Identity Service application configuration monitor available
Kusto BTP - Trust and authorization Identity Provider monitor available
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Kusto Detect device token stealing with WDAC
Kusto Detect entra token request via specific BOF (IOC based)
Kusto Detect Multiple Hello for Business PRT tokens being used simultaneously for one device.
Kusto Detect suspicious foci token logins
Kusto Detect suspicious foci token logins V2
Kusto Detect Suspicious ncrypt.dll usage by CLI tool or unknown process
Kusto Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce
Kusto Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device
Kusto Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device
Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Elastic M365 Identity Unusual SSO Authentication Errors for User production
Sigma SAML Token Issuer Anomaly test

Forge Web Credentials: Web Cookies T1606.001 1 rule

Kusto Detect device token stealing with WDAC

Forge Web Credentials: SAML Tokens T1606.002 2 rules

Elastic FortiGate FortiCloud SSO Login from Unusual Source production
Elastic M365 Identity Unusual SSO Authentication Errors for User production

Multi-Factor Authentication Request Generation T1621 31 rules

Splunk ASL AWS Multi-Factor Authentication Disabled production
Panther Auth0 Push Notification Fatigue
Splunk AWS Console Login Failed During MFA Challenge production
Splunk AWS Multi-Factor Authentication Disabled production
Splunk AWS Multiple Failed MFA Requests For User production
Panther AWS Unsuccessful MFA attempt
Splunk Azure AD Authentication Failed During MFA Challenge production
Splunk Azure AD Multiple Denied MFA Requests For User production
Splunk Azure AD Multiple Failed MFA Requests For User production
Elastic Entra ID User Reported Suspicious Activity production
Splunk GCP Authentication Failed During MFA Challenge production
Splunk GCP Multiple Failed MFA Requests For User production
Kusto MFA Fatigue (OKTA) available
Sigma MFA Push Fatigue - detects when a user is repeatedly prompted for MFA push. experimental
Sigma Multifactor Authentication Denied test
Sigma Multifactor Authentication Interrupted test
Splunk O365 Multiple Failed MFA Requests For User production
Splunk Okta Authentication Failed During MFA Challenge production
Panther Okta Login Without Push
YARA-L Okta Mismatch Between Source And Response For Verify Push Request
Splunk Okta Mismatch Between Source and Response for Verify Push Request production
Splunk Okta Multiple Failed MFA Requests For User production
Splunk Okta Successful Single Factor Authentication production
YARA-L Okta User Failed Number Challenge During Push Notification
Splunk PingID Mismatch Auth Source and Verification Response production
Splunk PingID Multiple Failed MFA Requests For User production
Splunk PingID New MFA Method After Credential Reset production
Splunk PingID New MFA Method Registered For User production
Panther Potential Compromised Okta Credentials
Elastic Potential Okta MFA Bombing via Push Notifications production
Elastic Potentially Successful Okta MFA Bombing via Push Notifications production

Steal or Forge Authentication Certificates T1649 27 rules

Elastic Access to a Sensitive LDAP Attribute production
Splunk Certificate Abuse - Windows (Sysmon)
Splunk Certificate Abuse - Windows (Windows Event Log)
Splunk Certificate Enumeration - Windows (Windows Event Log)
Sigma Certificate Exported From Local Certificate Store test
Sigma Certificate Private Key Acquired test
Splunk Certutil exe certificate extraction production
Splunk Detect Certify Command Line Arguments production
Splunk Detect Certify With PowerShell Script Block Logging production
Splunk Detect Certipy File Modifications production
Sigma HackTool - Certify Execution test
Sigma HackTool - Certipy Execution test
Elastic Potential Invoke-Mimikatz PowerShell Script production
Splunk Steal or Forge Authentication Certificates Behavior Identified production
Splunk Windows Export Certificate production
Splunk Windows Mimikatz Crypto Export File Extensions production
Splunk Windows PowerShell Export Certificate production
Splunk Windows PowerShell Export PfxCertificate production
Splunk Windows Steal Authentication Certificates - ESC1 Abuse production
Splunk Windows Steal Authentication Certificates - ESC1 Authentication production
Splunk Windows Steal Authentication Certificates Certificate Issued production
Splunk Windows Steal Authentication Certificates Certificate Request production
Splunk Windows Steal Authentication Certificates CertUtil Backup production
Splunk Windows Steal Authentication Certificates CryptoAPI production
Splunk Windows Steal Authentication Certificates CS Backup production
Splunk Windows Steal Authentication Certificates Export Certificate production
Splunk Windows Steal Authentication Certificates Export PfxCertificate production

No specific technique 34 rules

Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation test
Sigma AADInternals PowerShell Cmdlets Execution - PsScript test
Sigma ADCS Certificate Template Configuration Vulnerability test
Sigma ADCS Certificate Template Configuration Vulnerability with Risky EKU test
Sigma Cisco Duo Successful MFA Authentication Via Bypass Code test
Sigma Cleartext Protocol Usage stable
Sigma Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE test
Sigma Creation of large amount of unverified accounts experimental
Sigma CVE-2023-23397 Exploitation Attempt test
Sigma Google Cloud Kubernetes RoleBinding test
Sigma Google Cloud Kubernetes Secrets Modified or Deleted test
Sigma HackTool - LaZagne Execution experimental
Sigma HackTool - NPPSpy Hacktool Usage test
Sigma Kubernetes Secrets Modified or Deleted test
Elastic M365 Purview Security Compliance Signal production building block
Sigma Multi Factor Authentication Disabled For User Account test
Sigma New Okta User Created test
Sigma Okta 2023 Breach Indicator Of Compromise test
Sigma Okta Admin Functions Access Through Proxy test
Sigma Okta Password Health Report Query test
Kusto Password Spray
Kusto Potential Kerberos Relaying Activity - MDE
Kusto Potential NTLM Relay Attack to Domain Controller
Kusto Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint
Kusto Potentially Relayed NTLM Authentication - Microsoft Sentinel
Kusto Potentially Relayed NTLM Authentication - Microsoft Sentinel
Panther Query.Okta.SWABulkAccessBehavioral
Panther Query.Okta.SWAOffHoursAccessBehavioral
Sigma Remote Thread Creation In Mstsc.Exe From Suspicious Location test
Kusto RSA ID Plus - Locked Administrator Account Detected available
Sigma Standard User In High Privileged Group test
Sigma Successful Logins and Signups from Flagged IPs experimental
Kusto Suspicious TGT Request with a DC Account
Sigma Veeam Backup Servers Credential Dumping Script Execution test

Discovery

System Service Discovery T1007 25 rules

Splunk Common Active Directory Commands (PowerShell)
Splunk Common Active Directory Commands (Sysmon)
Splunk Common Active Directory Commands (Windows Event Log)
Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Sigma Crontab Enumeration test
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Enumeration Command Spawned via WMIPrvSE production
Sigma ESXi Network Configuration Discovery Via ESXCLI test
Sigma ESXi Storage Information Discovery Via ESXCLI test
Sigma ESXi System Information Discovery Via ESXCLI test
Sigma ESXi VM List Discovery Via ESXCLI test
Sigma ESXi VSAN Information Discovery Via ESXCLI test
Sigma HackTool - PCHunter Execution test
Sigma Net.EXE Execution test
Sigma Potential Configuration And Service Reconnaissance Via Reg.EXE test
Sigma Potential Registry Reconnaissance Via PowerShell Script test
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Sigma SC.EXE Query Execution test
Elastic System Service Discovery through built-in Windows Utilities production building block
Splunk Windows Net System Service Discovery production
Splunk Windows WinPEAS PowerShell Script Execution production

Application Window Discovery T1010 2 rules

Kusto Qakbot Discovery Activies available
Sigma SCM Database Handle Failure test

Query Registry T1012 34 rules

Sigma Azure AD Health Monitoring Agent Registry Keys Access test
Sigma Azure AD Health Service Agents Registry Keys Access test
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Enumeration Command Spawned via WMIPrvSE production
Sigma Exports Critical Registry Keys To a File test
Sigma Exports Registry Key To a File test
Sigma HackTool - PCHunter Execution test
Kusto Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access available
Sigma Operation Wocao Activity test
Sigma Operation Wocao Activity - Security test
Sigma Potential Baby Shark Malware Activity test
Sigma Potential Configuration And Service Reconnaissance Via Reg.EXE test
Sigma Potential Registry Reconnaissance Via PowerShell Script test
Splunk Query Registry (PowerShell)
Splunk Query Registry (Windows Event Log)
Elastic Query Registry using Built-in Tools production building block
Splunk Reg.exe Process Execution (Sysmon)
Splunk Reg.exe Process Execution (Windows Event Log)
Sigma Registry Manipulation via WMI Stdregprov experimental
Sigma SAM Registry Hive Handle Request test
Sigma SysKey Registry Keys Access test
Splunk Windows Credential Access From Browser Password Store production
Splunk Windows Credentials from Password Stores Chrome Extension Access production
Splunk Windows Credentials from Password Stores Chrome LocalState Access production
Splunk Windows Credentials from Password Stores Chrome Login Data Access production
Splunk Windows Hosts File Access production
Splunk Windows Non Discord App Access Discord LevelDB production
Splunk Windows Post Exploitation Risk Behavior production
Splunk Windows Product Key Registry Query production
Splunk Windows Query Registry Browser List Application production
Splunk Windows Query Registry UnInstall Program List production
Splunk Windows Registry Entries Exported Via Reg production
Splunk Windows Registry Entries Restored Via Reg production
Splunk Windows Software Discovery Via PowerShell production

System Network Configuration Discovery T1016 70 rules

Elastic Active Directory Discovery using AdExplorer production
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Sigma Cisco Discovery test
Splunk Cisco IOS XE Reconnaissance Command Activity production
Splunk Cisco NVM - Suspicious Network Connection to IP Lookup Service API production
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Discovery Command Output Written to Suspicious File production
Elastic Discovery of Internet Capabilities via Built-in Tools production building block
Elastic DNS Enumeration Detected via Defend for Containers production
Elastic DNS Request for IP Lookup Service via Unsigned Binary production
Splunk Domain Controller Enumeration via nltest (PowerShell)
Splunk Domain Controller Enumeration via nltest (Sysmon)
Splunk Domain Controller Enumeration via nltest (Windows Event Log)
Elastic Enumeration Command Spawned via WMIPrvSE production
Elastic External IP Address Discovery via Curl production
Elastic External IP Lookup from Non-Browser Process production building block
Sigma Failed DNS server zone transfer for enumeration purposes experimental
Sigma Firewall Configuration Discovery Via Netsh.EXE test
Sigma Firewall configuration enumerated (command) experimental
Sigma Firewall configuration enumerated (PowerShell) experimental
Splunk Linux Auditd System Network Configuration Discovery production
Splunk Linux System Network Discovery production
Sigma Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test
Splunk MacOS List Firewall Rules production
Splunk Multiple nslookup commands (Sysmon)
Splunk Multiple nslookup commands (Windows Event Log)
Splunk Network Discovery Using Route Windows App production
Sigma Nltest.EXE Execution test
Splunk Nslookup Execution (Windows Event Log)
Sigma OpenCanary - SNMP OID Request test
Elastic Potential Meterpreter Reverse Shell production
Sigma Potential Pikabot Discovery Activity test
Sigma Potential Recon Activity Via Nltest.EXE test
Splunk Potential System Network Configuration Discovery Activity production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Kusto Probable AdFind Recon Tool Usage available
YARA-L Recon Environment Enumeration Network CISA Report
Elastic Remote System Discovery Commands production building block
Sigma Scheduled task enumerated experimental
Elastic Suspicious Instance Metadata Service (IMDS) API Command Line Execution production
Elastic Suspicious Instance Metadata Service (IMDS) API Request production
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious MS Office Child Process production
Sigma Suspicious Network Command test
Sigma Suspicious Network Connection to IP Lookup Service APIs test
Elastic Suspicious PDF Reader Child Process production
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Elastic System and Network Configuration Check production
Elastic System Hosts File Access production building block
Elastic System Network Connections Discovery production building block
Sigma System Network Discovery - Linux test
Sigma System Network Discovery - macOS test
Elastic System Public IP Discovery via DNS Query production
Elastic Unusual Linux Network Configuration Discovery production
Splunk Windows Common Abused Cmd Shell Risk Behavior production
Splunk Windows Post Exploitation Risk Behavior production
Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
Splunk Windows System Network Config Discovery Display DNS production
Elastic Windows System Network Connections Discovery production building block
Splunk Windows WinPEAS PowerShell Script Execution production
Sigma Winlogon process contact to C2 - Blacklotus (Sysmon) experimental
Elastic Wireless Credential Dumping using Netsh Command production

System Network Configuration Discovery: Internet Connection Discovery T1016.001 8 rules

Elastic Discovery of Internet Capabilities via Built-in Tools production building block
Elastic DNS Request for IP Lookup Service via Unsigned Binary production
Elastic Enumeration Command Spawned via WMIPrvSE production
Elastic External IP Address Discovery via Curl production
Elastic External IP Lookup from Non-Browser Process production building block
Splunk Network Discovery Using Route Windows App production
Elastic Suspicious PDF Reader Child Process production
Elastic System Public IP Discovery via DNS Query production

Remote System Discovery T1018 85 rules

Sigma Active Directory Computers Enumeration With Get-AdComputer test
Elastic Active Directory Discovery using AdExplorer production
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Panther Azure Excessive IP and VM Discovery
Sigma Chopper Webshell Process Pattern test
Sigma Cisco Discovery test
Splunk Cisco IOS XE Remote Access Probe Burst production
Splunk Cisco Secure Firewall - Blocked Connection production
Splunk Cisco Secure Firewall - Repeated Blocked Connections production
Kusto Claroty - Policy violation available
Kusto Claroty - Suspicious activity available
Kusto Claroty - Suspicious file transfer available
Kusto Claroty - Threat detected available
Sigma DirectorySearcher Powershell Exploitation test
Elastic DNS Enumeration Detected via Defend for Containers production
Sigma DNS hosts file accessed via network share experimental
Splunk Domain Controller Discovery with Nltest production
Splunk Domain Controller Discovery with Wmic production
Splunk Domain Controller Enumeration via nltest (PowerShell)
Splunk Domain Controller Enumeration via nltest (Sysmon)
Splunk Domain Controller Enumeration via nltest (Windows Event Log)
Elastic Enumerating Domain Trusts via DSQUERY.EXE production
Elastic Enumerating Domain Trusts via NLTEST.EXE production
Elastic Enumeration Command Spawned via WMIPrvSE production
Splunk FScan.exe Network Scan (Sysmon)
Splunk FScan.exe Network Scan (Windows Event Log)
Splunk GetAdComputer with PowerShell production
Splunk GetAdComputer with PowerShell Script Block production
Splunk GetDomainComputer with PowerShell production
Splunk GetDomainComputer with PowerShell Script Block production
Splunk GetDomainController with PowerShell production
Splunk GetDomainController with PowerShell Script Block production
Splunk GetWmiObject Ds Computer with PowerShell production
Splunk GetWmiObject Ds Computer with PowerShell Script Block production
Sigma HackTool - NetExec Execution experimental
Kusto Hunt for ADWS requests from unknown devices
Kusto LDAP reconnaissance via search filters
Sigma Linux Remote System Discovery test
Sigma Macos Remote System Discovery test
Splunk Multiple nslookup commands (Sysmon)
Splunk Multiple nslookup commands (Windows Event Log)
Sigma Net.EXE Execution test
Sigma Nltest.EXE Execution test
Splunk NMAP Execution (EDR)
Splunk NMAP Execution (PowerShell)
Splunk NMAP Execution (Windows Event Log)
Elastic Potential Enumeration via Active Directory Web Service production
Elastic Potential Network Scan Executed From Host production
Elastic Potential Network Sweep Detected production
Splunk Potential Ping Sweep (Windows Event Log)
Elastic Potential Subnet Scanning Activity from Compromised Host production
Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
Splunk PowerHuntShares Commands (PowerShell)
Splunk PowerHuntShares Commands (Sysmon)
Splunk PowerHuntShares Commands (Windows Event Log)
Kusto Probable AdFind Recon Tool Usage available
Kusto Probable AdFind Recon Tool Usage (Normalized Process Events)
Sigma PUA - AdFind Suspicious Execution test
Sigma PUA - Adidnsdump Execution test
Elastic Remote System Discovery Commands production building block
Splunk Remote System Discovery with Adsisearcher production
Splunk Remote System Discovery with Dsquery production
Splunk Remote System Discovery with Wmic production
Sigma Renamed AdFind Execution test
Sigma Share And Session Enumeration Using Net.EXE stable
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Spike in Firewall Denies production
Sigma Suspicious Scan Loop Network test
Elastic System Hosts File Access production building block
Sigma Webshell Detection With Command Line Keywords test
Sigma Webshell Hacking Activity Patterns test
Splunk Windows AdFind Exe production
Splunk Windows Get-AdComputer Unconstrained Delegation Discovery production
Splunk Windows Netspy Network Scanner Execution production
Elastic Windows Network Enumeration production building block
Splunk Windows PowerView Constrained Delegation Discovery production
Splunk Windows PowerView Unconstrained Delegation Discovery production
Splunk Windows PsTools Recon Usage production

System Owner/User Discovery T1033 78 rules

Elastic Account Discovery Command via SYSTEM Account production
Elastic AWS STS GetCallerIdentity API Called for the First Time production
Splunk Check Elevated CMD using whoami production
Sigma Chopper Webshell Process Pattern test
Sigma Cisco Discovery test
Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Sigma Computer Discovery And Export Via Get-ADComputer Cmdlet test
Sigma Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell test
Elastic Discovery Command Output Written to Suspicious File production
Sigma Enumerate All Information With Whoami.EXE test
Elastic Enumeration Command Spawned via WMIPrvSE production
Sigma ESXi Network Configuration Discovery Via ESXCLI test
Sigma ESXi Storage Information Discovery Via ESXCLI test
Sigma ESXi System Information Discovery Via ESXCLI test
Sigma ESXi VM List Discovery Via ESXCLI test
Sigma ESXi VSAN Information Discovery Via ESXCLI test
Sigma Get-ADUser Enumeration Using UserAccountControl Flags test
Splunk GetCurrent User with PowerShell production
Splunk GetCurrent User with PowerShell Script Block production
Sigma Group Membership Reconnaissance Via Whoami.EXE test
Sigma HackTool - SharpLdapWhoami Execution test
Sigma HackTool - SharpView Execution test
Elastic Interactive Privilege Boundary Enumeration Detected via Defend for Containers production
Kusto LDAP reconnaissance via search filters
Splunk Linux Auditd Whoami User Discovery production
Sigma Local Accounts Discovery test
YARA-L Local Accounts Discovery
YARA-L MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report
Elastic Passwordless Sudo Probing production
Sigma Possible DCSync Attack test
Sigma Potential Dridex Activity stable
Elastic Potentially Suspicious Process Started via tmux or screen production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Splunk PowerView_SharpView Commands (PowerShell)
Sigma Renamed Whoami Execution test
Sigma Security Privileges Enumeration Via Whoami.EXE test
Sigma SharpHound Recon Sessions test
Elastic Sudo Command Enumeration Detected production
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious PDF Reader Child Process production
Sigma Suspicious PowerShell Get Current User test
Elastic Suspicious React Server Child Process production
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Sigma System Owner or User Discovery - Linux test
Elastic System Owner/User Discovery Linux production building block
Splunk System Owner_User Discovery - Windows (PowerShell)
Splunk System Owner_User Discovery - Windows (Sysmon)
Splunk System Owner_User Discovery - Windows (Windows Event Log)
Splunk System User Discovery With Query production
Splunk System User Discovery With Whoami production
Elastic Unusual Linux User Discovery Activity production
Elastic Unusual User Privilege Enumeration via id production
Sigma User Discovery And Export Via Get-ADUser Cmdlet test
Sigma User Discovery And Export Via Get-ADUser Cmdlet - PowerShell test
Splunk User Discovery via Environment Variables - PowerShell (PowerShell)
Splunk User Discovery With Env Vars PowerShell production
Splunk User Discovery With Env Vars PowerShell Script Block production
Sigma Webshell Detection With Command Line Keywords test
Sigma Webshell Hacking Activity Patterns test
Sigma WhoAmI as Parameter test
YARA-L Whoami Execution
Elastic Whoami Process Activity production
Sigma Whoami.EXE Execution Anomaly test
Sigma Whoami.EXE Execution From Privileged Process test
Sigma Whoami.EXE Execution With Output Option test
Elastic Windows Account or Group Discovery production building block
Splunk Windows Common Abused Cmd Shell Risk Behavior production
Splunk Windows System Discovery Using ldap Nslookup production
Splunk Windows System Discovery Using Qwinsta production
Splunk Windows System Remote Discovery With Query production
Splunk Windows System User Discovery Via Quser production
Splunk Windows System User Privilege Discovery production
Splunk Windows WinPEAS PowerShell Script Execution production

Network Sniffing T1040 24 rules

Elastic AWS EC2 Full Network Packet Capture Detected production
Panther AWS EC2 Traffic Mirroring
Panther Azure Network Packet Capture Enabled
Kusto Azure secure score PW age policy new available
Elastic Azure VNet Full Network Packet Capture Enabled production
Splunk Cisco ASA - Packet Capture Activity production
Sigma Cisco Sniffing test
Splunk Cisco SNMP Community String Configuration Changes production
Sigma Harvesting Of Wifi Credentials Via Netsh.EXE test
Panther Kubernetes Ingress Created Without TLS
Sigma Network Sniffing - Linux test
Sigma Network Sniffing - MacOs test
Elastic Network Traffic Capture via CAP_NET_RAW production building block
Sigma New Network Trace Capture Started Via Netsh.EXE test
Sigma PktMon.EXE Execution test
Sigma Potential Network Sniffing Activity Using Network Tools test
Sigma Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Suspicious Network Tool Launch Detected via Defend for Containers production
Elastic Suspicious Network Tool Launched Inside A Container production
Sigma Windows native Pktmon sniffer abuse experimental
Sigma Windows Pcap Drivers test
Sigma Windows traffic capture abuse experimental
Kusto Zoom E2E Encryption Disabled

Network Service Discovery T1046 96 rules

Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Kusto Abnormal Deny Rate for Source IP available
Splunk Advanced IP or Port Scanner Execution production
Sigma Advanced IP Scanner - File Event test
Splunk Advanced IP Scanner Execution (Sysmon)
Splunk Advanced IP Scanner Execution (Windows Event Log)
Splunk Advanced Port Scanner Execution (Sysmon)
Splunk Advanced Port Scanner Execution (Windows Event Log)
Kusto Anomaly found in Network Session Traffic (ASIM Network Session schema) available
Sigma Anonymous access performed to multiple targets experimental
Kusto App Gateway WAF - Scanner Detection available
Kusto AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available
Panther Azure Excessive IP and VM Discovery
Panther Azure Excessive Network Security Group Read
Kusto Cisco ASA - average attack detection rate increase available
Kusto Cisco ASA - threat detection message fired available
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Splunk Cisco IOS XE Remote Access Probe Burst production
Splunk Cisco Secure Firewall - Blocked Connection production
Splunk Cisco Secure Firewall - Repeated Blocked Connections production
Kusto CloudNGFW By Palo Alto Networks - possible internal to external port scanning available
Kusto CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Elastic DNS Enumeration Detected via Defend for Containers production
Splunk FScan.exe Network Scan (Sysmon)
Splunk FScan.exe Network Scan (Windows Event Log)
Kusto GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available
Sigma Grixba Malware Reconnaissance Activity experimental
Kusto GSA - Detect Source IP Scanning Multiple Open Ports available
Sigma HackTool - winPEAS Execution test
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Elastic Hping Process Activity production
Splunk Internal Horizontal Port Scan production
Splunk Internal Horizontal Port Scan NMAP Top 20 production
Splunk Internal Port Scan - Critical Ports (Windows Event Log)
Splunk Internal Vertical Port Scan production
Splunk Internal Vulnerability Scan experimental
Splunk Kubernetes Access Scanning production
Splunk Kubernetes Scanning by Unauthenticated IP Address production
Sigma Linux Network Service Scanning - Auditd test
Sigma Linux Network Service Scanning Tools Execution test
Sigma MacOS Network Service Scanning test
Splunk masscan Execution - Windows (PowerShell)
Splunk masscan Execution - Windows (Sysmon)
Splunk masscan Execution - Windows (Windows Event Log)
Kusto Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) available
Sigma Network login performed to multiple targets experimental
Kusto Network Port Sweep from External Network (ASIM Network Session schema) available
Elastic Nping Process Activity production
Sigma OpenCanary - Host Port Scan (SYN Scan) experimental
Sigma OpenCanary - NMAP FIN Scan experimental
Sigma OpenCanary - NMAP NULL Scan experimental
Sigma OpenCanary - NMAP OS Scan experimental
Sigma OpenCanary - NMAP XMAS Scan experimental
Kusto Palo Alto - possible internal to external port scanning available
Kusto Palo Alto Threat signatures from Unusual IP addresses available
Sigma Pnscan Binary Data Transmission Activity test
Kusto Port Scan available
Kusto Port Scan Detected available
Kusto Port scan detected (ASIM Network Session schema) available
Kusto Port Sweep available
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Network Scan Detected production
Elastic Potential Network Scan Executed From Host production
Elastic Potential Network Sweep Detected production
Elastic Potential Port Scanning Activity from Compromised Host production
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential Subnet Scanning Activity from Compromised Host production
Elastic Potential SYN-Based Port Scan Detected production
Elastic Potentially Suspicious Process Started via tmux or screen production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PUA - Advanced IP Scanner Execution test
Sigma PUA - Advanced Port Scanner Execution test
Sigma PUA - NimScan Execution test
Sigma PUA - Nmap/Zenmap Execution test
Sigma PUA - SoftPerfect Netscan Execution test
Sigma Python Initiated Connection test
Kusto Rare client observed with high reverse DNS lookup count available
Sigma RDP discovery performed on multiple hosts experimental
Kusto Several deny actions registered available
Splunk SoftPerfect Network Scanner Execution (Sysmon)
Splunk SoftPerfect Network Scanner Execution (Windows Event Log)
Elastic Spike in Firewall Denies production
Elastic Spike in host-based traffic production
Elastic Spike in Network Traffic production
Elastic Spike in Network Traffic To a Country production
Elastic Suricata and Elastic Defend Network Correlation production
Sigma Suspicious anonymous login (domain specified) experimental
Elastic Suspicious Network Tool Launch Detected via Defend for Containers production
Elastic Suspicious Network Tool Launched Inside A Container production
Panther Teleport Network Scan Initiated
Panther Upwind Network Detection Passthrough Experimental
Panther VPC Flow Port Scanning Deprecated
Panther VPC Flow Port Scanning Experimental
Splunk Windows PsTools Recon Usage production

System Network Connections Discovery T1049 33 rules

Sigma Cisco Discovery test
Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic DNS Enumeration Detected via Defend for Containers production
Elastic Enumeration Command Spawned via WMIPrvSE production
Splunk GetNetTcpconnection with PowerShell production
Splunk GetNetTcpconnection with PowerShell Script Block production
Sigma HackTool - SharpView Execution test
Sigma Net.EXE Execution test
Splunk Network Connection Discovery With Arp production
Splunk Network Connection Discovery With Netstat production
Sigma Potential Pikabot Discovery Activity test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk PowerView_SharpView Commands (PowerShell)
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Elastic System Network Connections Discovery production building block
Sigma System Network Connections Discovery - Linux test
Sigma System Network Connections Discovery - MacOs test
Splunk System Network Connections Discovery - Windows (PowerShell)
Splunk System Network Connections Discovery - Windows (Sysmon)
Splunk System Network Connections Discovery - Windows (Windows Event Log)
Sigma System Network Connections Discovery Via Net.EXE test
Elastic Unusual Linux Network Connection Discovery production
Sigma Use Get-NetTCPConnection test
Sigma Use Get-NetTCPConnection - PowerShell Module test
Splunk Windows Common Abused Cmd Shell Risk Behavior production
Splunk Windows Network Connection Discovery Via Net production
Splunk Windows Post Exploitation Risk Behavior production
Elastic Windows System Network Connections Discovery production building block
Splunk Windows System Network Connections Discovery Netsh production

Process Discovery T1057 33 rules

Sigma Cisco Discovery test
Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Enumeration Command Spawned via WMIPrvSE production
Sigma HackTool - PCHunter Execution test
Elastic Potential Linux Credential Dumping via Proc Filesystem production
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Memory Seeking Activity production building block
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Capability Enumeration production
Sigma Process Discovery stable
Elastic Process Discovery Using Built-in Tools production building block
Elastic Process Discovery via Built-In Applications production building block
Sigma Recon Command Output Piped To Findstr.EXE test
Elastic Suspicious /proc/maps Discovery production
Elastic Suspicious Dynamic Linker Discovery via od production
Elastic Suspicious JetBrains TeamCity Child Process production
Elastic Suspicious Memory grep Activity production
Elastic Suspicious MS Office Child Process production
Elastic Suspicious PDF Reader Child Process production
Elastic Suspicious Proc Pseudo File System Enumeration production building block
Sigma Suspicious Process Discovery With Get-Process test
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Sigma Suspicious Tasklist Discovery Command test
Sigma System Info Discovery via Sysinfo Syscall experimental
Elastic System Service Discovery through built-in Windows Utilities production building block
Elastic Unusual Linux Process Discovery Activity production
Kusto Votiro - File Blocked from Connector
Splunk Windows Process Commandline Discovery production

Permission Groups Discovery T1069 124 rules

Elastic Account or Group Discovery via Built-In Tools production building block
Sigma Active Directory Database Snapshot Via ADExplorer test
Elastic Active Directory Discovery using AdExplorer production
Sigma Active Directory Group Enumeration With Get-AdGroup test
Sigma AD Groups Or Users Enumeration Using PowerShell - PoshModule test
Sigma AD Groups Or Users Enumeration Using PowerShell - ScriptBlock test
Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Splunk ASL AWS IAM Successful Group Deletion production
Panther AWS IAM Group Read Only Events
Elastic AWS IAM Principal Enumeration via UpdateAssumeRolePolicy production
Splunk AWS IAM Successful Group Deletion production
Sigma BloodHound Collection Files test
Kusto Cross-Cloud Suspicious Compute resource creation in GCP
Kusto Cross-Cloud Suspicious user activity observed in GCP Envourment
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Elastic Discovery of Domain Groups production building block
Splunk Domain Group Discovery with Adsisearcher production
Splunk Domain Group Discovery With Dsquery production
Splunk Domain Group Discovery With Wmic production
Sigma Domain group enumeration experimental
Splunk Elevated Group Discovery with PowerView production
Splunk Elevated Group Discovery With Wmic production
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Elastic Enumeration of Administrator Accounts production
Elastic Enumeration of Privileged Local Groups Membership production
Elastic Enumeration of Users or Groups via Built-in Commands production
Kusto GCP IAM - Privileges Enumeration available
Kusto GCP IAM - Publicly exposed storage bucket available
Kusto GCP IAM - Service Account Keys Enumeration available
Splunk Get WMIObject Group Discovery production
Splunk Get WMIObject Group Discovery with Script Block Logging production
Splunk GetAdGroup with PowerShell production
Splunk GetAdGroup with PowerShell Script Block production
Splunk GetDomainGroup with PowerShell production
Splunk GetDomainGroup with PowerShell Script Block production
Splunk GetWmiObject Ds Group with PowerShell production
Splunk GetWmiObject Ds Group with PowerShell Script Block production
Sigma Group discovery (command)
Sigma Group discovery (PowerShell)
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma HackTool - SharpView Execution test
Kusto Hunt for ADWS requests from unknown devices
Splunk IcedID Discovery Commands (EDR)
Splunk IcedID Discovery Commands (Sysmon)
Splunk IcedID Discovery Commands (Windows Event Log)
Elastic Kubectl Permission Discovery production
Elastic Kubectl Workload and Cluster Discovery production building block
Elastic Kubernetes Direct API Request via Curl or Wget production
Elastic Kubernetes Suspicious Self-Subject Review via Unusual User Agent production
Kusto LDAP reconnaissance via search filters
Sigma Local domain group enumeration experimental
Sigma Local group enumeration triggered by Azure Virtual machine recovery tool stable
Sigma Local Groups Discovery - Linux test
Sigma Local Groups Discovery - MacOs test
Sigma Local Groups Reconnaissance Via Wmic.EXE test
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Sigma Massive SAM users/groups enumeration (native) experimental
Sigma Net.EXE Execution test
Splunk Network Traffic to Active Directory Web Services Protocol production
Kusto OCI - Insecure metadata endpoint available
Kusto OCI - Instance metadata access available
Sigma Permission Check Via Accesschk.EXE test
Splunk Permission Groups Discovery: Domain Groups (PowerShell)
Splunk Permission Groups Discovery: Domain Groups (Sysmon)
Splunk Permission Groups Discovery: Domain Groups (Windows Event Log)
Splunk Permission Groups Discovery: Local Groups (PowerShell)
Splunk Permission Groups Discovery: Local Groups (Sysmon)
Splunk Permission Groups Discovery: Local Groups (Windows Event Log)
Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
Elastic Potential Enumeration via Active Directory Web Service production
Splunk PowerShell Get LocalGroup Discovery production
Splunk Powershell Get LocalGroup Discovery with Script Block Logging production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Splunk PowerView_SharpView Commands (PowerShell)
Kusto Probable AdFind Recon Tool Usage available
Sigma PUA - AdFind Suspicious Execution test
Sigma RBAC Permission Enumeration Attempt test
YARA-L Recon Environment Enumeration Active Directory CISA Report
Sigma Reconnaissance Activity test
Sigma Remote local admin group enumeration via SharpHound experimental
Elastic Remote System Discovery Commands production building block
Sigma Renamed AdFind Execution test
Sigma Sensitive SAM domain user & groups discovery (native) experimental
Splunk SharpHound Enumeration (Windows Event Log)
Sigma SharpHound host enumeration over Kerberos experimental
Splunk SharpHound Keywords (PowerShell)
Elastic Sudo Command Enumeration Detected production
Elastic Suspicious Access to LDAP Attributes production
Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
Sigma Suspicious Get Information for SMB Share test
Sigma Suspicious Get Information for SMB Share - PowerShell Module test
Sigma Suspicious Get Local Groups Information test
Sigma Suspicious Get Local Groups Information - PowerShell test
Elastic System Owner/User Discovery Linux production building block
Elastic Unusual Group Name Accessed by a User production
Elastic Unusual User Privilege Enumeration via id production
Elastic Whoami Process Activity production
Elastic Windows Account or Group Discovery production building block
Splunk Windows Admin Permission Discovery production
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows Group Discovery Via Net production
Splunk Windows Ldifde Directory Object Behavior production
Splunk Windows Post Exploitation Risk Behavior production
Splunk Windows PowerView AD Access Control List Enumeration production
Splunk Windows Sensitive Group Discovery With Net production
Splunk Windows SOAPHound Binary Execution production
Splunk Wmic Group Discovery production

Permission Groups Discovery: Local Groups T1069.001 46 rules

Elastic Account or Group Discovery via Built-In Tools production building block
Sigma AD Groups Or Users Enumeration Using PowerShell - PoshModule test
Sigma AD Groups Or Users Enumeration Using PowerShell - ScriptBlock test
Sigma BloodHound Collection Files test
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Elastic Enumeration of Administrator Accounts production
Elastic Enumeration of Privileged Local Groups Membership production
Elastic Enumeration of Users or Groups via Built-in Commands production
Splunk Get WMIObject Group Discovery production
Splunk Get WMIObject Group Discovery with Script Block Logging production
Sigma Group discovery (command)
Sigma Group discovery (PowerShell)
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma Local domain group enumeration experimental
Sigma Local group enumeration triggered by Azure Virtual machine recovery tool stable
Sigma Local Groups Discovery - Linux test
Sigma Local Groups Discovery - MacOs test
Sigma Local Groups Reconnaissance Via Wmic.EXE test
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Sigma Net.EXE Execution test
Splunk Network Traffic to Active Directory Web Services Protocol production
Sigma Permission Check Via Accesschk.EXE test
Splunk PowerShell Get LocalGroup Discovery production
Splunk Powershell Get LocalGroup Discovery with Script Block Logging production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Sigma Remote local admin group enumeration via SharpHound experimental
Splunk SharpHound Enumeration (Windows Event Log)
Splunk SharpHound Keywords (PowerShell)
Elastic Sudo Command Enumeration Detected production
Sigma Suspicious Get Information for SMB Share test
Sigma Suspicious Get Information for SMB Share - PowerShell Module test
Sigma Suspicious Get Local Groups Information test
Sigma Suspicious Get Local Groups Information - PowerShell test
Elastic Unusual User Privilege Enumeration via id production
Elastic Windows Account or Group Discovery production building block
Splunk Windows Admin Permission Discovery production
Splunk Windows Group Discovery Via Net production
Splunk Windows SOAPHound Binary Execution production
Splunk Wmic Group Discovery production

Permission Groups Discovery: Domain Groups T1069.002 74 rules

Elastic Account or Group Discovery via Built-In Tools production building block
Sigma Active Directory Database Snapshot Via ADExplorer test
Elastic Active Directory Discovery using AdExplorer production
Sigma Active Directory Group Enumeration With Get-AdGroup test
Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Sigma BloodHound Collection Files test
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Elastic Discovery of Domain Groups production building block
Splunk Domain Group Discovery with Adsisearcher production
Splunk Domain Group Discovery With Dsquery production
Splunk Domain Group Discovery With Wmic production
Sigma Domain group enumeration experimental
Splunk Elevated Group Discovery with PowerView production
Splunk Elevated Group Discovery With Wmic production
Elastic Enumeration of Administrator Accounts production
Elastic Enumeration of Users or Groups via Built-in Commands production
Splunk GetAdGroup with PowerShell production
Splunk GetAdGroup with PowerShell Script Block production
Splunk GetDomainGroup with PowerShell production
Splunk GetDomainGroup with PowerShell Script Block production
Splunk GetWmiObject Ds Group with PowerShell production
Splunk GetWmiObject Ds Group with PowerShell Script Block production
Sigma Group discovery (command)
Sigma Group discovery (PowerShell)
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma HackTool - SharpView Execution test
Kusto Hunt for ADWS requests from unknown devices
Splunk IcedID Discovery Commands (EDR)
Splunk IcedID Discovery Commands (Sysmon)
Splunk IcedID Discovery Commands (Windows Event Log)
Kusto LDAP reconnaissance via search filters
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Sigma Massive SAM users/groups enumeration (native) experimental
Sigma Net.EXE Execution test
Splunk Network Traffic to Active Directory Web Services Protocol production
Splunk Permission Groups Discovery: Domain Groups (PowerShell)
Splunk Permission Groups Discovery: Domain Groups (Sysmon)
Splunk Permission Groups Discovery: Domain Groups (Windows Event Log)
Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
Elastic Potential Enumeration via Active Directory Web Service production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Splunk PowerView_SharpView Commands (PowerShell)
Kusto Probable AdFind Recon Tool Usage available
Sigma PUA - AdFind Suspicious Execution test
YARA-L Recon Environment Enumeration Active Directory CISA Report
Sigma Reconnaissance Activity test
Elastic Remote System Discovery Commands production building block
Sigma Renamed AdFind Execution test
Sigma Sensitive SAM domain user & groups discovery (native) experimental
Splunk SharpHound Enumeration (Windows Event Log)
Sigma SharpHound host enumeration over Kerberos experimental
Splunk SharpHound Keywords (PowerShell)
Elastic Suspicious Access to LDAP Attributes production
Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
Elastic Windows Account or Group Discovery production building block
Splunk Windows Group Discovery Via Net production
Splunk Windows Ldifde Directory Object Behavior production
Splunk Windows Sensitive Group Discovery With Net production
Splunk Windows SOAPHound Binary Execution production

Permission Groups Discovery: Cloud Groups T1069.003 8 rules

Splunk ASL AWS IAM Successful Group Deletion production
Elastic AWS IAM Principal Enumeration via UpdateAssumeRolePolicy production
Splunk AWS IAM Successful Group Deletion production
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Elastic Kubernetes Suspicious Self-Subject Review via Unusual User Agent production
Sigma RBAC Permission Enumeration Attempt test
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production

System Information Discovery T1082 158 rules

Sigma Audit policy enumerated experimental
Kusto Azure Security Benchmark Posture Changed
Sigma Bitbucket User Details Export Attempt Detected test
Sigma Bitbucket User Permissions Export Attempt test
Kusto CDM_ContinuousDiagnostics&Mitigation_PostureChanged available
Splunk Cisco ASA - Reconnaissance Command Activity production
Sigma Cisco Discovery test
Splunk Cisco IOS XE Reconnaissance Command Activity production
Kusto Claroty - New Asset available
Sigma CMD Shell Output Redirect test
Kusto CMMC 2.0 Level 1 (Foundational) Readiness Posture available
Kusto CMMC 2.0 Level 2 (Advanced) Readiness Posture available
Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Sigma Container Residence Discovery Via Proc Virtual FS test
Kusto Datawiza - massive errors detected
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect attackers scanning for vulnerable JBoss servers experimental
Kusto Detect Suspicious Commands Initiated by Webserver Processes available
Elastic Discovery Command Output Written to Suspicious File production
Sigma Docker Container Discovery Via Dockerenv Listing test
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Elastic Enumeration Command Spawned via WMIPrvSE production
Elastic Enumeration of Kernel Modules via Proc production building block
Elastic Environment Variable Enumeration Detected via Defend for Containers production
Splunk ESXi System Information Discovery production
Splunk Event Logs Queried for RDP Sessions (PowerShell)
Splunk Event Logs Queried for RDP Sessions (Sysmon)
Splunk Event Logs Queried for RDP Sessions (Windows Event Log)
Sigma HackTool - PCHunter Execution test
Sigma HackTool - winPEAS Execution test
YARA-L Hacktool - WinPEAS Execution Patterns
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Elastic Hping Process Activity production
Splunk IcedID Discovery Commands (EDR)
Splunk IcedID Discovery Commands (Sysmon)
Splunk IcedID Discovery Commands (Windows Event Log)
Elastic Interactive Privilege Boundary Enumeration Detected via Defend for Containers production
Elastic Kernel Instrumentation Discovery via kprobes and tracefs production
Elastic Kernel Seeking Activity production
Elastic Kernel Unpacking Activity production
Splunk Linux Auditd Kernel Module Enumeration production
Splunk Linux Kernel Module Enumeration production
Elastic Linux System Information Discovery production building block
Elastic Linux System Information Discovery via Getconf production building block
Kusto M2131_AssetStoppedLogging available
Kusto M2131_DataConnectorAddedChangedRemoved available
Kusto M2131_EventLogManagementPostureChanged_EL0 available
Kusto M2131_EventLogManagementPostureChanged_EL1 available
Kusto M2131_EventLogManagementPostureChanged_EL2 available
Kusto M2131_EventLogManagementPostureChanged_EL3 available
Kusto M2131_LogRetentionLessThan1Year available
Kusto M2131_RecommendedDatatableUnhealthy available
Elastic Manual Mount Discovery via /etc/exports or /etc/fstab production
Sigma Network Reconnaissance Activity test
Kusto NIST SP 800-53 Posture Changed available
Sigma OS Architecture Discovery Via Grep test
Elastic Passwordless Sudo Probing production
Kusto Pathlock TDnR - ABAP Runtime Dumps available
Kusto Pathlock TDnR - Database Cockpit Audit Events available
Kusto Pathlock TDnR - J2EE Security Audit Events available
Kusto Pathlock TDnR - J2EE Security Events available
Kusto Pathlock TDnR - Missing SAP Security Notes available
Kusto Pathlock TDnR - Pathlock Security Radar Internal Events available
Kusto Pathlock TDnR - RiskTrack Audit Results available
Kusto Pathlock TDnR - SAP BTP Cloud Foundry Events available
Kusto Pathlock TDnR - SAP HANA Database Audit Trail available
Kusto Pathlock TDnR - SAP Public Cloud Security Audit Events available
Kusto Pathlock TDnR - SAP Security Audit Log Events available
Kusto Pathlock TDnR - SAP System Log Events available
Kusto Pathlock TDnR - Transaction and Report Statistics available
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Polkit Version Discovery production
Sigma Potential Container Discovery Via Inodes Listing test
Sigma Potential GobRAT File Discovery Via Grep test
Elastic Potential Linux Hack Tool Launched production
Elastic Potential Meterpreter Reverse Shell production
Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
Sigma Potential Product Class Reconnaissance Via Wmic.EXE test
Sigma Potential Suspicious Activity Using SeCEdit test
Splunk Potential Target Discovery via PowerShell Event Log Queries (PowerShell)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Sigma PUA - System Informer Execution test
YARA-L Recon Environment Enumeration System CISA Report
YARA-L sap gateway ufo table access
Elastic Service Account Namespace Read Detected via Defend for Containers production
Splunk SharpHound Enumeration (Windows Event Log)
Splunk SharpHound Keywords (PowerShell)
Kusto Snowflake - Multiple failed queries available
Sigma Suspicious Execution of Hostname test
Sigma Suspicious Execution of Systeminfo test
Elastic Suspicious Instance Metadata Service (IMDS) API Command Line Execution production
Elastic Suspicious Instance Metadata Service (IMDS) API Request production
Elastic Suspicious JetBrains TeamCity Child Process production
Sigma Suspicious Kernel Dump Using Dtrace test
Elastic Suspicious Kernel Feature Activity production
Elastic Suspicious Modprobe File Event production building block
Elastic Suspicious MS Office Child Process production
Elastic Suspicious PDF Reader Child Process production
Elastic Suspicious Proc Pseudo File System Enumeration production building block
Sigma Suspicious Query of MachineGUID test
Elastic Suspicious React Server Child Process production
Elastic Suspicious SIP Check by macOS Application production
Elastic Suspicious Sysctl File Event production building block
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Elastic Suspicious which Enumeration production
Sigma System and Hardware Information Discovery stable
Elastic System and Network Configuration Check production
Sigma System Disk And Volume Reconnaissance Via Wmic.EXE test
Splunk System Enumeration with WMIC (Sysmon)
Splunk System Enumeration with WMIC (Windows Event Log)
Sigma System Info Discovery via Sysinfo Syscall experimental
Sigma System Information Discovery stable
Sigma System Information Discovery - Auditd test
Splunk System Information Discovery - Windows (PowerShell)
Splunk System Information Discovery - Windows (Sysmon)
Splunk System Information Discovery - Windows (Windows Event Log)
Splunk System Information Discovery Detection production
Sigma System Information Discovery Using Ioreg test
Sigma System Information Discovery Using sw_vers test
Sigma System Information Discovery Using System_Profiler test
Elastic System Information Discovery via dmidecode from Parent Shell production
Sigma System Information Discovery via Registry Queries experimental
Sigma System Information Discovery Via Sysctl - MacOS test
Elastic System Information Discovery via Windows Command Shell production building block
Sigma System Information Discovery Via Wmic.EXE test
Sigma Uncommon System Information Discovery Via Wmic.EXE test
Elastic Unusual Kernel Module Enumeration production
Elastic Unusual Linux System Information Discovery Activity production
Elastic Virtual Machine Fingerprinting production
Elastic Virtual Machine Fingerprinting via Grep production
Kusto Votiro - File Blocked from Connector
Splunk Web Servers Executing Suspicious Processes experimental
Splunk Windows Information Discovery Fsutil production
Splunk Windows Post Exploitation Risk Behavior production
Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
Splunk Windows PsTools Recon Usage production
Elastic Windows System Information Discovery production building block
Elastic Windows System Network Connections Discovery production building block
Splunk Windows WinPEAS PowerShell Script Execution production
Splunk Windows Wmic CPU Discovery production
Splunk Windows Wmic DiskDrive Discovery production
Splunk Windows Wmic Memory Chip Discovery production
Splunk Windows Wmic Network Discovery production
Splunk Windows Wmic Systeminfo Discovery production
Elastic Wireless Credential Dumping using Netsh Command production
Splunk WMIC Host Reconniassance (PowerShell)
Splunk WMIC Host Reconniassance (Sysmon)
Splunk WMIC Host Reconniassance (Windows Event Log)
Elastic Yum/DNF Plugin Status Discovery production
Kusto ZeroTrust(TIC3.0) Control Assessment Posture Change available

File and Directory Discovery T1083 67 rules

Kusto API - Kiterunner detection available
Elastic AWS Credentials Searched For Inside A Container production
Panther AWS WAF Managed Admin Protection Passthrough Rule
Kusto AWSCloudTrail - ECR image scan findings high or critical available
Sigma Capabilities Discovery - Linux test
Sigma Cisco Discovery test
Elastic Cloud Credential Search Detected via Defend for Containers production
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Kusto Detect potential file enumeration activity (ASIM Web Session) available
Sigma DirLister Execution test
Elastic ESXI Discovery via Find production
Elastic ESXI Discovery via Grep production
Sigma File and Directory Discovery - Linux test
Sigma File and Directory Discovery - MacOS test
Splunk File and Directory Discovery Output to File - Windows (PowerShell)
Splunk File and Directory Discovery Output to File - Windows (Sysmon)
Splunk File and Directory Discovery Output to File - Windows (Windows Event Log)
Elastic Full Disk Access Permission Check production
Sigma HackTool - PCHunter Execution test
Elastic Kernel Instrumentation Discovery via kprobes and tracefs production
Elastic Kubeconfig File Discovery production
Elastic Kubelet Pod Discovery Detected via Defend for Containers production
Splunk Linux Auditd Database File And Directory Discovery production
Splunk Linux Auditd File And Directory Discovery production
Splunk Linux Auditd Hidden Files And Directories Creation production
Splunk Linux Auditd Virtual Disk File And Directory Discovery production
Sigma Linux Capabilities Discovery test
Kusto Mimecast Secure Email Gateway - Spam Event Thread available
Kusto Mimecast Secure Email Gateway - Spam Event Thread
Sigma Notepad Password Files Discovery experimental
Elastic Potential Credential Discovery via Recursive Grep production
Sigma Potential Discovery Activity Using Find - Linux test
Sigma Potential Discovery Activity Using Find - MacOS test
Sigma Powershell Directory Enumeration test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Sensitive File Discovery test
Elastic Private Key Searching Activity production
Elastic Process Capability Enumeration production
Sigma PUA - Seatbelt Execution test
Sigma PUA - TruffleHog Execution experimental
Sigma PUA - TruffleHog Execution - Linux experimental
Splunk Remote Share Directory Listing - Windows (PowerShell)
Splunk Remote Share Directory Listing - Windows (Sysmon)
Splunk Remote Share Directory Listing - Windows (Windows Event Log)
Elastic Security File Access via Common Utilities production
Elastic Sensitive Keys Or Passwords Search Detected via Defend for Containers production
Elastic Sensitive Keys Or Passwords Searched For Inside A Container production
Sigma Shell Execution GCC - Linux test
Sigma Shell Execution via Find - Linux test
Sigma Shell Execution via Flock - Linux test
Sigma Shell Execution via Nice - Linux test
Sigma Shell Invocation via Apt - Linux test
Sigma Source Code Enumeration Detection by Keyword test
Elastic SUID/SGUID Enumeration Detected production
Elastic Suspicious Dynamic Linker Discovery via od production
Elastic Suspicious Memory grep Activity production
Elastic Suspicious Modprobe File Event production building block
Elastic Suspicious System Commands Executed by Previously Unknown Executable production
Elastic Suspicious which Enumeration production
Elastic System Information Discovery via Windows Command Shell production building block
Sigma Turla Group Lateral Movement test
Sigma Vim GTFOBin Abuse - Linux test
Kusto Votiro - File Blocked from Connector
Sigma WannaCry Ransomware Activity test
Elastic Web Server Local File Inclusion Activity production
Elastic Web Server Potential Remote File Inclusion Activity production
Elastic Yum/DNF Plugin Status Discovery production

Account Discovery T1087 197 rules

Elastic Account Discovery Command via SYSTEM Account production
Elastic Account or Group Discovery via Built-In Tools production building block
Sigma Active Directory Computers Enumeration With Get-AdComputer test
Sigma Active Directory Database Snapshot Via ADExplorer test
Elastic Active Directory Discovery using AdExplorer production
Sigma Active Directory honeypot enumerated by a suspicious host (Bloodhound) experimental
Sigma Active Directory PowerShell module called from a non administrative host experimental
Sigma Active Directory Structure Export Via Csvde.EXE test
Sigma AD Privileged Users or Groups Reconnaissance test
Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Splunk AdsiSearcher Account Discovery production
Kusto ADWS Connection from Process Injection Target
Kusto ADWS Connection from Unexpected Binary
Kusto AFD WAF - Path Traversal Attack available
Panther Anthropic Excessive Chat Access Failures
Kusto API - Account Takeover available
Kusto API - Rate limiting available
Kusto App GW WAF - Path Traversal Attack available
Panther AppOmni Alert Passthrough
Elastic AWS Account Discovery By Rare User production
Panther AWS CloudTrail Account Discovery
Elastic AWS Discovery API Calls via CLI from a Single Resource production
Elastic AWS EC2 Role GetCallerIdentity from New Source AS Organization production
Elastic AWS IAM Principal Enumeration via UpdateAssumeRolePolicy production
Elastic AWS STS GetCallerIdentity API Called for the First Time production
Sigma AWS STS GetCallerIdentity Enumeration Via TruffleHog experimental
Splunk Azure AD AzureHound UserAgent Detected production
Splunk Azure AD Service Principal Enumeration production
Sigma BloodHound Collection Files test
Sigma Chopper Webshell Process Pattern test
Sigma Cisco Collect Data test
Splunk Common Active Directory Commands (PowerShell)
Splunk Common Active Directory Commands (Sysmon)
Splunk Common Active Directory Commands (Windows Event Log)
Splunk Common Exchange Recon cmdlets (PowerShell)
Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Kusto Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes) available
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Splunk CSVDE Export Active Directory (PowerShell)
Splunk CSVDE Export Active Directory (Sysmon)
Splunk CSVDE Export Active Directory (Windows Event Log)
Panther Databricks Repeated Unauthorized Unity Catalog Requests Experimental
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Kusto Detect Suspicious Commands Initiated by Webserver Processes available
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
Sigma Discovery Using AzureHound test
Splunk Domain Account Discovery with Dsquery production
Splunk Domain Account Discovery with Wmic production
Sigma Domain group enumeration experimental
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Splunk Enumerate Users Local Group Using Telegram production
Elastic Enumeration Command Spawned via WMIPrvSE production
Elastic Enumeration of Administrator Accounts production
Elastic Enumeration of Users or Groups via Built-in Commands production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Kusto GCP IAM - Service Account Enumeration available
Splunk Get ADUser with PowerShell production
Splunk Get ADUser with PowerShell Script Block production
Splunk Get DomainUser with PowerShell production
Splunk Get DomainUser with PowerShell Script Block production
Splunk GetLocalUser with PowerShell production
Splunk GetLocalUser with PowerShell Script Block production
Splunk GetWmiObject DS User with PowerShell production
Splunk GetWmiObject DS User with PowerShell Script Block production
Splunk GetWmiObject User Account with PowerShell production
Splunk GetWmiObject User Account with PowerShell Script Block production
Sigma Group discovery (command)
Panther GSuite Calendar Has Been Made Public
Panther GSuite Workspace Calendar External Sharing Setting Change
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma HackTool - SOAPHound Execution test
Sigma HackTool - winPEAS Execution test
Sigma Hacktool Ruler test
Kusto Highly Sensitive Password Accessed available
Kusto Hunt for ADWS requests from unknown devices
Splunk IcedID Discovery Commands (EDR)
Splunk IcedID Discovery Commands (Sysmon)
Splunk IcedID Discovery Commands (Windows Event Log)
Kusto Large number of AD objects accessed by user
Kusto LDAP reconnaissance via search filters
Splunk Local Account Discovery With Wmic production
Sigma Local Accounts Discovery test
Sigma Local domain group enumeration experimental
Sigma Local System Accounts Discovery - Linux test
Sigma Local System Accounts Discovery - MacOs test
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Elastic Microsoft Graph Multi-Category Reconnaissance Burst production
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Net.EXE Execution test
Sigma Network Reconnaissance Activity test
Splunk Network Traffic to Active Directory Web Services Protocol production
Splunk Okta IDP Lifecycle Modifications production
Splunk Okta Unauthorized Access to Application production
Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
Sigma Potential AD User Enumeration From Non-Machine Account test
Elastic Potential Enumeration via Active Directory Web Service production
Elastic Potential Meterpreter Reverse Shell production
Sigma Potential Pikabot Discovery Activity test
Elastic Potential PowerShell HackTool Script by Function Names production
Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
Sigma Potentially Suspicious EventLog Recon Activity Using Log Query Utilities test
Splunk PowerHuntShares Commands (PowerShell)
Splunk PowerHuntShares Commands (Sysmon)
Splunk PowerHuntShares Commands (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Kusto Probable AdFind Recon Tool Usage available
Sigma PUA - AdFind Suspicious Execution test
Sigma PUA - AdFind.EXE Execution experimental
Sigma PUA - Seatbelt Execution test
Sigma PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE test
YARA-L Purple Knight Tool Execution Detected
Sigma RBAC Permission Enumeration Attempt test
Sigma Reconnaissance Activity test
Sigma Renamed AdFind Execution test
Sigma Role Enumeration test
Splunk SchCache Change By App Connect And Create ADSI Object production
Kusto Sensitive Data Discovered in the Last 24 Hours
Kusto Sensitive Data Discovered in the Last 24 Hours - Customized
Splunk SharpHound Enumeration (Windows Event Log)
Sigma SharpHound host enumeration over Kerberos experimental
Splunk SharpHound Keywords (PowerShell)
Sigma SharpHound Recon Account Discovery test
Kusto Snowflake - Possible privileges discovery activity available
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Suspicious Access to LDAP Attributes production
Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE test
Elastic Suspicious JetBrains TeamCity Child Process production
Sigma Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet test
Sigma Suspicious SPN enumeration previous to Kerberoasting attack (native commands) experimental
Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
Sigma Suspicious Use of PsLogList test
Kusto Unauthorized user access across AWS and Azure
Sigma Uncommon Connection to Active Directory Web Services test
Elastic Unusual User Privilege Enumeration via id production
Sigma User Enumeration test
Sigma User properties enumeration via commandline
Splunk User_Domain Enumeration Tool - Windows (PowerShell)
Splunk User_Domain Enumeration Tool - Windows (Sysmon)
Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available
Sigma Webshell Detection With Command Line Keywords test
Sigma Webshell Hacking Activity Patterns test
Splunk Windows Account Discovery for None Disable User Account production
Splunk Windows Account Discovery for Sam Account Name production
Splunk Windows Account Discovery With NetUser PreauthNotRequire production
Elastic Windows Account or Group Discovery production building block
Splunk Windows AD Abnormal Object Access Activity production
Splunk Windows AD Privileged Object Access Activity production
Splunk Windows Domain Account Discovery Via Get-NetComputer production
Splunk Windows Find Domain Organizational Units with GetDomainOU production
Splunk Windows Find Interesting ACL with FindInterestingDomainAcl production
Splunk Windows Forest Discovery with GetForestDomain production
Splunk Windows Get Local Admin with FindLocalAdminAccess production
Splunk Windows Linked Policies In ADSI Discovery production
Splunk Windows Root Domain linked policies Discovery production
Splunk Windows SOAPHound Binary Execution production
Splunk Windows Special Privileged Logon On Multiple Hosts production
Splunk Windows Suspect Process With Authentication Traffic production
Elastic Windows System Network Connections Discovery production building block
Splunk Windows User Discovery Via Net production

Account Discovery: Local Account T1087.001 47 rules

Elastic Account or Group Discovery via Built-In Tools production building block
Sigma BloodHound Collection Files test
Sigma Cisco Collect Data test
Splunk Common Reconnaissance Commands (PowerShell)
Splunk Common Reconnaissance Commands (Sysmon)
Splunk Common Reconnaissance Commands (Windows Event Log)
Splunk CSVDE Export Active Directory (PowerShell)
Splunk CSVDE Export Active Directory (Sysmon)
Splunk CSVDE Export Active Directory (Windows Event Log)
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Elastic Enumeration of Administrator Accounts production
Elastic Enumeration of Users or Groups via Built-in Commands production
Splunk GetLocalUser with PowerShell production
Splunk GetLocalUser with PowerShell Script Block production
Splunk GetWmiObject User Account with PowerShell production
Splunk GetWmiObject User Account with PowerShell Script Block production
Sigma HackTool - Bloodhound/Sharphound Execution test
Splunk Local Account Discovery With Wmic production
Sigma Local Accounts Discovery test
Sigma Local domain group enumeration experimental
Sigma Local System Accounts Discovery - Linux test
Sigma Local System Accounts Discovery - MacOs test
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Net.EXE Execution test
Splunk Network Traffic to Active Directory Web Services Protocol production
Elastic Potential Meterpreter Reverse Shell production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Splunk SharpHound Enumeration (Windows Event Log)
Splunk SharpHound Keywords (PowerShell)
Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE test
Sigma Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet test
Sigma Suspicious Use of PsLogList test
Elastic Unusual User Privilege Enumeration via id production
Sigma User properties enumeration via commandline
Splunk Windows Account Discovery for None Disable User Account production
Elastic Windows Account or Group Discovery production building block
Splunk Windows SOAPHound Binary Execution production
Splunk Windows User Discovery Via Net production

Account Discovery: Domain Account T1087.002 91 rules

Elastic Account or Group Discovery via Built-In Tools production building block
Sigma Active Directory Computers Enumeration With Get-AdComputer test
Sigma Active Directory Database Snapshot Via ADExplorer test
Elastic Active Directory Discovery using AdExplorer production
Sigma Active Directory PowerShell module called from a non administrative host experimental
Sigma Active Directory Structure Export Via Csvde.EXE test
Sigma AD Privileged Users or Groups Reconnaissance test
Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Splunk AdsiSearcher Account Discovery production
Kusto ADWS Connection from Process Injection Target
Kusto ADWS Connection from Unexpected Binary
Sigma BloodHound Collection Files test
Splunk Common Active Directory Commands (PowerShell)
Splunk Common Active Directory Commands (Sysmon)
Splunk Common Active Directory Commands (Windows Event Log)
Splunk CSVDE Export Active Directory (PowerShell)
Splunk CSVDE Export Active Directory (Sysmon)
Splunk CSVDE Export Active Directory (Windows Event Log)
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Splunk Domain Account Discovery with Dsquery production
Splunk Domain Account Discovery with Wmic production
Sigma Domain group enumeration experimental
Elastic Enumeration of Administrator Accounts production
Elastic Enumeration of Users or Groups via Built-in Commands production
Splunk Get ADUser with PowerShell production
Splunk Get ADUser with PowerShell Script Block production
Splunk Get DomainUser with PowerShell production
Splunk Get DomainUser with PowerShell Script Block production
Splunk GetWmiObject DS User with PowerShell production
Splunk GetWmiObject DS User with PowerShell Script Block production
Sigma Group discovery (command)
Sigma HackTool - Bloodhound/Sharphound Execution test
Kusto Hunt for ADWS requests from unknown devices
Kusto Large number of AD objects accessed by user
Kusto LDAP reconnaissance via search filters
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Net.EXE Execution test
Splunk Network Traffic to Active Directory Web Services Protocol production
Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
Sigma Potential AD User Enumeration From Non-Machine Account test
Elastic Potential Enumeration via Active Directory Web Service production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Kusto Probable AdFind Recon Tool Usage available
Sigma PUA - AdFind Suspicious Execution test
Sigma PUA - AdFind.EXE Execution experimental
Sigma PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE test
Sigma Reconnaissance Activity test
Sigma Renamed AdFind Execution test
Splunk SchCache Change By App Connect And Create ADSI Object production
Splunk SharpHound Enumeration (Windows Event Log)
Sigma SharpHound host enumeration over Kerberos experimental
Splunk SharpHound Keywords (PowerShell)
Elastic Suspicious Access to LDAP Attributes production
Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE test
Sigma Suspicious SPN enumeration previous to Kerberoasting attack (native commands) experimental
Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
Sigma Suspicious Use of PsLogList test
Sigma User properties enumeration via commandline
Splunk User_Domain Enumeration Tool - Windows (PowerShell)
Splunk User_Domain Enumeration Tool - Windows (Sysmon)
Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
Elastic Windows Account or Group Discovery production building block
Splunk Windows AD Abnormal Object Access Activity production
Splunk Windows AD Privileged Object Access Activity production
Splunk Windows Domain Account Discovery Via Get-NetComputer production
Splunk Windows Find Domain Organizational Units with GetDomainOU production
Splunk Windows Find Interesting ACL with FindInterestingDomainAcl production
Splunk Windows Forest Discovery with GetForestDomain production
Splunk Windows Get Local Admin with FindLocalAdminAccess production
Splunk Windows Linked Policies In ADSI Discovery production
Splunk Windows Root Domain linked policies Discovery production
Splunk Windows SOAPHound Binary Execution production
Splunk Windows Suspect Process With Authentication Traffic production

Account Discovery: Email Account T1087.003 1 rule

Splunk Common Exchange Recon cmdlets (PowerShell)

Account Discovery: Cloud Account T1087.004 26 rules

Elastic AWS Account Discovery By Rare User production
Elastic AWS Discovery API Calls via CLI from a Single Resource production
Elastic AWS EC2 Role GetCallerIdentity from New Source AS Organization production
Elastic AWS IAM Principal Enumeration via UpdateAssumeRolePolicy production
Elastic AWS STS GetCallerIdentity API Called for the First Time production
Sigma AWS STS GetCallerIdentity Enumeration Via TruffleHog experimental
Panther AWS STS GetCallerIdentity via TruffleHog
Splunk Azure AD AzureHound UserAgent Detected production
Splunk Azure AD Service Principal Enumeration production
Panther Azure Key Vault Key Accessed or Recovered
Kusto Cross-tenant Access Settings Organization Added available
Kusto Cross-tenant Access Settings Organization Deleted available
Kusto Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Inbound Direct Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed available
Kusto Cross-tenant Access Settings Organization Outbound Direct Settings Changed available
Sigma Discovery Using AzureHound test
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Kusto External guest invitation followed by Microsoft Entra ID PowerShell signin available
Kusto Guest accounts added in Entra ID Groups other than the ones specified available
Splunk Okta IDP Lifecycle Modifications production
Splunk Okta Unauthorized Access to Application production
Sigma RBAC Permission Enumeration Attempt test
Sigma Role Enumeration test
Sigma User Enumeration test

Peripheral Device Discovery T1120 6 rules

Sigma Fsutil Drive Enumeration test
Splunk Fsutil fsinfo execution (EDR)
Splunk Fsutil fsinfo execution (Windows Event Log)
Elastic Peripheral Device Discovery production
Elastic PowerShell Suspicious Script with Audio Capture Capabilities production
Sigma Powershell Suspicious Win32_PnPEntity test

System Time Discovery T1124 6 rules

Sigma Cisco Discovery test
Sigma Discovery of a System Time test
Elastic System Time Discovery production building block
Splunk System Time enumeration (Windows Event Log)
Sigma Use of W32tm as Timer test
Splunk Windows System Time Discovery W32tm Delay production

Network Share Discovery T1135 36 rules

Splunk Advanced IP or Port Scanner Execution production
Kusto Claroty - Policy violation available
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Kusto Excessive share permissions available
Sigma File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell test
Sigma HackTool - SharpView Execution test
Kusto Hunt for ADWS requests from unknown devices
Splunk IcedID Discovery Commands (EDR)
Splunk IcedID Discovery Commands (Sysmon)
Splunk IcedID Discovery Commands (Windows Event Log)
Splunk MacOS Network Share Discovery production
Elastic Manual Mount Discovery via /etc/exports or /etc/fstab production
Sigma Net.EXE Execution test
Sigma Network share discovery and/or connection via commandline
Splunk Network Share Discovery Via Dir Command production
Sigma Potential Dridex Activity stable
Elastic Potential Network Share Discovery production building block
Splunk PowerHuntShares Commands (PowerShell)
Splunk PowerHuntShares Commands (Sysmon)
Splunk PowerHuntShares Commands (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Share Enumeration Script production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Splunk PowerView_SharpView Commands (PowerShell)
Sigma PUA - Advanced IP Scanner Execution test
Sigma PUA - Advanced Port Scanner Execution test
Sigma SharpHound enumeration via SMB named pipes experimental
Elastic System Service Discovery through built-in Windows Utilities production building block
Sigma Turla Group Lateral Movement test
Kusto vArmour AppController - SMB Realm Traversal available
Splunk Windows Administrative Shares Accessed On Multiple Hosts production
Splunk Windows File Share Discovery With Powerview production
Splunk Windows Large Number of Computer Service Tickets Requested production
Elastic Windows Network Enumeration production building block
Splunk Windows Network Share Interaction Via Net production
Splunk Windows Special Privileged Logon On Multiple Hosts production

Password Policy Discovery T1201 30 rules

Panther AWS CloudTrail Password Policy Discovery
Splunk AWS High Number Of Failed Authentications For User production
YARA-L AWS Password Policy Change
Splunk AWS Password Policy Changes production
Sigma Cisco Discovery test
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Sigma Domain password policy enumeration experimental
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Splunk Get ADDefaultDomainPasswordPolicy with Powershell production
Splunk Get ADDefaultDomainPasswordPolicy with Powershell Script Block production
Splunk Get ADUserResultantPasswordPolicy with Powershell production
Splunk Get ADUserResultantPasswordPolicy with Powershell Script Block production
Splunk Get DomainPolicy with Powershell production
Splunk Get DomainPolicy with Powershell Script Block production
Sigma HackTool - CrackMapExec Execution test
Kusto Hunt for ADWS requests from unknown devices
Kusto LDAP reconnaissance via search filters
Sigma Net.EXE Execution test
Sigma Password Policy Discovery - Linux stable
Sigma Password policy discovery via commandline
Sigma Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy test
Sigma Password Policy Enumerated test
Elastic PowerShell Script with Password Policy Discovery Capabilities production building block
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Splunk SharpHound Enumeration (Windows Event Log)
Splunk SharpHound Keywords (PowerShell)
Elastic Windows Account or Group Discovery production building block
Splunk Windows Password Policy Discovery with Net production
Panther ZIA Password Expiration

Browser Information Discovery T1217 4 rules

Sigma Automated Collection Bookmarks Using Get-ChildItem PowerShell test
Sigma File And SubFolder Enumeration Via Dir Command test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Suspicious Where Execution test

Domain Trust Discovery T1482 57 rules

Sigma Active Directory Database Snapshot Via ADExplorer test
Elastic Active Directory Discovery using AdExplorer production
Sigma Active Directory Forest PowerShell class called from a non administrative host experimental
Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
Elastic AdFind Command Activity production
Splunk Adfind Commands (PowerShell)
Splunk Adfind Commands (Sysmon)
Splunk Adfind Commands (Windows Event Log)
Splunk Adfind Execution (EDR)
Splunk Adfind Execution (PowerShell)
Splunk Adfind Execution (Sysmon)
Splunk Adfind Execution (Windows Event Log)
Sigma BloodHound Collection Files test
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Splunk Detect AzureHound Command-Line Arguments production
Splunk Detect AzureHound File Modifications production
Splunk Detect SharpHound Command-Line Arguments production
Splunk Detect SharpHound File Modifications production
Splunk Detect SharpHound Usage production
Kusto Dev-0270 WMIC Discovery available
Sigma DNS Server Discovery Via LDAP Query test
Splunk Domain Trust Discovery Commands - Windows (PowerShell)
Splunk Domain Trust Discovery Commands - Windows (Windows Event Log)
Sigma Domain Trust Discovery Via Dsquery test
Splunk DSQuery Domain Discovery production
Elastic Enumerating Domain Trusts via DSQUERY.EXE production
Elastic Enumerating Domain Trusts via NLTEST.EXE production
Splunk Get-DomainTrust with PowerShell production
Splunk Get-DomainTrust with PowerShell Script Block production
Splunk Get-ForestTrust with PowerShell production
Splunk Get-ForestTrust with PowerShell Script Block production
Sigma HackTool - Bloodhound/Sharphound Execution test
Sigma HackTool - SharpView Execution test
Sigma HackTool - TruffleSnout Execution test
Kusto Hunt for ADWS requests from unknown devices
Kusto LDAP reconnaissance via search filters
Sigma Malicious PowerShell Commandlets - PoshModule test
Sigma Malicious PowerShell Commandlets - ProcessCreation test
Sigma Malicious PowerShell Commandlets - ScriptBlock test
Splunk Network Traffic to Active Directory Web Services Protocol production
Splunk NLTest Domain Trust Discovery production
Sigma Nltest.EXE Execution test
Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Recon Activity Via Nltest.EXE test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Kusto Probable AdFind Recon Tool Usage available
Sigma PUA - AdFind Suspicious Execution test
Sigma Renamed AdFind Execution test
Splunk SharpHound Enumeration (Windows Event Log)
Splunk SharpHound Keywords (PowerShell)
Elastic Suspicious Access to LDAP Attributes production
Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
Elastic Suspicious JetBrains TeamCity Child Process production
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Splunk Windows SOAPHound Binary Execution production

Virtualization/Sandbox Evasion T1497 20 rules

Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Elastic Delayed Execution via Ping production
Splunk Headless Browser Usage production
Splunk Ping Sleep Batch Command production
Elastic Potential Microsoft Office Sandbox Evasion production
Sigma Powershell Detect Virtualization Environment test
Elastic Suspicious SIP Check by macOS Application production
Sigma System Information Discovery Using System_Profiler test
Sigma System Information Discovery Via Sysctl - MacOS test
Elastic Virtual Machine Fingerprinting production
Elastic Virtual Machine Fingerprinting via Grep production
Splunk Windows Chromium Browser Launched with Small Window Size production
Splunk Windows Chromium Browser No Security Sandbox Process production
Splunk Windows Chromium Browser with Custom User Data Directory production
Splunk Windows Chromium process Launched with Disable Popup Blocking production
Splunk Windows Chromium Process Launched with Logging Disabled production
Splunk Windows Chromium Process with Disabled Extensions production
Splunk Windows Time Based Evasion production
Splunk Windows Time Based Evasion via Choice Exec production

Virtualization/Sandbox Evasion: System Checks T1497.001 8 rules

Splunk Common Recon Commands in Short Burst (Sysmon)
Splunk Common Recon Commands in Short Burst (Windows Event Log)
Sigma Powershell Detect Virtualization Environment test
Elastic Suspicious SIP Check by macOS Application production
Sigma System Information Discovery Using System_Profiler test
Sigma System Information Discovery Via Sysctl - MacOS test
Elastic Virtual Machine Fingerprinting production
Elastic Virtual Machine Fingerprinting via Grep production

Virtualization/Sandbox Evasion: Time Based Checks T1497.003 4 rules

Elastic Delayed Execution via Ping production
Splunk Ping Sleep Batch Command production
Splunk Windows Time Based Evasion production
Splunk Windows Time Based Evasion via Choice Exec production

Software Discovery T1518 42 rules

Splunk Application Discovery - Windows (PowerShell)
Splunk Application Discovery - Windows (Sysmon)
Splunk Application Discovery - Windows (Windows Event Log)
Panther AppOmni Alert Passthrough
Panther AWS Software Discovery
Elastic AWS SSM Inventory Reconnaissance by Rare User production
Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Sigma Detected Windows Software Discovery test
Sigma Detected Windows Software Discovery - PowerShell test
Elastic Enumeration Command Spawned via WMIPrvSE production
Elastic Enumeration of Kernel Modules via Proc production building block
Elastic ESXI Discovery via Find production
Elastic ESXI Discovery via Grep production
Sigma HackTool - WinPwn Execution test
Sigma HackTool - WinPwn Execution - ScriptBlock test
Sigma Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test
Elastic Pluggable Authentication Module (PAM) Version Discovery production
Elastic Polkit Version Discovery production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Discovery via Built-In Applications production building block
Sigma Security Software Discovery - Linux test
Sigma Security Software Discovery - MacOs test
Elastic Security Software Discovery using WMIC production building block
Splunk Security Software Discovery via Findstr.exe (PowerShell)
Splunk Security Software Discovery via Findstr.exe (Sysmon)
Splunk Security Software Discovery via Findstr.exe (Windows Event Log)
Elastic Security Software Discovery via Grep production
Sigma Security Software Discovery Via Powershell Script test
Splunk Security Software Discovery via WMI (PowerShell)
Splunk Security Software Discovery via WMI (Sysmon)
Splunk Security Software Discovery via WMI (Windows Event Log)
Sigma Security Tools Keyword Lookup Via Findstr.EXE test
Kusto Snowflake - Multiple failed queries available
Sigma SQL Server database's table enumeration experimental
Elastic Suspicious which Enumeration production
Sigma Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE test
Sigma System Integrity Protection (SIP) Disabled test
Sigma System Integrity Protection (SIP) Enumeration test
Elastic Tool Enumeration Detected via Defend for Containers production
Elastic Unusual Kernel Module Enumeration production
Splunk Windows Software Discovery Via PowerShell production
Elastic Yum/DNF Plugin Status Discovery production

Software Discovery: Security Software Discovery T1518.001 19 rules

Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Sigma Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Process Discovery via Built-In Applications production building block
Sigma Security Software Discovery - Linux test
Sigma Security Software Discovery - MacOs test
Elastic Security Software Discovery using WMIC production building block
Splunk Security Software Discovery via Findstr.exe (PowerShell)
Splunk Security Software Discovery via Findstr.exe (Sysmon)
Splunk Security Software Discovery via Findstr.exe (Windows Event Log)
Elastic Security Software Discovery via Grep production
Sigma Security Software Discovery Via Powershell Script test
Splunk Security Software Discovery via WMI (PowerShell)
Splunk Security Software Discovery via WMI (Sysmon)
Splunk Security Software Discovery via WMI (Windows Event Log)
Sigma Security Tools Keyword Lookup Via Findstr.EXE test
Sigma Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE test
Sigma System Integrity Protection (SIP) Disabled test
Sigma System Integrity Protection (SIP) Enumeration test

Cloud Service Discovery T1526 44 rules

Splunk Amazon EKS Kubernetes cluster scan detection experimental
Splunk Amazon EKS Kubernetes Pod scan detection experimental
Elastic AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key production
Panther AWS CloudTrail Log Encryption
Panther AWS Config Service Created
Elastic AWS Discovery API Calls from VPN ASN for the First Time by Identity production
Elastic AWS Discovery API Calls via CLI from a Single Resource production
Panther AWS EC2 Discovery Commands Executed
Splunk AWS Excessive Security Scanning production
Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
Elastic AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
Elastic AWS Service Quotas Multi-Region GetServiceQuota Requests production
Kusto AWSCloudTrail - SSM document is publicly exposed available
Splunk Azure AD AzureHound UserAgent Detected production
Splunk Azure AD Service Principal Enumeration production
Panther Azure Policy Changed
Kusto BTP - Failed access attempts across multiple BAS subaccounts available
Kusto Dataverse - Honeypot instance activity available
Kusto Dataverse - Suspicious use of Web API available
Kusto Dataverse - TI map IP to DataverseActivity available
Panther Detect Reconnaissance from IAM Users
Sigma Discovery Using AzureHound test
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Panther External Principal Accessing AWS Resources Via VPC Endpoint
Splunk GCP Kubernetes cluster pod scan detection experimental
Sigma Github Self Hosted Runner Changes Detected test
Splunk Kubernetes Scanner Image Pulling production
Splunk Kubernetes Suspicious Image Pulling production
Elastic Microsoft Graph Multi-Category Reconnaissance Burst production
Panther Monitor Unauthorized API Calls
Kusto Netskope - New Risky App Access vs 7-Day Baseline available
Sigma PUA - Seatbelt Execution test
Elastic Rare AWS Error Code production
Elastic Rare Azure Activity Logs Event Failures production
Elastic Rare GCP Audit Failure Event Code production
Panther Sensitive API Calls Via VPC Endpoint
Kusto Snowflake - Possible discovery activity available
Kusto SOCRadar Unsynced Closed Incident available
Elastic Spike in AWS Error Messages production
Elastic Spike in Azure Activity Logs Failed Messages production
Elastic Spike in GCP Audit Failed Messages production
Kusto Suspicious VM Instance Creation Activity Detected
Panther VPC Endpoint Access Denied

Cloud Service Dashboard T1538 4 rules

Panther A CloudTrail Was Created or Updated
Elastic AWS SSM Inventory Reconnaissance by Rare User production
Kusto Dataverse - Honeypot instance activity available
Splunk Okta Multiple Failed Requests to Access Applications experimental

Cloud Infrastructure Discovery T1580 42 rules

Kusto API - Kiterunner detection available
Splunk ASL AWS IAM AccessDenied Discovery Events production
Splunk ASL AWS IAM Assume Role Policy Brute Force production
Elastic AWS Account Discovery By Rare User production
Splunk AWS Bedrock High Number List Foundation Model Failures production
Panther AWS CloudTrail SES Enumeration
Elastic AWS Discovery API Calls from VPN ASN for the First Time by Identity production
Elastic AWS Discovery API Calls via CLI from a Single Resource production
Elastic AWS EC2 Deprecated AMI Discovery production
Panther AWS EC2 Download Instance User Data
YARA-L AWS EC2 High Number Of API Calls
Elastic AWS EC2 Multi-Region DescribeInstances API Calls production building block
Elastic AWS EC2 User Data Retrieval for EC2 Instance production
YARA-L AWS Excessive Successful Discovery Events
YARA-L AWS IAM Access Denied Discovery Events
Splunk AWS IAM AccessDenied Discovery Events production
Splunk AWS IAM Assume Role Policy Brute Force production
Panther AWS RDS Snapshot Enumeration with Public or Shared Flag Experimental
Elastic AWS S3 Bucket Enumeration or Brute Force production
Elastic AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
Elastic AWS Service Quotas Multi-Region GetServiceQuota Requests production
Elastic AWS SSM Inventory Reconnaissance by Rare User production
Kusto AWSCloudTrail - Monitor AWS Credential abuse or hijacking available
Kusto AWSCloudTrail - User IAM Enumeration available
Kusto Dataverse - Suspicious use of Web API available
Kusto Dataverse - TI map IP to DataverseActivity available
Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
YARA-L GCP Excessive Permission Denied Events
Sigma Many AccessDenied Errors from Single Source test
Kusto OCI - Discovery activity available
Sigma Potential Bucket Enumeration on AWS test
Elastic Rare AWS Error Code production
Elastic Rare Azure Activity Logs Event Failures production
Elastic Rare GCP Audit Failure Event Code production
Elastic Spike in AWS Error Messages production
Elastic Spike in Azure Activity Logs Failed Messages production
Elastic Spike in GCP Audit Failed Messages production
Elastic Suspicious Instance Metadata Service (IMDS) API Command Line Execution production
Elastic Suspicious Instance Metadata Service (IMDS) API Request production
Kusto Unauthorized user access across AWS and Azure
Elastic Unusual Windows Process Calling the Metadata Service production

Container and Resource Discovery T1613 43 rules

Elastic Container Management Utility Execution Detected via Defend for Containers production
Elastic Container Management Utility Run Inside A Container production
Elastic Direct Interactive Kubernetes API Request by Common Utilities production
Elastic Direct Interactive Kubernetes API Request by Unusual Utilities production
Elastic Direct Interactive Kubernetes API Request Detected via Defend for Containers production
Elastic DNS Enumeration Detected via Defend for Containers production
Elastic Docker Socket Enumeration production
Panther EKS Audit Log based single sourceIP is generating multiple 403s
Elastic Environment Variable Enumeration Detected via Defend for Containers production
Elastic Forbidden Direct Interactive Kubernetes API Request production
Elastic GitHub Authentication Token Access via Node.js production
Elastic Interactive Privilege Boundary Enumeration Detected via Defend for Containers production
Elastic Kubeconfig File Discovery production
Elastic Kubectl Configuration Discovery production building block
Elastic Kubectl Permission Discovery production
Elastic Kubectl Secrets Enumeration Across All Namespaces production
Elastic Kubectl Workload and Cluster Discovery production building block
Elastic Kubelet API Connection Attempt to Internal IP production
Elastic Kubelet Certificate File Access Detected via Defend for Containers production
Elastic Kubelet Pod Discovery Detected via Defend for Containers production
Panther Kubernetes API Multiple 403 Responses from Single Public IP Experimental
Elastic Kubernetes API Server Proxying Request to Kubelet production
Elastic Kubernetes Denied Service Account Request via Unusual User Agent production
Elastic Kubernetes Direct API Request via Curl or Wget production
Elastic Kubernetes Forbidden Request from Unusual User Agent production
Elastic Kubernetes Multi-Resource Discovery production
Elastic Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected production
Elastic Kubernetes Potential Endpoint Permission Enumeration Attempt Detected production
Sigma Kubernetes Potential Enumeration Activity experimental
Panther Kubernetes Secret Access Denied Experimental
Elastic Kubernetes Secrets List Across Cluster or Sensitive Namespaces production
Elastic Kubernetes Service Account Secret Access production
Elastic Kubernetes Suspicious Self-Subject Review via Unusual User Agent production
Elastic Potential Cluster Enumeration via jq Detected via Defend for Containers production
Elastic Potential Direct Kubelet Access via Process Arguments production
Elastic Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
Elastic Potential Kubectl Masquerading via Unexpected Process production
Elastic Potential Kubeletctl Execution production
Elastic Potential Kubeletctl Execution Detected via Defend for Containers production
Elastic Service Account Namespace Read Detected via Defend for Containers production
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Elastic Tool Enumeration Detected via Defend for Containers production
Elastic Unusual Process Connection to Docker or Containerd Socket production

System Location Discovery T1614 6 rules

Sigma Console CodePage Lookup Via CHCP test
Splunk Discovery using CHCP (Sysmon)
Splunk Discovery using CHCP (Windows Event Log)
Elastic External IP Lookup from Non-Browser Process production building block
Sigma System Language Discovery via Reg.Exe experimental
Elastic System Time Discovery production building block

System Location Discovery: System Language Discovery T1614.001 4 rules

Sigma Console CodePage Lookup Via CHCP test
Splunk Discovery using CHCP (Sysmon)
Splunk Discovery using CHCP (Windows Event Log)
Sigma System Language Discovery via Reg.Exe experimental

Group Policy Discovery T1615 10 rules

Elastic Deprecated - PowerShell Script with Discovery Capabilities production building block
Elastic Enumeration Command Spawned via WMIPrvSE production
Sigma Gpresult Display Group Policy Information test
Elastic Group Policy Discovery via Microsoft GPResult Utility production
Sigma HackTool - SharpUp PrivEsc Tool Execution test
Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Suspicious GPO Discovery With Get-GPO test
Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test
Splunk Windows WinPEAS PowerShell Script Execution production

Cloud Storage Object Discovery T1619 7 rules

Panther AWS S3 Access Error
Elastic AWS S3 Bucket Enumeration or Brute Force production
Elastic AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
Elastic AWS S3 Unauthenticated Bucket Access by Rare Source production
Elastic Azure Blob Storage Container Access Level Modified production
Elastic M365 SharePoint Search for Sensitive Content production
Sigma Potential Bucket Enumeration on AWS test

Debugger Evasion T1622 2 rules

Panther GitHub Commits Skipping Workflows
Sigma PUA - Process Hacker Execution test

Device Driver Discovery T1652 1 rule

Panther Intune Device Not Compliant

Log Enumeration T1654 2 rules

Splunk Windows EventLog Recon Activity Using Log Query Utilities production
Panther ZIA Logs Downloaded

Virtual Machine Discovery T1673 4 rules

Elastic Entra ID Sign-in BloodHound Suite User-Agent Detected production
Elastic Entra ID Sign-in TeamFiltration User-Agent Detected production
Splunk ESXi Bulk VM Termination production
Splunk ESXi VM Discovery production

No specific technique 26 rules

Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation test
Sigma AADInternals PowerShell Cmdlets Execution - PsScript test
Panther AWS EC2 Discovery Commands Executed
Elastic Deprecated - Unusual Discovery Activity by User production building block
Sigma DriverQuery.EXE Execution test
Sigma GatherNetworkInfo.VBS Reconnaissance Script Output test
Sigma Get Caller Identity test
Sigma Google Cloud Storage Buckets Enumeration test
Sigma HackTool - SharpLDAPmonitor Execution test
Sigma macOS ESF Sensitive File Access experimental
Sigma Obfuscated IP Download Activity test
Sigma Obfuscated IP Via CLI test
Sigma Potential Active Directory Enumeration Using AD Module - ProcCreation test
Sigma Potential Active Directory Enumeration Using AD Module - PsModule test
Sigma Potential Active Directory Enumeration Using AD Module - PsScript test
Sigma Potential Discovery Activity Via Dnscmd.EXE test
Sigma Potential Recon Activity Using DriverQuery.EXE test
Sigma PowerShell Hotfix Enumeration test
Sigma Recon Activity via SASec test
Sigma Remote Event Log Recon test
Sigma Remote Registry Recon test
Sigma Remote Schedule Task Recon via AtScv test
Sigma Remote Schedule Task Recon via ITaskSchedulerService test
Sigma Renamed Remote Utilities RAT (RURAT) Execution test
Elastic Unusual Discovery Signal Alert with Unusual Process Command Line production
Elastic Unusual Discovery Signal Alert with Unusual Process Executable production

Lateral Movement

Remote Services T1021 378 rules

Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Elastic Accepted Default Telnet Port Connection production
Sigma Access To ADMIN$ Network Share test
Sigma Active Directory honeypot used for lateral movement experimental
Splunk Allow Inbound Traffic By Firewall Rule Registry production
Splunk Allow Inbound Traffic In Firewall Rule production
Kusto Anomaly in SMB Traffic(ASIM Network Session schema) available
Kusto ApexOne - Inbound remote access connection available
Elastic At.exe Command Lateral Movement production building block
Elastic Attempt to Mount SMB Share via Command Line production
Sigma AWS Console GetSigninToken Potential Abuse test
Elastic AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
Elastic AWS EC2 Instance Connect SSH Public Key Uploaded production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
Panther AWS Network ACL Restricts SSH
Kusto AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports available
Elastic AWS SSM Session Started to EC2 Instance production
Sigma BaaUpdate.exe Suspicious DLL Load experimental
Sigma Bitbucket Global SSH Settings Changed test
Sigma Bitbucket User Login Failure Via SSH test
Kusto BTP - Cloud Integration JDBC data source changes available
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Splunk Cisco IOS XE Remote Access Probe Burst production
Splunk Cisco IOS XE VTY Access Class Tampering production
Splunk Cisco Network Interface Modifications production
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Splunk Cisco Secure Firewall - SSH Connection to Non-Standard Port production
Splunk Cisco Secure Firewall - SSH Connection to sshd_operns production
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Elastic Connection to External Network via Telnet production
Elastic Connection to Internal Network via Telnet production
Sigma Copy From Or To Admin Share Or Sysvol Folder test
YARA-L Copy From Or To Admin Share Or Sysvol Folder
Panther Databricks Access to Multiple Workspaces Experimental
Panther Databricks Mount Point Creation Experimental
Kusto Dataverse - TI map IP to DataverseActivity available
Sigma DCERPC SMB Spoolss Named Pipe test
Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test
Kusto DCOM Lateral Movement available
Sigma DCOM lateral movement (via MMC20) experimental
Sigma Denied Access To Remote Desktop test
Sigma Denied RDP login with valid credentials experimental
Elastic Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM production building block
Kusto Detect Custom Script or Run Command deployment by risky user
Kusto Detect executable drops via Azure custom script extension
Kusto Detect first time Azure Custom Script or Run Command deployment
Kusto Detect process drops via Azure Custom Script Extension performing lateral movement
Splunk Detect PsExec With accepteula Flag production
Kusto Detect service account login on new device
Kusto Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device
Kusto Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device
Kusto Detect Unknown process launched via WinRM
Kusto Detect Unknown process using SMB or WinRM
Kusto Detecting Macro Invoking ShellBrowserWindow COM Objects available
Splunk Enable RDP In Other Port Number production
Sigma Enable Windows Remote Management test
Splunk ESXi Shell Access Enabled production
Splunk ESXi SSH Enabled production
Kusto Excessive Blocked Traffic Events Generated by User available
Splunk Executable File Written in Administrative SMB Share production
Sigma Execute Invoke-command on Remote Host test
Elastic Execution via TSClient Mountpoint production
Sigma First Time Seen Remote Named Pipe test
Sigma First Time Seen Remote Named Pipe - Zeek test
Kusto GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports available
Panther GitHub pull_request_target Workflow on Self-Hosted Runner
Panther GitHub Workflow Using Self-Hosted Runner
Sigma HackTool - NetExec Execution experimental
Sigma HackTool - NetExec File Indicators experimental
Sigma HackTool - Potential Impacket Lateral Movement Activity stable
Sigma HackTool - SharpMove Tool Execution test
Sigma HackTool - WinRM Access Via Evil-WinRM test
Sigma Hermetic Wiper TG Process Patterns test
Elastic High Mean of Process Arguments in an RDP Session production
Elastic High Mean of RDP Session Duration production
Elastic High Variance in RDP Session Duration production
Kusto Hunt for ADWS requests from unknown devices
Kusto Hunt for devices doing first RDP session
Kusto Hunt for RDP sessions to unmanaged and non TPM devices
Kusto Illusive Incidents Analytic Rule available
Sigma Impacket DCOMexec privilege abuse via MMC experimental
Sigma Impacket DCOMexec process abuse via MMC experimental
Splunk Impacket Lateral Movement Activity (Sysmon)
Splunk Impacket Lateral Movement Activity (Windows Event Log)
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Splunk Impacket PSexec (Windows Event Log)
Sigma Impacket PsExec Execution test
Splunk Impacket SMBexec (Windows Event Log)
Sigma Impacket WMIexec execution via SMB admin share experimental
Elastic Incoming DCOM Lateral Movement via MSHTA production
Elastic Incoming DCOM Lateral Movement with MMC production
Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
Elastic Incoming Execution via PowerShell Remoting production
Elastic Incoming Execution via WinRM Remote Shell production
Splunk Interactive Session on Remote Endpoint with PowerShell production
Splunk Invoke-DCOM.ps1 - PowerShell (PowerShell)
Splunk Invoke-DCOM.ps1 - PowerShell (Sysmon)
Splunk Invoke-DCOM.ps1 - PowerShell (Windows Event Log)
Elastic Kubelet API Connection Attempt to Internal IP production
Panther Kubernetes Role With Pod Exec Permissions Created
Sigma Lateral movement by mounting a network share - net use (command) experimental
Sigma Lateral movement detection (based on "special groups" feature) experimental
Kusto Lateral Movement via DCOM available
Elastic Lateral Movement via Startup Folder production
Splunk Linux SSH Remote Services Script Execute production
Elastic Linux SSH X11 Forwarding production
Sigma macOS File Transfer Tool Execution experimental
Sigma macOS Network Share Access experimental
Sigma macOS Remote Execution Tools experimental
Sigma macOS Screen Sharing Session experimental
Sigma macOS SSH Connection Detection experimental
Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
Sigma Metasploit SMB Authentication test
Splunk Microsoft Intune Device Health Scripts production
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Splunk Microsoft Intune Manual Device Management production
Splunk Microsoft Intune Mobile Apps experimental
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share Basic
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Entity
Splunk Mmc LOLBAS Execution Process Spawn production
Sigma MMC Spawning Windows Shell test
Sigma MMC20 Lateral Movement test
Elastic Mounting Hidden or WebDav Remote Shares production
Splunk MSTSC Execution (EDR)
Splunk MSTSC Execution (Windows Event Log)
Kusto Multiple RDP connections from Single System
Sigma Net.EXE Execution test
Splunk Net.exe Use with URL (Sysmon)
Splunk Net.exe Use with URL (Windows Event Log)
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Sigma Network share manipulation via commandline
Elastic Network-Level Authentication (NLA) Disabled production
Sigma New network file share created experimental
Sigma New Remote Desktop Connection Initiated Via Mstsc.EXE test
Elastic NullSessionPipe Registry Modification production
Sigma Number of oustanding SMB requests increased experimental
YARA-L O365 Persistent Login Activity To Azure AD PowerShell App
Sigma OMIGOD HTTP No Authentication RCE - CVE-2021-38647 stable
Sigma OpenCanary - FTP Login Attempt test
Sigma OpenCanary - RDP New Connection Attempt experimental
Sigma OpenCanary - SMB File Open Request test
Sigma OpenCanary - SNMP OID Request test
Sigma OpenCanary - SSH Login Attempt test
Sigma OpenCanary - SSH New Connection Attempt test
Sigma OpenCanary - VNC Connection Attempt test
Sigma OpenEDR Spawning Command Shell experimental
Sigma OpenSSH native server feature installation experimental
Sigma OpenSSH Server Listening On Socket test
Sigma OpenSSH server listening on socket experimental
Sigma OpenSSH service activation on Windows experimental
Panther OSQuery Detected SSH Listener
Sigma Outbound RDP Connections Over Non-Standard Tools test
Elastic Outbound Scheduled Task Activity via PowerShell production
Sigma Password Provided In Command Line Of Net.EXE test
Kusto Pathlock TDnR - HANA Standalone DB Connection Events available
Kusto Pathlock TDnR - RFC Connection Changes available
Kusto Pathlock TDnR - SAP Cloud Connector Events available
Kusto Pathlock TDnR - SAP RFC Gateway Events available
Kusto Pathlock TDnR - SAP Router Log Events available
Sigma Port Forwarding Activity Via SSH.EXE test
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential CobaltStrike Service Installations - Registry test
Sigma Potential DCOM InternetExplorer.Application DLL Hijack test
Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test
Elastic Potential Direct Kubelet Access via Process Arguments production
Elastic Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers production
Splunk Potential EternalBlue via Metasploit (Windows Event Log)
Sigma Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp test
Elastic Potential Execution via SSH Backdoor production
Elastic Potential Internal Linux SSH Brute Force Detected production
Sigma Potential Lateral Movement via Windows Remote Shell experimental
Elastic Potential Lateral Tool Transfer via SMB Share production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential Network Share Discovery production building block
Elastic Potential Outgoing RDP Connection by Unusual Process production building block
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential Ransomware Behavior - Note Files by System production
Elastic Potential Ransomware Note File Dropped via SMB production
Elastic Potential Remote Credential Access via Registry production
Elastic Potential Remote Desktop Shadowing Activity production
Sigma Potential Remote Desktop Tunneling test
Elastic Potential Remote Desktop Tunneling Detected production
Sigma Potential Remote PowerShell Session Initiated test
YARA-L Potential Remote PowerShell Session Initiated
Elastic Potential SharpRDP Behavior production
Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
Elastic Potential THC Tool Downloaded production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell Remote Services Add TrustedHost production
Sigma Privilege Escalation via Named Pipe Impersonation test
Sigma Protected Storage Service Access test
Sigma Psexec Execution test
Sigma PSexec execution over SMB share experimental
Elastic PsExec Network Connection production
Sigma PUA - CSExec Default Named Pipe test
Sigma PUA - RemCom Default Named Pipe test
Sigma Publicly Accessible RDP Service test
Kusto Rare RDP Connections
Elastic RDP (Remote Desktop Protocol) from the Internet production
Sigma RDP BlueeKeep connection closed (CVE-2019-0708) experimental
Splunk RDP Connection (Sysmon)
Splunk RDP Connection (Windows Event Log)
Sigma RDP discovery performed on multiple hosts experimental
Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental
Splunk RDP Enabled (PowerShell)
Splunk RDP Enabled (Sysmon)
Splunk RDP Enabled (Windows Event Log)
Elastic RDP Enabled via Registry production
Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
Splunk RDP File Written by Outlook (Sysmon)
Splunk RDP File Written by Outlook (Windows Event Log)
Sigma RDP Login from Localhost test
Splunk RDP Logon_Logoff Event (Windows Event Log)
Kusto RDP Nesting
Sigma RDP Over Reverse SSH Tunnel test
Sigma RDP over Reverse SSH Tunnel WFP test
Sigma RDP reconnaissance with valid credentials performed on multiple hosts experimental
Sigma RDP shadow session configuration enabled (registry) experimental
Sigma RDP shadow session started (command) experimental
Sigma RDP shadow session started (native) experimental
Sigma RDP to HTTP or HTTPS Target Ports test
Sigma RDP tunneling configuration enabled for port forwarding experimental
Sigma RDP tunneling detected experimental
Sigma RDP tunneling via ngrok detected experimental
Splunk Remote Admin Tools (EDR)
Splunk Remote Admin Tools (PowerShell)
Splunk Remote Admin Tools (Sysmon)
Splunk Remote Admin Tools (Windows Event Log)
Sigma Remote DCOM/WMI Lateral Movement test
Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
Splunk Remote Desktop Network Traffic production
Splunk Remote Desktop Process Running On System experimental
Kusto Remote Desktop Protocol - SharpRDP available
Elastic Remote Execution via File Shares production
Elastic Remote File Copy to a Hidden Share production
Elastic Remote File Creation in World Writeable Directory production
Sigma Remote LSASS Process Access Through Windows Remote Management stable
Sigma Remote PowerShell Session (PS Classic) test
Sigma Remote PowerShell Session (PS Module) test
Sigma Remote PowerShell Session Host Process (WinRM) test
Splunk Remote Process Instantiation via DCOM and PowerShell production
Splunk Remote Process Instantiation via DCOM and PowerShell Script Block production
Splunk Remote Process Instantiation via WinRM and PowerShell production
Splunk Remote Process Instantiation via WinRM and PowerShell Script Block production
Splunk Remote Process Instantiation via WinRM and Winrs production
Elastic Remote Scheduled Task Creation production
Elastic Remote Scheduled Task Creation via RPC production
Sigma Remote Service Activity via SVCCTL Named Pipe test
Sigma Remote shell execution via SMB admin share experimental
Elastic Remote SSH Login Enabled via systemsetup Command production
Elastic Remote Windows Service Installed production
Elastic Remotely Started Services via RPC production
Elastic Renaming of OpenSSH Binaries production
Elastic RPC (Remote Procedure Call) to the Internet production
Sigma Rundll32 Execution Without Parameters test
Sigma Rundll32 UNC Path Execution test
Elastic Service Command Lateral Movement production
Sigma Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958) experimental
Sigma SMB admin share accessed experimental
Elastic SMB Connections via LOLBin or Untrusted Process production
Sigma SMB Create Remote File Admin Share test
Sigma SMB insecure guest authentication activated (native) experimental
Sigma SMB Spoolss Name Piped Usage test
Splunk SMB Traffic Spike experimental
Splunk SMB Write Access on Administrative Share (Windows Event Log)
Kusto SMB/Windows Admin Shares available
Sigma smbexec.py Service Installation test
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Spike in Number of Connections Made from a Source IP production
Elastic Spike in Number of Connections Made to a Destination IP production
Elastic Spike in Number of Processes in an RDP Session production
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Elastic Successful SSH Authentication from Unusual IP Address production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Sigma Suspicious BitLocker Access Agent Update Utility Execution experimental
Elastic Suspicious Cmd Execution via WMI production
Elastic Suspicious Execution from a WebDav Share production
Elastic Suspicious File Renamed via SMB production
Sigma Suspicious New-PSDrive to Admin Share test
Sigma Suspicious permissions modification on a network share experimental
Sigma Suspicious Plink Port Forwarding test
Elastic Suspicious Process Execution via Renamed PsExec Executable production
Sigma Suspicious PsExec Execution test
Sigma Suspicious PsExec Execution - Zeek test
Elastic Suspicious RDP ActiveX Client Loaded production
Sigma Suspicious RDP Redirect Using TSCON test
Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
Sigma Suspicious Speech Runtime Binary Child Process experimental
Sigma Suspicious UltraVNC Execution test
Sigma Suspicious WSMAN Provider Image Loads test
Sigma T1047 Wmiprvse Wbemcomn DLL Hijack test
Sigma Turla Group Lateral Movement test
Sigma Unsigned or Unencrypted SMB Connection to Share Established experimental
Elastic Unusual AWS Command for a User production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual GCP Event for a User production
Elastic Unusual Remote File Creation production
Elastic Unusual Source IP for a User to Logon from production
Elastic Unusual SSHD Child Process production
Elastic Unusual Time or Day for an RDP Session production
Elastic Unusual Windows Network Activity production
Elastic Unusual Windows Remote User production
Sigma User Added to Remote Desktop Users Group test
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - New Campaign Detected available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available
Elastic Virtual Private Network Connection Attempt production
Kusto VMware ESXi - SSH Enable on ESXi Host available
Elastic VNC (Virtual Network Computing) to the Internet production
Sigma Windows Admin Share Mount Via Net.EXE test
Splunk Windows Admin$ Share Access (Sysmon)
Splunk Windows Admin$ Share Access (Windows Event Log)
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Splunk Windows C$ Share Access (EDR)
Splunk Windows C$ Share Access (Sysmon)
Splunk Windows C$ Share Access (Windows Event Log)
Splunk Windows Default RDP File Creation By Non MSTSC Process production
Splunk Windows Default Rdp File Unhidden production
Splunk Windows Excel Spawning Microsoft Project Application production
Sigma Windows Internet Hosted WebDav Share Mount Via Net.EXE test
Splunk Windows IPC$ Share Access (Sysmon)
Splunk Windows IPC$ Share Access (Windows Event Log)
Splunk Windows MSTSC RDP Commandline production
Splunk Windows Process Execution From RDP Share production
Splunk Windows Protocol Tunneling with Plink production
Splunk Windows PUA Named Pipe production
Splunk Windows PuTTY Suite Utility Execution production
Splunk Windows RDP Bitmap Cache File Creation production
Splunk Windows RDP Client Launched with Admin Session production
Splunk Windows RDP File Execution production
Splunk Windows RDP Login Session Was Established production
Splunk Windows RDP Server Registry Entry Created production
Elastic Windows Registry File Creation in SMB Share production
Splunk Windows Remote Host Computer Management Access production
Splunk Windows Remote Management Execute Shell production
Splunk Windows Remote Service Rdpwinst Tool Execution production
Splunk Windows Remote Services Allow Rdp In Firewall production
Splunk Windows Remote Services Allow Remote Assistance production
Splunk Windows Remote Services Rdp Enable production
Splunk Windows RMM Named Pipe production
Sigma Windows Share Mount Via Net.EXE test
Splunk Windows Share Multiple File Access (Windows Event Log)
Splunk Windows Special Privileged Logon On Multiple Hosts production
Splunk Windows SpeechRuntime COM Hijacking DLL Load production
Splunk Windows SpeechRuntime Suspicious Child Process production
Splunk Windows Suspicious C2 Named Pipe production
Splunk Windows Suspicious Named Pipe production
Splunk Windows Theme File Creation in Unusual Location production
Sigma WinRM listening service reconnaissance (process) experimental
Sigma WinRM listening service reconnaissance (WS-Management) experimental
Kusto WinRM Plugin Lateral Movement
Splunk WinRM Tools (PowerShell)
Splunk WinRM Tools (Sysmon)
Splunk WinRM Tools (Windows Event Log)
Sigma Winrs Local Command Execution experimental
Sigma WinRS usage for remote execution
Elastic WMI Incoming Lateral Movement production
Elastic WMIC Remote Command production building block
Sigma Wmiprvse Wbemcomn DLL Hijack test
Sigma Wmiprvse Wbemcomn DLL Hijack - File test
Splunk Wsmprovhost LOLBAS Execution Process Spawn production
Kusto Zero Networks Segment - Rare JIT Rule Creation available

Remote Services: Remote Desktop Protocol T1021.001 80 rules

Splunk Allow Inbound Traffic By Firewall Rule Registry production
Splunk Allow Inbound Traffic In Firewall Rule production
Sigma Denied Access To Remote Desktop test
Sigma Denied RDP login with valid credentials experimental
Kusto Detect service account login on new device
Kusto Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device
Kusto Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device
Elastic Execution via TSClient Mountpoint production
Sigma Hermetic Wiper TG Process Patterns test
Elastic High Mean of Process Arguments in an RDP Session production
Elastic High Mean of RDP Session Duration production
Elastic High Variance in RDP Session Duration production
Kusto Hunt for devices doing first RDP session
Kusto Hunt for RDP sessions to unmanaged and non TPM devices
Elastic Lateral Movement via Startup Folder production
Splunk MSTSC Execution (EDR)
Splunk MSTSC Execution (Windows Event Log)
Elastic Network-Level Authentication (NLA) Disabled production
Sigma New Remote Desktop Connection Initiated Via Mstsc.EXE test
Sigma OpenCanary - RDP New Connection Attempt experimental
Sigma Outbound RDP Connections Over Non-Standard Tools test
Sigma Port Forwarding Activity Via SSH.EXE test
Elastic Potential Outgoing RDP Connection by Unusual Process production building block
Elastic Potential Remote Desktop Shadowing Activity production
Elastic Potential Remote Desktop Tunneling Detected production
Elastic Potential SharpRDP Behavior production
Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
Sigma Publicly Accessible RDP Service test
Elastic RDP (Remote Desktop Protocol) from the Internet production
Sigma RDP BlueeKeep connection closed (CVE-2019-0708) experimental
Splunk RDP Connection (Sysmon)
Splunk RDP Connection (Windows Event Log)
Sigma RDP discovery performed on multiple hosts experimental
Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental
Splunk RDP Enabled (PowerShell)
Splunk RDP Enabled (Sysmon)
Splunk RDP Enabled (Windows Event Log)
Elastic RDP Enabled via Registry production
Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
Splunk RDP File Written by Outlook (Sysmon)
Splunk RDP File Written by Outlook (Windows Event Log)
Sigma RDP Login from Localhost test
Splunk RDP Logon_Logoff Event (Windows Event Log)
Sigma RDP Over Reverse SSH Tunnel test
Sigma RDP over Reverse SSH Tunnel WFP test
Sigma RDP reconnaissance with valid credentials performed on multiple hosts experimental
Sigma RDP shadow session configuration enabled (registry) experimental
Sigma RDP shadow session started (command) experimental
Sigma RDP shadow session started (native) experimental
Sigma RDP to HTTP or HTTPS Target Ports test
Sigma RDP tunneling configuration enabled for port forwarding experimental
Sigma RDP tunneling detected experimental
Sigma RDP tunneling via ngrok detected experimental
Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
Splunk Remote Desktop Network Traffic production
Splunk Remote Desktop Process Running On System experimental
Kusto Remote Desktop Protocol - SharpRDP available
Elastic Spike in Number of Connections Made from a Source IP production
Elastic Spike in Number of Connections Made to a Destination IP production
Elastic Spike in Number of Processes in an RDP Session production
Sigma Suspicious Plink Port Forwarding test
Elastic Suspicious RDP ActiveX Client Loaded production
Sigma Suspicious RDP Redirect Using TSCON test
Elastic Unusual Time or Day for an RDP Session production
Elastic Unusual Windows Remote User production
Sigma User Added to Remote Desktop Users Group test
Splunk Windows Default RDP File Creation By Non MSTSC Process production
Splunk Windows Default Rdp File Unhidden production
Splunk Windows MSTSC RDP Commandline production
Splunk Windows Process Execution From RDP Share production
Splunk Windows RDP Bitmap Cache File Creation production
Splunk Windows RDP Client Launched with Admin Session production
Splunk Windows RDP File Execution production
Splunk Windows RDP Login Session Was Established production
Splunk Windows RDP Server Registry Entry Created production
Splunk Windows Remote Service Rdpwinst Tool Execution production
Splunk Windows Remote Services Allow Rdp In Firewall production
Splunk Windows Remote Services Allow Remote Assistance production
Splunk Windows Remote Services Rdp Enable production

Remote Services: SMB/Windows Admin Shares T1021.002 108 rules

Sigma Access To ADMIN$ Network Share test
Kusto Anomaly in SMB Traffic(ASIM Network Session schema) available
Elastic Attempt to Mount SMB Share via Command Line production
Sigma CobaltStrike Service Installations - Security test
Sigma CobaltStrike Service Installations - System test
Sigma Copy From Or To Admin Share Or Sysvol Folder test
YARA-L Copy From Or To Admin Share Or Sysvol Folder
Sigma DCERPC SMB Spoolss Named Pipe test
Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test
Splunk Detect PsExec With accepteula Flag production
Kusto Detect service account login on new device
Kusto Detect Unknown process using SMB or WinRM
Splunk Executable File Written in Administrative SMB Share production
Sigma First Time Seen Remote Named Pipe test
Sigma First Time Seen Remote Named Pipe - Zeek test
Sigma HackTool - NetExec File Indicators experimental
Sigma HackTool - SharpMove Tool Execution test
Kusto Hunt for ADWS requests from unknown devices
Splunk Impacket Lateral Movement Activity (Sysmon)
Splunk Impacket Lateral Movement Activity (Windows Event Log)
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Sigma Impacket PsExec Execution test
Sigma Impacket WMIexec execution via SMB admin share experimental
Sigma Lateral movement by mounting a network share - net use (command) experimental
Sigma Lateral movement detection (based on "special groups" feature) experimental
Elastic Lateral Movement via Startup Folder production
Sigma macOS Network Share Access experimental
Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
Sigma Metasploit SMB Authentication test
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share Basic
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment
YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Entity
Elastic Mounting Hidden or WebDav Remote Shares production
Sigma Net.EXE Execution test
Splunk Net.exe Use with URL (Sysmon)
Splunk Net.exe Use with URL (Windows Event Log)
Sigma Network share manipulation via commandline
Sigma New network file share created experimental
Elastic NullSessionPipe Registry Modification production
Sigma Number of oustanding SMB requests increased experimental
Sigma Password Provided In Command Line Of Net.EXE test
Sigma Potential CobaltStrike Service Installations - Registry test
Sigma Potential DCOM InternetExplorer.Application DLL Hijack test
Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test
Splunk Potential EternalBlue via Metasploit (Windows Event Log)
Elastic Potential Lateral Tool Transfer via SMB Share production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential Network Share Discovery production building block
Elastic Potential PowerShell HackTool Script by Function Names production
Elastic Potential Ransomware Behavior - Note Files by System production
Elastic Potential Ransomware Note File Dropped via SMB production
Sigma Protected Storage Service Access test
Sigma PSexec execution over SMB share experimental
Elastic PsExec Network Connection production
Sigma PUA - CSExec Default Named Pipe test
Sigma PUA - RemCom Default Named Pipe test
Elastic Remote Execution via File Shares production
Elastic Remote File Copy to a Hidden Share production
Sigma Remote Service Activity via SVCCTL Named Pipe test
Sigma Remote shell execution via SMB admin share experimental
Elastic Remote Windows Service Installed production
Sigma Rundll32 Execution Without Parameters test
Sigma Rundll32 UNC Path Execution test
Elastic Service Command Lateral Movement production
Sigma Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958) experimental
Sigma SMB admin share accessed experimental
Elastic SMB Connections via LOLBin or Untrusted Process production
Sigma SMB Create Remote File Admin Share test
Sigma SMB insecure guest authentication activated (native) experimental
Sigma SMB Spoolss Name Piped Usage test
Splunk SMB Traffic Spike experimental
Splunk SMB Write Access on Administrative Share (Windows Event Log)
Kusto SMB/Windows Admin Shares available
Sigma smbexec.py Service Installation test
Elastic Suspicious Execution from a WebDav Share production
Elastic Suspicious File Renamed via SMB production
Sigma Suspicious New-PSDrive to Admin Share test
Sigma Suspicious permissions modification on a network share experimental
Elastic Suspicious Process Execution via Renamed PsExec Executable production
Sigma Suspicious PsExec Execution test
Sigma Suspicious PsExec Execution - Zeek test
Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
Sigma T1047 Wmiprvse Wbemcomn DLL Hijack test
Sigma Turla Group Lateral Movement test
Sigma Unsigned or Unencrypted SMB Connection to Share Established experimental
Sigma Windows Admin Share Mount Via Net.EXE test
Splunk Windows Admin$ Share Access (Sysmon)
Splunk Windows Admin$ Share Access (Windows Event Log)
Splunk Windows C$ Share Access (EDR)
Splunk Windows C$ Share Access (Sysmon)
Splunk Windows C$ Share Access (Windows Event Log)
Sigma Windows Internet Hosted WebDav Share Mount Via Net.EXE test
Splunk Windows IPC$ Share Access (Sysmon)
Splunk Windows IPC$ Share Access (Windows Event Log)
Splunk Windows PUA Named Pipe production
Elastic Windows Registry File Creation in SMB Share production
Splunk Windows RMM Named Pipe production
Sigma Windows Share Mount Via Net.EXE test
Splunk Windows Share Multiple File Access (Windows Event Log)
Splunk Windows Special Privileged Logon On Multiple Hosts production
Splunk Windows Suspicious C2 Named Pipe production
Splunk Windows Suspicious Named Pipe production
Splunk Windows Theme File Creation in Unusual Location production
Sigma Wmiprvse Wbemcomn DLL Hijack test
Sigma Wmiprvse Wbemcomn DLL Hijack - File test

Remote Services: Distributed Component Object Model T1021.003 42 rules

Sigma BaaUpdate.exe Suspicious DLL Load experimental
Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test
Kusto DCOM Lateral Movement available
Sigma DCOM lateral movement (via MMC20) experimental
Kusto Detect service account login on new device
Kusto Detecting Macro Invoking ShellBrowserWindow COM Objects available
Sigma HackTool - Potential Impacket Lateral Movement Activity stable
Sigma Impacket DCOMexec privilege abuse via MMC experimental
Sigma Impacket DCOMexec process abuse via MMC experimental
Splunk Impacket Lateral Movement Commandline Parameters production
Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
Elastic Incoming DCOM Lateral Movement via MSHTA production
Elastic Incoming DCOM Lateral Movement with MMC production
Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
Splunk Invoke-DCOM.ps1 - PowerShell (PowerShell)
Splunk Invoke-DCOM.ps1 - PowerShell (Sysmon)
Splunk Invoke-DCOM.ps1 - PowerShell (Windows Event Log)
Kusto Lateral Movement via DCOM available
Splunk Mmc LOLBAS Execution Process Spawn production
Sigma MMC Spawning Windows Shell test
Sigma MMC20 Lateral Movement test
Elastic Outbound Scheduled Task Activity via PowerShell production
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential DCOM InternetExplorer.Application DLL Hijack test
Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test
Sigma Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp test
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Remote DCOM/WMI Lateral Movement test
Splunk Remote Process Instantiation via DCOM and PowerShell production
Splunk Remote Process Instantiation via DCOM and PowerShell Script Block production
Elastic RPC (Remote Procedure Call) to the Internet production
Sigma Suspicious BitLocker Access Agent Update Utility Execution experimental
Elastic Suspicious Cmd Execution via WMI production
Sigma Suspicious Speech Runtime Binary Child Process experimental
Sigma Suspicious WSMAN Provider Image Loads test
Splunk Windows Excel Spawning Microsoft Project Application production
Splunk Windows SpeechRuntime COM Hijacking DLL Load production
Splunk Windows SpeechRuntime Suspicious Child Process production
Elastic WMI Incoming Lateral Movement production
Elastic WMIC Remote Command production building block

Remote Services: SSH T1021.004 41 rules

Elastic AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization production
Elastic AWS EC2 Instance Connect SSH Public Key Uploaded production
Sigma Bitbucket Global SSH Settings Changed test
Sigma Bitbucket User Login Failure Via SSH test
Splunk Cisco IOS XE Remote Access Probe Burst production
Splunk Cisco Privileged Account Creation with HTTP Command Execution production
Splunk Cisco Privileged Account Creation with Suspicious SSH Activity production
Splunk Cisco Secure Firewall - SSH Connection to Non-Standard Port production
Splunk Cisco Secure Firewall - SSH Connection to sshd_operns production
Splunk ESXi SSH Enabled production
Splunk Linux SSH Remote Services Script Execute production
Elastic Linux SSH X11 Forwarding production
Sigma macOS File Transfer Tool Execution experimental
Sigma macOS SSH Connection Detection experimental
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Sigma OpenEDR Spawning Command Shell experimental
Sigma OpenSSH native server feature installation experimental
Sigma OpenSSH Server Listening On Socket test
Sigma OpenSSH server listening on socket experimental
Sigma OpenSSH service activation on Windows experimental
Sigma Port Forwarding Activity Via SSH.EXE test
Elastic Potential Execution via SSH Backdoor production
Elastic Potential Internal Linux SSH Brute Force Detected production
Elastic Potential Remote Desktop Tunneling Detected production
Elastic Potential THC Tool Downloaded production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Remote File Creation in World Writeable Directory production
Elastic Remote SSH Login Enabled via systemsetup Command production
Elastic Renaming of OpenSSH Binaries production
Panther Signal - VPC Flow Logs Allowed SSH
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Elastic Successful SSH Authentication from Unusual IP Address production
Elastic Successful SSH Authentication from Unusual SSH Public Key production
Elastic Successful SSH Authentication from Unusual User production
Elastic Unusual Remote File Creation production
Elastic Unusual SSHD Child Process production
Splunk Windows Protocol Tunneling with Plink production
Splunk Windows PuTTY Suite Utility Execution production
Panther Wiz Issue Followed By SSH to EC2 Instance

Remote Services: VNC T1021.005 4 rules

Panther AWS EC2 Multi Instance Connect Experimental
Sigma macOS Screen Sharing Session experimental
Sigma Suspicious UltraVNC Execution test
Elastic VNC (Virtual Network Computing) to the Internet production

Remote Services: Windows Remote Management T1021.006 37 rules

Elastic Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM production building block
Kusto Detect service account login on new device
Kusto Detect Unknown process launched via WinRM
Kusto Detect Unknown process using SMB or WinRM
Sigma Enable Windows Remote Management test
Sigma Execute Invoke-command on Remote Host test
Sigma HackTool - WinRM Access Via Evil-WinRM test
Splunk Impacket SMBexec (Windows Event Log)
Elastic Incoming Execution via PowerShell Remoting production
Elastic Incoming Execution via WinRM Remote Shell production
Splunk Interactive Session on Remote Endpoint with PowerShell production
Sigma OMIGOD HTTP No Authentication RCE - CVE-2021-38647 stable
Splunk Possible Lateral Movement PowerShell Spawn production
Sigma Potential Lateral Movement via Windows Remote Shell experimental
Elastic Potential PowerShell HackTool Script by Function Names production
Sigma Potential Remote PowerShell Session Initiated test
YARA-L Potential Remote PowerShell Session Initiated
Splunk Powershell Remote Services Add TrustedHost production
Sigma Remote LSASS Process Access Through Windows Remote Management stable
Sigma Remote PowerShell Session (PS Classic) test
Sigma Remote PowerShell Session (PS Module) test
Sigma Remote PowerShell Session Host Process (WinRM) test
Splunk Remote Process Instantiation via WinRM and PowerShell production
Splunk Remote Process Instantiation via WinRM and PowerShell Script Block production
Splunk Remote Process Instantiation via WinRM and Winrs production
Splunk Windows Remote Host Computer Management Access production
Splunk Windows Remote Management Execute Shell production
Sigma WinRM listening service reconnaissance (process) experimental
Sigma WinRM listening service reconnaissance (WS-Management) experimental
Kusto WinRM Plugin Lateral Movement
Splunk WinRM Tools (PowerShell)
Splunk WinRM Tools (Sysmon)
Splunk WinRM Tools (Windows Event Log)
Sigma Winrs Local Command Execution experimental
Sigma WinRS usage for remote execution
Elastic WMIC Remote Command production building block
Splunk Wsmprovhost LOLBAS Execution Process Spawn production

Remote Services: Cloud Services T1021.007 19 rules

Sigma AWS Console GetSigninToken Potential Abuse test
Panther AWS Console GetSigninToken Potential Abuse Experimental
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
Elastic AWS SSM Session Started to EC2 Instance production
Panther EKS Audit Log Reporting system Namespace is Used From A Public IP
Panther Intune Create or Modify Client App
Panther Intune New Device Management Script
Panther Kubernetes System Principal Accessed from Non-Cloud Public IP Experimental
Splunk Microsoft Intune Device Health Scripts production
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Splunk Microsoft Intune Manual Device Management production
Splunk Microsoft Intune Mobile Apps experimental
Panther MongoDB access allowed from anywhere
YARA-L O365 Persistent Login Activity To Azure AD PowerShell App
Elastic Unusual AWS Command for a User production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual GCP Event for a User production
Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production

Remote Services: Direct Cloud VM Connections T1021.008 4 rules

Software Deployment Tools T1072 31 rules

Kusto Azure DevOps Pipeline Created and Deleted on the Same Day available
Kusto BTP - Malware detected in BAS dev space available
Splunk Detection of tools built by NirSoft experimental
Panther GitHub Artifact Download from Cross-Fork Workflow
Panther GitHub Cross-Fork Workflow Run
Panther GitHub Malicious Issue/Pages Content
Panther GitHub Malicious Pull Request Content
Panther GitHub pull_request_target Workflow on Self-Hosted Runner
Panther GitHub pull_request_target Workflow Usage
Panther GitHub pull_request_target Workflow with Checkout Action
Panther GitHub Workflow Contains Checkout Action
Panther GitHub Workflow Using Self-Hosted Runner
Panther Intune Create or Modify Client App
Panther Intune New Device Management Script
Splunk Microsoft Intune Device Health Scripts production
Splunk Microsoft Intune DeviceManagementConfigurationPolicies production
Splunk Microsoft Intune Manual Device Management production
Splunk Microsoft Intune Mobile Apps experimental
Kusto New EXE deployed via Default Domain or Default Domain Controller Policies available
Kusto New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
Elastic New GitHub App Installed production
Sigma PDQ Deploy Remote Adminstartion Tool Execution test
Elastic Potential WSUS Abuse for Lateral Movement production
Sigma PUA - Radmin Viewer Utility Execution test
Splunk Radmin execution (EDR)
Splunk Radmin execution (Sysmon)
Splunk Radmin execution (Windows Event Log)
Sigma Restricted Software Access By SRP test
Sigma Suspicious Csi.exe Usage test
Elastic Suspicious Curl to Jamf Endpoint production
Elastic Tool Installation Detected via Defend for Containers production

Taint Shared Content T1080 4 rules

Elastic M365 OneDrive Malware File Upload production
Elastic M365 SharePoint Malware File Detected production
Splunk Temporary File Executed from Public Folder (Sysmon)
Splunk Temporary File Executed from Public Folder (Windows Event Log)

Replication Through Removable Media T1091 9 rules

Elastic Execution from a Removable Media with Network Connection production
Sigma External Disk Drive Or USB Storage Device Was Recognized By The System test
Elastic First Time Seen Removable Device production
Elastic New USB Storage Device Mounted production
Splunk Removable Media Detected (Windows Event Log)
Splunk Windows Process Executed From Removable Media production
Splunk Windows Replication Through Removable Media production
Splunk Windows USBSTOR Registry Key Modification production
Splunk Windows WPDBusEnum Registry Key Modification production

Exploitation of Remote Services T1210 69 rules

Elastic Abnormally Large DNS Response production
Splunk Active Directory Lateral Movement Identified production
Kusto Anomaly found in Network Session Traffic (ASIM Network Session schema) available
Kusto Apache - Apache 2.4.49 flaw CVE-2021-41773 available
Sigma Apache Threading Error test
Sigma Audit CVE Event test
Panther AWS Security Group Restricts Inter-SG Traffic
Splunk Cisco Secure Firewall - Lumma Stealer Activity production
Splunk Cisco Secure Firewall - Static Tundra Smart Install Abuse production
Splunk Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity production
Kusto Dataverse - TI map IP to DataverseActivity available
Splunk Detect Computer Changed with Anonymous Account production
Kusto Detect CVE exploits on network for which a device is vulnerable
Sigma DNS Query Request By QuickAssist.EXE experimental
Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available
Sigma Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC test
Sigma Exploitation Attempt Of CVE-2023-46214 Using Public POC Code test
Kusto Gain Code Execution on ADFS Server via Remote WMI Execution
Kusto Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task available
Kusto GitHub Security Vulnerability in Repository
Sigma HackTool - SharpWSUS/WSUSpendu Execution test
Elastic High Mean of Process Arguments in an RDP Session production
Elastic High Mean of RDP Session Duration production
Elastic High Variance in RDP Session Duration production
Splunk Impacket Lateral Movement Activity (Sysmon)
Splunk Impacket Lateral Movement Activity (Windows Event Log)
Elastic Microsoft Exchange Server UM Spawning Suspicious Processes production
Elastic Microsoft Exchange Server UM Writing Suspicious Files production
Kusto NRT GravityZone Incident Alerts available
Sigma OMIGOD HTTP No Authentication RCE - CVE-2021-38647 stable
Kusto Oracle suspicious command execution available
Sigma Possible Exploitation of Exchange RCE CVE-2021-42321 test
Sigma Potential CVE-2023-46214 Exploitation Attempt test
Splunk Potential network connection with CVE-2023-21554 (Sysmon)
Splunk Potential network connection with CVE-2023-21554 (Windows Event Log)
Sigma Potential RDP Exploit CVE-2019-0708 test
Elastic Potential Telnet Authentication Bypass (CVE-2026-24061) production
Elastic Potential WSUS Abuse for Lateral Movement production
Kusto Power Platform - Possibly compromised user accesses Power Platform services available
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Remote domain controller password reset (Zerologon) experimental
Sigma Scanner PoC for CVE-2019-0708 RDP RCE Vuln test
Kusto Sentinel One - Same custom rule triggered on different hosts available
Kusto Service Accounts Performing Remote PS available
Kusto Several deny actions registered available
YARA-L SharePoint CVE-2025-49706 Exploitation
Elastic Spike in Number of Connections Made from a Source IP production
Elastic Spike in Number of Connections Made to a Destination IP production
Elastic Spike in Number of Processes in an RDP Session production
Elastic Spike in Remote File Transfers production
Sigma Suspicious SysAidServer Child test
Elastic Telnet Authentication Bypass via User Environment Variable production
Sigma Terminal Service Process Spawn test
Elastic Unusual Child Process of dns.exe production
Elastic Unusual File Operation by dns.exe production
Elastic Unusual Process For MSSQL Service Accounts production building block
Elastic Unusual Remote File Directory production
Elastic Unusual Remote File Extension production
Elastic Unusual Remote File Size production
Elastic Unusual Time or Day for an RDP Session production
Splunk VMWare Aria Operations Exploit Attempt production
Kusto VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)
Kusto VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)
Sigma WannaCry Ransomware Activity test
Splunk ZeroLogon CVE-2020-1472 (Windows Event Log)
Sigma Zerologon Exploitation Using Well-known Tools stable

Internal Spearphishing T1534 4 rules

Elastic AWS SNS Topic Message Publish by Rare User production
Kusto Mimecast Secure Email Gateway - Internal Email Protect available
Kusto Mimecast Secure Email Gateway - Internal Email Protect
Kusto Power Apps - Bulk sharing of Power Apps to newly created guest users available

Use Alternate Authentication Material T1550 123 rules

Panther AppOmni Alert Passthrough
Splunk AWS Bedrock Invoke Model Access Denied production
Sigma AWS Console GetSigninToken Potential Abuse test
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS First Occurrence of STS GetFederationToken Request by User production
Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
YARA-L AWS Lateral Movement Using IAM Session Token
Elastic AWS Sign-In Token Created production building block
Sigma AWS STS AssumeRole Misuse test
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS GetFederationToken with AdministratorAccess in Request production
Sigma AWS STS GetSessionToken Misuse test
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by Service production
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Suspicious SAML Activity test
Panther AWS User API Key Created
Panther AWS User Login Profile Created or Modified
Panther Azure Device Code Authentication with Broker Client
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Panther Databricks Long-Lifetime Token Generated Experimental
Panther DEPRECATED - AWS User Login Profile Modified
Elastic Direct Interactive Kubernetes API Request Detected via Defend for Containers production
Panther Enabled Zendesk Support to Assume Users
Elastic Entra ID Actor Token User Impersonation Abuse production
Elastic Entra ID ADRS Token Request by Microsoft Authentication Broker production
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID Kali365 Default User-Agent Detected production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID User Sign-in with Unusual Authentication Type production
Elastic Entra ID User Sign-in with Unusual Client production
Kusto First access credential added to Application or Service Principal where no credential was present available
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Kusto full_access_as_app Granted To Application available
Panther GAIA GCPW Credential Theft Attack Chain
Kusto GCP IAM - Empty user agent available
Kusto GCP IAM - New Authentication Token for Service Account available
Kusto GCP IAM - New Service Account Key available
YARA-L GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage
Panther Google Workspace Login Type Anomaly
Panther Google Workspace OAuth Token Requests from New IP
Panther Google Workspace Rapid Multi-IP Authentication
Kusto GWorkspace - API Access Granted available
Sigma HackTool - KrbRelayUp Execution test
Sigma HackTool - Rubeus Execution stable
Sigma HackTool - Rubeus Execution - ScriptBlock test
Sigma Hacktool Ruler test
YARA-L Hunt for Expired Tokens Attempting to sign-in to Entra ID
Splunk Kerberos TGT Request Using RC4 Encryption production
Elastic Kerberos Traffic from Unusual Process production
Elastic Kubeconfig File Creation or Modification production
Elastic Kubernetes API Server Proxying Request to Kubelet production
Elastic Local Account TokenFilter Policy Disabled production
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Kusto Microsoft Entra ID Hybrid Health AD FS Suspicious Application available
Elastic Microsoft Graph Request Email Access by Unusual User and Client production
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Sigma Mimikatz Pass-the-hash login experimental
Splunk Mimikatz PassTheTicket CommandLine Parameters production
Elastic Multiple Device Token Hashes for Single Okta Session production
Elastic Multiple Okta Sessions Detected for a Single User production
Kusto New access credential added to Application or Service Principal available
Kusto NRT First access credential added to Application or Service Principal where no credential was present
Kusto NRT New access credential added to Application or Service Principal available
Sigma NTLM Logon test
Sigma NTLMv1 Logon Between Client and Server test
Elastic Okta AiTM Session Cookie Replay production
YARA-L Okta Multiple Failed Requests To Access Applications
Splunk Okta Multiple Failed Requests to Access Applications experimental
Panther OneLogin Active Login Activity
YARA-L OneLogin Multiple Users Assumed
Panther OneLogin Unauthorized Access
Panther OneLogin User Assumed Another User
Panther OpenAI Anomalous API Key Activity
Sigma Outgoing Logon with New Credentials test
Sigma Pass the Hash Activity 2 stable
Splunk Pass-the-Hash (Windows Event Log)
Elastic Potential Impersonation Attempt via Kubectl production
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential Kerberos Attack via Bifrost production
Elastic Potential Kerberos Relay Attack against a Computer Account production
Elastic Potential Pass-the-Hash (PtH) Attempt production
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Refresh Token Exchange from Excessive Locations experimental
Sigma Refresh Token Exchange from Multiple User Agents experimental
Sigma Refresh Token Reuse Detection experimental
Splunk Rubeus Command Line Parameters production
Splunk Rubeus Kerberos Ticket Exports Through Winlogon Access production
Panther Salesforce OAuth Credential Abuse Detection
Panther Salesforce Third-Party Integration Monitoring
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Sigma Successful Overpass the Hash Attempt test
Kusto Suspicious application consent similar to O365 Attack Toolkit available
Kusto Suspicious application consent similar to PwnAuth available
Elastic Suspicious Kerberos Authentication Ticket Request production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production
Sigma Uncommon Outbound Kerberos Connection test
Splunk Unknown Process Using The Kerberos Protocol production
Kusto UnPAC the hash
Elastic Unusual Process Connection to Docker or Containerd Socket production
Splunk Windows AD Suspicious Attribute Modification production
Splunk Windows Process With NetExec Command Line Parameters production
Splunk Windows Steal Authentication Certificates - ESC1 Authentication production

Use Alternate Authentication Material: Application Access Token T1550.001 55 rules

Sigma AWS Console GetSigninToken Potential Abuse test
Panther AWS Console GetSigninToken Potential Abuse Experimental
Elastic AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure production
Elastic AWS EC2 Instance Console Login via Assumed Role production
Elastic AWS First Occurrence of STS GetFederationToken Request by User production
Elastic AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity production
Elastic AWS Sign-In Token Created production building block
Sigma AWS STS AssumeRole Misuse test
Elastic AWS STS AssumeRole with New MFA Device production
Elastic AWS STS GetFederationToken with AdministratorAccess in Request production
Panther AWS STS GetSessionToken by IAM User Experimental
Sigma AWS STS GetSessionToken Misuse test
Elastic AWS STS GetSessionToken Usage production building block
Elastic AWS STS Role Assumption by Service production
Elastic AWS STS Role Assumption by User production
Elastic AWS STS Role Chaining production
Sigma AWS Suspicious SAML Activity test
Panther Azure Device Code Authentication with Broker Client
Panther Azure Microsoft Graph Single Session from Multiple IP Addresses Experimental
Elastic Direct Interactive Kubernetes API Request Detected via Defend for Containers production
Elastic Entra ID Actor Token User Impersonation Abuse production
Elastic Entra ID Concurrent Sign-in with Suspicious Properties production
Elastic Entra ID Kali365 Default User-Agent Detected production
Elastic Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN production
Elastic Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource production
Elastic Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource production
Elastic Entra ID OAuth Device Code Grant by Microsoft Authentication Broker production
Elastic Entra ID OAuth Device Code Grant by Unusual User production
Elastic Entra ID OAuth Device Code Phishing via AiTM production
Elastic Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) production
Elastic Entra ID OAuth Phishing via First-Party Microsoft Application production
Elastic Entra ID OAuth PRT Issuance to Non-Managed Device Detected production
Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Entra ID OAuth user_impersonation Scope for Unusual User and Client production
Elastic Entra ID Service Principal Federated Credential Authentication by Unusual Client production
Elastic Entra ID User Sign-in with Unusual Client production
Kusto First access credential added to Application or Service Principal where no credential was present available
Elastic First Occurrence GitHub Event for a Personal Access Token (PAT) production building block
Elastic First Occurrence of IP Address For GitHub Personal Access Token (PAT) production building block
Elastic First Occurrence of User Agent For a GitHub Personal Access Token (PAT) production building block
Elastic First Time Seen Google Workspace OAuth Login from Third-Party Application production
Kusto full_access_as_app Granted To Application available
YARA-L GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage
YARA-L Hunt for Expired Tokens Attempting to sign-in to Entra ID
Elastic Kubernetes API Server Proxying Request to Kubelet production
Panther Kubernetes Service Account Token Theft from Pod
Elastic M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs production
Elastic Microsoft Graph Request Email Access by Unusual User and Client production
Elastic Microsoft Graph Request User Impersonation by Unusual Client production
Kusto New access credential added to Application or Service Principal available
Kusto NRT First access credential added to Application or Service Principal where no credential was present
Elastic Potential Impersonation Attempt via Kubectl production
Sigma Refresh Token Reuse Detection experimental
Elastic Service Account Token or Certificate Access Followed by Kubernetes API Request production
Elastic Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials production

Use Alternate Authentication Material: Pass the Hash T1550.002 16 rules

Sigma Hacktool Ruler test
Elastic Local Account TokenFilter Policy Disabled production
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
Sigma Mimikatz Pass-the-hash login experimental
Sigma NTLM Logon test
Sigma NTLMv1 Logon Between Client and Server test
Sigma Pass the Hash Activity 2 stable
Splunk Pass-the-Hash (Windows Event Log)
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential Kerberos Attack via Bifrost production
Elastic Potential Pass-the-Hash (PtH) Attempt production
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Successful Overpass the Hash Attempt test

Use Alternate Authentication Material: Pass the Ticket T1550.003 13 rules

Sigma HackTool - KrbRelayUp Execution test
Sigma HackTool - Rubeus Execution stable
Sigma HackTool - Rubeus Execution - ScriptBlock test
Elastic Kerberos Traffic from Unusual Process production
Splunk Mimikatz PassTheTicket CommandLine Parameters production
Elastic Potential Invoke-Mimikatz PowerShell Script production
Elastic Potential Kerberos Attack via Bifrost production
Splunk Rubeus Command Line Parameters production
Splunk Rubeus Kerberos Ticket Exports Through Winlogon Access production
Elastic Suspicious Kerberos Authentication Ticket Request production
Sigma Uncommon Outbound Kerberos Connection test
Kusto UnPAC the hash
Splunk Windows Process With NetExec Command Line Parameters production

Use Alternate Authentication Material: Web Session Cookie T1550.004 8 rules

Elastic Entra ID OAuth User Impersonation to Microsoft Graph production
Elastic Multiple Device Token Hashes for Single Okta Session production
Elastic Multiple Okta Sessions Detected for a Single User production
Elastic Okta AiTM Session Cookie Replay production
YARA-L Okta Multiple Failed Requests To Access Applications
Splunk Okta Multiple Failed Requests to Access Applications experimental
Sigma Refresh Token Exchange from Excessive Locations experimental
Sigma Refresh Token Exchange from Multiple User Agents experimental

Remote Service Session Hijacking T1563 18 rules

Sigma macOS Remote Execution Tools experimental
Sigma macOS Screen Sharing Session experimental
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic Potential Execution via SSH Backdoor production
Sigma Potential MSTSC Shadowing Activity test
Elastic Potential Remote Desktop Shadowing Activity production
Elastic Potential THC Tool Downloaded production
Splunk RDP Hijacking (Windows Event Log)
Sigma RDP session hijack via service creation abuse experimental
Sigma RDP session hijack via TSCON abuse command experimental
Elastic Renaming of OpenSSH Binaries production
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Sigma Suspicious RDP Redirect Using TSCON test
Elastic Unusual SSHD Child Process production
Splunk Windows RDP Connection Successful production
Splunk Windows Service Create with Tscon production

Remote Service Session Hijacking: SSH Hijacking T1563.001 8 rules

Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic Potential Execution via SSH Backdoor production
Elastic Potential THC Tool Downloaded production
Elastic Renaming of OpenSSH Binaries production
Elastic SSH Authorized Key File Activity Detected via Defend for Containers production
Elastic SSH Authorized Keys File Activity production
Elastic SSH Key Generated via ssh-keygen production
Elastic Unusual SSHD Child Process production

Remote Service Session Hijacking: RDP Hijacking T1563.002 8 rules

Sigma Potential MSTSC Shadowing Activity test
Elastic Potential Remote Desktop Shadowing Activity production
Splunk RDP Hijacking (Windows Event Log)
Sigma RDP session hijack via service creation abuse experimental
Sigma RDP session hijack via TSCON abuse command experimental
Sigma Suspicious RDP Redirect Using TSCON test
Splunk Windows RDP Connection Successful production
Splunk Windows Service Create with Tscon production

Lateral Tool Transfer T1570 46 rules

Kusto Azure VM Run Command operation executed during suspicious login window
Kusto Azure VM Run Command operations executing a unique PowerShell script
Sigma BITS payload downloaded via commandline experimental
Sigma BITS payload downloaded via PowerShell experimental
Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Splunk Esentutl Execution (PowerShell)
Splunk Esentutl Execution (Sysmon)
Splunk Esentutl Execution (Windows Event Log)
Elastic Execution via TSClient Mountpoint production
Sigma File with high volume downloaded via BITS experimental
Kusto Identify Mango Sandstorm powershell commands
Elastic Lateral Movement via Startup Folder production
Sigma macOS File Transfer Tool Execution experimental
Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
Splunk Meterpreter Reverse Shell (Windows Event Log)
YARA-L MITRE ATT&CK T1570 Suspicious Command PSExec
Kusto New EXE deployed via Default Domain or Default Domain Controller Policies available
Kusto New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
Kusto New executable via Office FileUploaded Operation available
Elastic Potential Lateral Tool Transfer via SMB Share production
Elastic Potential Ransomware Behavior - Note Files by System production
Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService experimental
Elastic PsExec Network Connection production
Sigma PSEXEC Remote Execution File Artefact test
Splunk Remote Admin Tools (EDR)
Splunk Remote Admin Tools (PowerShell)
Splunk Remote Admin Tools (Sysmon)
Splunk Remote Admin Tools (Windows Event Log)
Elastic Remote Execution via File Shares production
Elastic Remote File Copy to a Hidden Share production
Elastic Remote File Creation in World Writeable Directory production
Kusto Remote File Creation with PsExec available
Sigma Rundll32 Execution Without Parameters test
Elastic Scheduled Task Execution at Scale via GPO production
Sigma SMB over QUIC Via Net.EXE test
Sigma SMB over QUIC Via PowerShell Script test
Elastic Spike in Remote File Transfers production
Elastic Suspicious Execution from a WebDav Share production
Elastic Unusual Remote File Creation production
Elastic Unusual Remote File Directory production
Elastic Unusual Remote File Extension production
Elastic Unusual Remote File Size production
Kusto vArmour AppController - SMB Realm Traversal available
Elastic Web Server Spawned via Python production

No specific technique 12 rules

Sigma HackTool - Evil-WinRm Execution - PowerShell Module test
Sigma HackTool - Wmiexec Default Powershell Command test
Elastic Lateral Movement Alerts from a Newly Observed Source Address production
Elastic Lateral Movement Alerts from a Newly Observed User production
Sigma Mstsc.EXE Execution From Uncommon Parent test
Kusto Potential Lateral Movement via MSI ODBC Driver Install over DCOM
Kusto Radiflow - Platform Alert available
Sigma Remote Encrypting File System Abuse test
Sigma Remote Printing Abuse for Lateral Movement test
Sigma Remote Server Service Abuse test
Kusto SAP LogServ - HANA DB - Audit Trail Policy Changes available
Kusto SAP LogServ - HANA DB - Deactivation of Audit Trail available

Collection

Data from Local System T1005 70 rules

Elastic Accessing Outlook Data Files production building block
Kusto AD FS Remote Auth Sync Connection available
Kusto AD FS Remote HTTP Network Connection available
Kusto ADFS Database Named Pipe Connection available
Sigma ADFS Database Named Pipe Connection By Uncommon Tool test
Kusto ADFS DKM Master Key Export
Elastic Attempted Private Key Access production building block
Panther AWS CDE EC2 Volume Encryption
Elastic AWS Credentials Searched For Inside A Container production
Elastic AWS EC2 Export Task production
Sigma AWS EC2 VM Export Failure test
Panther AWS EC2 Volume Encryption
Splunk Cisco ASA - Device File Copy Activity production
Splunk Cisco ASA - Device File Copy to Remote Location production
Sigma Cisco Collect Data test
Splunk Cisco TFTP Server Configuration for Data Exfiltration production
Sigma Crash Dump Created By Operating System experimental
Elastic Credential Access via TruffleHog Execution production
Kusto Deimos Component Execution available
Elastic Encrypting Files with WinRar or 7z production
Sigma Esentutl Steals Browser Information test
Splunk Esentutl.exe Collecting Browser Data (Sysmon)
Splunk ESXi Sensitive Files Accessed production
Splunk ESXi VM Exported via Remote Tool production
Elastic Exchange Mailbox Export via PowerShell production
Elastic Exporting Exchange Mailbox via PowerShell production
Elastic GenAI Process Accessing Sensitive Files production
Elastic Kernel Seeking Activity production
Elastic Kubernetes Service Account Secret Access production
Elastic Linux init (PID 1) Secret Dump via GDB production
Elastic M365 Purview DLP Signal production building block
Elastic Manual Memory Dumping via Proc Filesystem production
Kusto Microsoft Entra ID Health Monitoring Agent Registry Keys Access
Kusto Microsoft Entra ID Health Service Agents Registry Keys Access
Sigma OpenCanary - SMB File Open Request test
Kusto OracleDBAudit - Query on Sensitive Table available
Sigma Potential Conti Ransomware Database Dumping Activity Via SQLCmd test
Elastic Potential Data Exfiltration Through Wget production
Elastic Potential Linux Credential Dumping via Unshadow production
Elastic Potential Memory Seeking Activity production building block
Elastic Potential Privacy Control Bypass via Localhost Secure Copy production
Elastic Potential Suspicious DebugFS Root Device Access production
Kusto SailPointIdentityNowAlertForTriggers available
YARA-L sap sensitive tables direct access by rfc logon data table
YARA-L sap sensitive tables direct access by rfc logon static list
Sigma Script Interpreter Spawning Credential Scanner - Linux experimental
Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
Elastic Sensitive File Access followed by Compression production
Elastic Sensitive File Compression Detected via Defend for Containers production
Elastic Sensitive Files Compression production
Elastic Sensitive Files Compression Inside A Container production
Elastic Sensitive Keys Or Passwords Search Detected via Defend for Containers production
Elastic Service Account Namespace Read Detected via Defend for Containers production
Elastic Service Account Token or Certificate Read Detected via Defend for Containers production
Sigma Shai-Hulud NPM Package Malicious Exfiltration via Curl experimental
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Sigma SQLite Chromium Profile Data DB Access test
Sigma SQLite Firefox Profile Data DB Access test
Splunk Sqlite Module In Temp Folder production
Elastic Suspicious TCC Access Granted for User Folders production
Elastic Suspicious Web Browser Sensitive File Access production
Elastic SystemKey Access via Command Line production
Elastic TCC Bypass via Mounted APFS Snapshot Access production
Elastic Unusual Web Config File Access production
Sigma Veeam Backup Database Suspicious Query test
Sigma VeeamBackup Database Credentials Dump Via Sqlcmd.EXE test
Elastic Web Server Local File Inclusion Activity production
Splunk Windows Copy Files (PowerShell)
Splunk Windows Copy Files (Sysmon)
Splunk Windows Copy Files (Windows Event Log)

Data from Removable Media T1025 5 rules

Splunk Removable Media Detected (Windows Event Log)
Kusto Removable storage ONLINE event from secRMM
Splunk Windows Process Executed From Removable Media production
Splunk Windows USBSTOR Registry Key Modification production
Splunk Windows WPDBusEnum Registry Key Modification production

Data from Network Shared Drive T1039 14 rules

Sigma Copy From Or To Admin Share Or Sysvol Folder test
Kusto Excessive share permissions available
Sigma macOS Network Share Access experimental
Panther Microsoft365 External Document Sharing
Elastic Potential Network Share Discovery production building block
Elastic PowerShell Share Enumeration Script production
Elastic PowerShell Suspicious Discovery Related Windows API Functions production
Sigma Suspicious Access to Sensitive File Extensions test
Elastic Unusual Remote File Size production
Splunk Windows Copy Files (PowerShell)
Splunk Windows Copy Files (Sysmon)
Splunk Windows Copy Files (Windows Event Log)
Elastic Windows Network Enumeration production building block
Splunk Windows Network Share Interaction Via Net production

Input Capture T1056 20 rules

Kusto Azure secure score MFA registration V2 available
Sigma CredUI.DLL Loaded By Uncommon Process test
Sigma DNS Query Request To OneLaunch Update Service test
Sigma GUI Input Capture - macOS test
Sigma Linux Keylogging with Pam.d test
Panther MacOS Keyboard Events
Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Sigma Potential Keylogger Activity test
Elastic Potential SSH Password Grabbing via strace production
Elastic Potential Sudo Hijacking production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Keylogging test
Elastic PowerShell Keylogging Script production
Elastic Prompt for Credentials with Osascript production
Sigma PUA - Mouse Lock Execution test
Sigma Suspicious Network Communication With IPFS test
Elastic Suspicious pbpaste High Volume Activity production
Splunk Windows Input Capture Using Credential UI Dll production

Input Capture: Keylogging T1056.001 5 rules

Sigma Linux Keylogging with Pam.d test
Sigma Potential Keylogger Activity test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Keylogging test
Elastic PowerShell Keylogging Script production

Input Capture: GUI Input Capture T1056.002 5 rules

Sigma CredUI.DLL Loaded By Uncommon Process test
Sigma GUI Input Capture - macOS test
Elastic Prompt for Credentials with Osascript production
Sigma PUA - Mouse Lock Execution test
Splunk Windows Input Capture Using Credential UI Dll production

Input Capture: Credential API Hooking T1056.004 4 rules

Splunk Mavinject Execution (EDR)
Splunk Mavinject Execution (Sysmon)
Splunk Mavinject Execution (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available

Data Staged T1074 32 rules

Elastic AWS EC2 Full Network Packet Capture Detected production
Elastic AWS RDS DB Instance Restored production
Sigma Cisco Stage Data test
Splunk Command Output Redirected to Localhost (Windows Event Log)
Elastic Data Encrypted via OpenSSL Utility production
Splunk Data Staged to File (PowerShell)
Splunk Data Staged to File (Sysmon)
Splunk Data Staged to File (Windows Event Log)
Panther Databricks Mount Point Creation Experimental
Elastic Discovery Command Output Written to Suspicious File production
Elastic Exchange Mailbox Export via PowerShell production
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Elastic File Staged in Root Folder of Recycle Bin production building block
Sigma Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet test
Sigma Google Full Network Traffic Packet Capture test
Elastic Google Workspace Drive Data Transfer or Takeout Export Initiated production
YARA-L Google Workspace Ownership Transferred On Google Drive
Splunk Native Archive Commands (PowerShell)
Splunk Native Archive Commands (Sysmon)
Splunk Native Archive Commands (Windows Event Log)
Kusto Netskope - Anomalous User Behavior (High Volume from Unmanaged Device) available
Kusto Netskope - Data Movement Tracking (Upload/Download Monitoring) available
Kusto Netskope - Excessive Downloads Detection (Spike vs Baseline) available
Splunk Output to File (PowerShell)
Splunk Output to File (Windows Event Log)
Elastic Potential OpenSSH Backdoor Logging Activity production
Elastic Remote File Copy to a Hidden Share production
Elastic Sensitive File Access followed by Compression production
Splunk Shai-Hulud 2 Exfiltration Artifact Files production
Splunk Suspicious SQLite3 LSQuarantine Behavior experimental
Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Module test
Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Script test

Data Staged: Local Data Staging T1074.001 19 rules

Elastic Data Encrypted via OpenSSL Utility production
Splunk Data Staged to File (PowerShell)
Splunk Data Staged to File (Sysmon)
Splunk Data Staged to File (Windows Event Log)
Elastic Discovery Command Output Written to Suspicious File production
Elastic Exchange Mailbox Export via PowerShell production
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Elastic File Staged in Root Folder of Recycle Bin production building block
Sigma Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet test
Splunk Native Archive Commands (PowerShell)
Splunk Native Archive Commands (Sysmon)
Splunk Native Archive Commands (Windows Event Log)
Splunk Output to File (PowerShell)
Splunk Output to File (Windows Event Log)
Elastic Potential OpenSSH Backdoor Logging Activity production
Elastic Sensitive File Access followed by Compression production
Splunk Shai-Hulud 2 Exfiltration Artifact Files production
Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Module test
Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Script test

Data Staged: Remote Data Staging T1074.002 4 rules

Elastic AWS RDS DB Instance Restored production
Elastic Google Workspace Drive Data Transfer or Takeout Export Initiated production
YARA-L Google Workspace Ownership Transferred On Google Drive
Elastic Remote File Copy to a Hidden Share production

Screen Capture T1113 24 rules

Elastic Linux Video Recording or Screenshot Activity Detected production
Splunk NirCmd Execution (Sysmon)
Splunk NirCmd Execution (Windows Event Log)
Sigma Periodic Backup For System Registry Hives Enabled test
Elastic Potential Remote Desktop Shadowing Activity production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Suspicious Script with Screenshot Capabilities production
Sigma RDP shadow session configuration enabled (registry) experimental
Sigma RDP shadow session started (command) experimental
Sigma RDP shadow session started (native) experimental
Splunk Remcos RAT File Creation in Remcos Folder production
Sigma Screen Capture - macOS test
Sigma Screen Capture Activity Via Psr.EXE test
Sigma Screen Capture with Import Tool test
Sigma Screen Capture with Xwd test
Splunk Suspicious Image Creation In Appdata Folder production
Splunk Suspicious WAV file in Appdata Folder production
Sigma System Drawing DLL Load test
Sigma Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted test
Sigma Windows Recall Feature Enabled - Registry test
Sigma Windows Recall Feature Enabled Via Reg.EXE test
Splunk Windows Screen Capture in TEMP folder production
Splunk Windows Screen Capture Via Powershell production
Sigma Windows Screen Capture with CopyFromScreen test

Email Collection T1114 68 rules

Elastic Accessing Outlook Data Files production building block
Panther AppOmni Alert Passthrough
Splunk Email files written outside of the Outlook directory experimental
Splunk Email servers sending high volume traffic to hosts experimental
Elastic Exchange Mailbox Export via PowerShell production
Splunk Exchange New Export Request (PowerShell)
Sigma Exchange PowerShell Snap-Ins Usage test
Kusto Exchange workflow MailItemsAccessed operation anomaly available
Elastic Exporting Exchange Mailbox via PowerShell production
Elastic Google Workspace Custom Gmail Route Created or Modified production
Sigma Google Workspace Out Of Domain Email Forwarding experimental
Panther Gsuite Mail forwarded to external domain
Kusto GWorkspace - An Outbound Relay has been added to a G Suite Domain available
Sigma Hacktool Ruler test
Kusto High risk Office operation conducted by IP Address that recently attempted to log into a disabled account
Splunk Hosts receiving high volume of network traffic from email server experimental
Sigma Inbox Rules Creation Or Update Activity in O365 experimental
Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
Elastic M365 Exchange Inbox Forwarding Rule Created production
Elastic M365 Exchange Mail Flow Transport Rule Created production
Elastic M365 Exchange Mailbox Accessed by Unusual Client production
Elastic M365 Exchange Mailbox Items Accessed Excessively production
Elastic M365 Purview DLP Signal production building block
Sigma Mail Forwarding/Redirecting Activity In O365 test
Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
Kusto Mail redirect via ExO transport rule available
Splunk Mailsniper Invoke functions production
Elastic Microsoft Graph Request Email Access by Unusual User and Client production
Kusto Mimecast Secure Email Gateway - Attachment Protect available
Kusto Mimecast Secure Email Gateway - Attachment Protect
Kusto Mimecast Secure Email Gateway - Impersonation Protect available
Kusto Mimecast Secure Email Gateway - Impersonation Protect
Kusto Mimecast Targeted Threat Protection - Impersonation Protect available
Kusto Multiple users email forwarded to same destination available
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Kusto NRT Multiple users email forwarded to same destination
Splunk O365 Compliance Content Search Exported production
Splunk O365 Compliance Content Search Started production
Splunk O365 Email Access By Security Administrator production
Splunk O365 Email New Inbox Rule Created production
Splunk O365 Email Password and Payroll Compromise Behavior production
Splunk O365 Email Receive and Hard Delete Takeover Behavior production
Splunk O365 Email Send and Hard Delete Exfiltration Behavior production
Splunk O365 Email Send and Hard Delete Suspicious Behavior production
Splunk O365 Email Suspicious Behavior Alert production
Splunk O365 Email Suspicious Search Behavior production
Splunk O365 Email Transport Rule Changed production
Splunk O365 Mailbox Email Forwarding Enabled production
Splunk O365 Mailbox Inbox Folder Shared with All Users production
Splunk O365 Mailbox Read Access Granted to Application production
Splunk O365 Multiple Mailboxes Accessed via API production
Splunk O365 New Email Forwarding Rule Created production
Splunk O365 New Email Forwarding Rule Enabled production
Splunk O365 New Forwarding Mailflow Rule Created production
Splunk O365 OAuth App Mailbox Access via EWS production
Splunk O365 OAuth App Mailbox Access via Graph API production
Splunk O365 PST export alert production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Local Email Collection test
Elastic PowerShell Mailbox Collection Script production
Sigma PST Export Alert Using eDiscovery Alert test
Sigma PST Export Alert Using New-ComplianceSearchAction test
Kusto Rare and potentially high-risk Office operations available
Kusto Server Oriented Cmdlet And User Oriented Cmdlet used available
Sigma Suspicious Inbox Forwarding Identity Protection test
Elastic Suspicious Inter-Process Communication via Outlook production
Kusto Threat Essentials - Mail redirect via ExO transport rule available
Kusto VIP Mailbox manipulation available

Email Collection: Local Email Collection T1114.001 14 rules

Elastic Accessing Outlook Data Files production building block
Splunk Email files written outside of the Outlook directory experimental
Elastic Exchange Mailbox Export via PowerShell production
Splunk Exchange New Export Request (PowerShell)
Elastic Exporting Exchange Mailbox via PowerShell production
Splunk Mailsniper Invoke functions production
Splunk O365 Email Password and Payroll Compromise Behavior production
Splunk O365 Email Receive and Hard Delete Takeover Behavior production
Splunk O365 Email Send and Hard Delete Exfiltration Behavior production
Splunk O365 Email Send and Hard Delete Suspicious Behavior production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Powershell Local Email Collection test
Elastic PowerShell Mailbox Collection Script production
Elastic Suspicious Inter-Process Communication via Outlook production

Email Collection: Remote Email Collection T1114.002 19 rules

Splunk Email servers sending high volume traffic to hosts experimental
Elastic Exchange Mailbox Export via PowerShell production
Splunk Exchange New Export Request (PowerShell)
Elastic Exporting Exchange Mailbox via PowerShell production
Splunk Hosts receiving high volume of network traffic from email server experimental
Elastic M365 Exchange Mailbox Accessed by Unusual Client production
Elastic M365 Exchange Mailbox Items Accessed Excessively production
Elastic Microsoft Graph Request Email Access by Unusual User and Client production
Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Splunk O365 Compliance Content Search Exported production
Splunk O365 Compliance Content Search Started production
Splunk O365 Email Access By Security Administrator production
Splunk O365 Email Suspicious Search Behavior production
Splunk O365 Mailbox Inbox Folder Shared with All Users production
Splunk O365 Mailbox Read Access Granted to Application production
Splunk O365 Multiple Mailboxes Accessed via API production
Splunk O365 OAuth App Mailbox Access via EWS production
Splunk O365 OAuth App Mailbox Access via Graph API production
Elastic PowerShell Mailbox Collection Script production

Email Collection: Email Forwarding Rule T1114.003 16 rules

Elastic Google Workspace Custom Gmail Route Created or Modified production
Sigma Google Workspace Out Of Domain Email Forwarding experimental
Sigma Inbox Rules Creation Or Update Activity in O365 experimental
Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
Elastic M365 Exchange Inbox Forwarding Rule Created production
Elastic M365 Exchange Mail Flow Transport Rule Created production
Sigma Mail Forwarding/Redirecting Activity In O365 test
Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
Panther Microsoft Exchange External Forwarding
Splunk O365 Email New Inbox Rule Created production
Splunk O365 Email Suspicious Behavior Alert production
Splunk O365 Email Transport Rule Changed production
Splunk O365 Mailbox Email Forwarding Enabled production
Splunk O365 New Email Forwarding Rule Created production
Splunk O365 New Email Forwarding Rule Enabled production
Sigma Suspicious Inbox Forwarding Identity Protection test

Clipboard Data T1115 20 rules

Sigma Clipboard Access Via OSAScript test
Sigma Clipboard Collection of Image Data with Xclip Tool test
Sigma Clipboard Collection with Xclip Tool test
Sigma Clipboard Collection with Xclip Tool - Auditd test
Sigma Clipboard Data Collection Via Pbpaste test
Sigma Data Copied To Clipboard Via Clip.EXE test
Splunk Linux Auditd Clipboard Data Copy production
Elastic Linux Clipboard Activity Detected production
Splunk Linux Clipboard Data Copy production
Elastic Pbpaste Execution via Unusual Parent Process production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell Get Clipboard test
Sigma PowerShell Get-Clipboard Cmdlet Via CLI test
Elastic PowerShell Suspicious Script with Clipboard Retrieval Capabilities production
Elastic Suspicious pbpaste High Volume Activity production
Splunk Suspicious PowerShell Clipboard Activity (PowerShell)
Splunk Suspicious PowerShell Clipboard Activity (Sysmon)
Splunk Suspicious PowerShell Clipboard Activity (Windows Event Log)
Splunk Windows ClipBoard Data via Get-ClipBoard production
Splunk Windows Post Exploitation Risk Behavior production

Automated Collection T1119 35 rules

Kusto ADWS Connection from Process Injection Target
Kusto ADWS Connection from Unexpected Binary
Kusto API - API Scraping available
Sigma Automated Collection Command PowerShell test
Sigma Automated Collection Command Prompt test
Elastic AWS EC2 Export Task production
Splunk AWS Exfiltration via Anomalous GetObject API Activity production
Splunk AWS Exfiltration via Batch Service production
Splunk AWS Exfiltration via DataSync Task production
Kusto Azure DevOps Audit Detection for known malicious tooling available
Splunk Executable Create Script Process (PowerShell)
Splunk Executable Create Script Process (Sysmon)
Splunk Executable Create Script Process (Windows Event Log)
Elastic GCP Pub/Sub Subscription Creation production
Kusto Hunt for ADWS requests from unknown devices
Splunk IcedID Discovery Commands (EDR)
Splunk IcedID Discovery Commands (Sysmon)
Splunk IcedID Discovery Commands (Windows Event Log)
Kusto Large number of AD objects accessed by user
Kusto OracleDBAudit - Connection to database from external IP available
Kusto OracleDBAudit - Unusual user activity on multiple tables available
Elastic Potential Database Dumping Activity production
Sigma Recon Information for Export with Command Prompt test
Sigma Recon Information for Export with PowerShell test
Sigma Shai-Hulud Malicious GitHub Workflow Creation experimental
Kusto Snowflake - Query on sensitive or restricted table available
Kusto Snowflake - Unusual query available
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available
Splunk Windows File Collection Via Copy Utilities production
Splunk Windows Process Accessing Windows Recall Directory production

Audio Capture T1123 11 rules

Sigma Audio Capture test
Sigma Audio Capture via PowerShell test
Sigma Audio Capture via SoundRecorder test
Elastic Linux Audio Recording Activity Detected production
Sigma OpenCanary - SIP Request test
Elastic PowerShell Suspicious Script with Audio Capture Capabilities production
Sigma Processes Accessing the Microphone and Webcam test
Sigma Suspicious Camera and Microphone Access test
Splunk Zoom Rare Audio Devices experimental
Splunk Zoom Rare Input Devices experimental
Splunk Zoom Rare Video Devices experimental

Video Capture T1125 8 rules

Elastic Linux Video Recording or Screenshot Activity Detected production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Webcam Video Capture Capabilities production
Sigma RDP shadow session configuration enabled (registry) experimental
Sigma RDP shadow session started (command) experimental
Sigma RDP shadow session started (native) experimental
Sigma Suspicious Camera and Microphone Access test
Panther Zoom Meeting Passcode Disabled

Browser Session Hijacking T1185 17 rules

Splunk ASL AWS Concurrent Sessions From Different Ips production
Splunk AWS Concurrent Sessions From Different Ips production
Splunk Azure AD Concurrent Sessions From Different Ips production
Elastic Browser Process Spawned from an Unusual Parent production
Sigma Browser Started with Remote Debugging test
Splunk Browser Started with Remote Debugging - Windows (PowerShell)
Splunk Browser Started with Remote Debugging - Windows (Sysmon)
Splunk Browser Started with Remote Debugging - Windows (Windows Event Log)
Kusto GWorkspace - Multiple user agents for single source available
Elastic Manual Loading of a Suspicious Chromium Extension production
Splunk O365 Concurrent Sessions From Different Ips production
Sigma Potential Data Stealing Via Chromium Headless Debugging test
Splunk Windows Browser Process Launched with Unusual Flags production
Splunk Windows Chrome Auto-Update Disabled via Registry production
Splunk Windows Chrome Enable Extension Loading via Command-Line production
Splunk Windows Chrome Extension Allowed Registry Modification production
Splunk Windows Chromium Process Loaded Extension via Command-Line production

Data from Information Repositories T1213 54 rules

Elastic Access to a Sensitive LDAP Attribute production
Panther AppOmni Alert Passthrough
Elastic AWS DynamoDB Scan by Unusual User production
Elastic AWS DynamoDB Table Exported to S3 production
Elastic AWS RDS Snapshot Export production
Elastic AWS Secrets Manager Rapid Secrets Retrieval production
Elastic Azure Key Vault Excessive Secret or Key Retrieved production
Sigma Bitbucket Full Data Export Triggered test
Sigma Bitbucket Unauthorized Full Data Export Triggered test
Sigma Bitbucket User Details Export Attempt Detected test
Sigma Bitbucket User Permissions Export Attempt test
Panther Databricks TruffleHog Scan Detected Experimental
Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Panther External GSuite File Share
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of GitHub User Interaction with Private Repo production building block
YARA-L GitHub Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github Delete Action Invoked test
Elastic GitHub Exfiltration via High Number of Repository Clones by User production
YARA-L GitHub High Number Of Non Public GitHub Repositories Cloned
YARA-L GitHub High Number Of Non Public GitHub Repositories Downloaded
Sigma Github Outside Collaborator Detected test
Sigma Github Self Hosted Runner Changes Detected test
Kusto GitLab - Personal Access Tokens creation over time available
Panther GSuite Document External Ownership Transfer
Panther GSuite External Drive Document
Panther GSuite Overly Visible Drive Document
Elastic High Number of Cloned GitHub Repos From PAT production
Kusto Jira - Workflow scheme copied available
Elastic Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
Elastic M365 SharePoint Search for Sensitive Content production
Elastic M365 SharePoint/OneDrive File Access via PowerShell production
Splunk O365 SharePoint Suspicious Search Behavior production
Panther Okta SWA Bulk Access, New Source, and Credential Extraction - Behavioral Experimental
Sigma OpenCanary - GIT Clone Request test
Sigma OpenCanary - MSSQL Login Attempt Via SQLAuth test
Sigma OpenCanary - MSSQL Login Attempt Via Windows Authentication test
Sigma OpenCanary - MySQL Login Attempt test
Sigma OpenCanary - REDIS Action Command Attempt test
Kusto Pathlock TDnR - HR User Master Change Requests available
Kusto Pathlock TDnR - OData Application Log Events available
Kusto Pathlock TDnR - SAP Read Access Logging Audit available
Kusto Pathlock TDnR - SAP Read Access Logging Data available
Kusto Pathlock TDnR - Spool Job Changes available
Elastic Potential Database Dumping Activity production
Elastic Potential Secret Scanning via Gitleaks production
Elastic Potential Veeam Credential Access Command production
Elastic PowerShell Script with Veeam Credential Access Capabilities production
Kusto Response rows stateful anomaly on database available
Panther Snowflake Data Exfiltration
Panther Snowflake Data Exfiltration
Kusto Users searching for VIP user activity
Panther Zendesk Credit Card Redaction Off

Data from Information Repositories: Sharepoint T1213.002 4 rules

Elastic Entra ID Sharepoint or OneDrive Accessed by Unusual Client production
Elastic M365 SharePoint Search for Sensitive Content production
Elastic M365 SharePoint/OneDrive File Access via PowerShell production
Splunk O365 SharePoint Suspicious Search Behavior production

Data from Information Repositories: Code Repositories T1213.003 14 rules

Sigma Bitbucket Full Data Export Triggered test
Sigma Bitbucket Unauthorized Full Data Export Triggered test
Elastic First Occurrence of GitHub Repo Interaction From a New IP production building block
Elastic First Occurrence of GitHub User Interaction with Private Repo production building block
YARA-L GitHub Access Granted To Personal Access Token Followed By High Number Of Cloned Non Public Repositories
Elastic Github Activity on a Private Repository from an Unusual IP production
Sigma Github Delete Action Invoked test
Elastic GitHub Exfiltration via High Number of Repository Clones by User production
YARA-L GitHub High Number Of Non Public GitHub Repositories Cloned
YARA-L GitHub High Number Of Non Public GitHub Repositories Downloaded
Sigma Github Outside Collaborator Detected test
Sigma Github Self Hosted Runner Changes Detected test
Elastic High Number of Cloned GitHub Repos From PAT production
Elastic Potential Secret Scanning via Gitleaks production

Data from Information Repositories: Databases T1213.006 3 rules

Elastic AWS RDS Snapshot Export production
Elastic AWS Secrets Manager Rapid Secrets Retrieval production
Kusto Response rows stateful anomaly on database available

Data from Cloud Storage T1530 80 rules

Panther Anthropic Integration Connected
Panther AppOmni Alert Passthrough
Elastic AWS API Activity from Uncommon S3 Client by Rare User production
Elastic AWS CloudTrail Log Created production
Elastic AWS CloudTrail Log Updated production
Panther AWS CloudTrail S3 Bucket Access Logging
Panther AWS CloudTrail S3 Bucket Public
Elastic AWS DynamoDB Scan by Unusual User production
Panther AWS DynamoDB Table TTL
Elastic AWS EC2 Export Task production
Panther AWS EC2 Volume Snapshot Encryption
Panther AWS RDS Instance Encryption
Panther AWS Redshift Cluster Encryption
Panther AWS S3 Access IP Allowlist
Panther AWS S3 Bucket Encryption
Elastic AWS S3 Bucket Enumeration or Brute Force production
Elastic AWS S3 Bucket Policy Added to Allow Public Access production
Elastic AWS S3 Bucket Policy Added to Share with External Account production
Panther AWS S3 Bucket Policy Allow With Not Principal
Panther AWS S3 Bucket Principal Restrictions
Panther AWS S3 Bucket Public Access Block
Panther AWS S3 Bucket Public Read
Panther AWS S3 Bucket Secure Access
Elastic AWS S3 Credential File Retrieved from Bucket production
Panther AWS S3 Insecure Access
Elastic AWS S3 Rapid Bucket Posture API Calls from a Single Principal production
Panther AWS S3 Unauthenticated Access
Elastic AWS S3 Unauthenticated Bucket Access by Rare Source production
Panther AWS S3 Unknown Requester
Kusto AWS Security Hub - Detect SQS Queue policy allowing public access available
Elastic AWS SNS Rare Protocol Subscription by User production
Kusto AWSCloudTrail - S3 Object Exfiltration from Anonymous User available
Panther Azure Key Vault Certificate Accessed
Panther Azure Key Vault Secret Accessed or Recovered
Elastic Azure Storage Account Blob Public Access Enabled production
Panther Azure Storage Account Keys Listed Experimental
Panther Azure Storage Blob Anonymous Access Enabled
Panther Azure Storage Blob Bulk Extraction
Elastic Azure Storage Blob Retrieval via AzCopy production
Panther Azure Storage File Share Created or Modified
Panther Azure VM Disk SAS URI Generated
Kusto Box - Abmormal user activity available
Splunk Cisco ASA - Device File Copy Activity production
Panther Databricks Repeated Unauthorized UC Data Requests Experimental
Splunk Detect GCP Storage access from a new IP experimental
Splunk Detect New Open GCP Storage Buckets experimental
Splunk Detect New Open S3 buckets production
Splunk Detect New Open S3 Buckets over AWS CLI production
Splunk Detect S3 access from a new IP experimental
Splunk Detect Spike in S3 Bucket deletion experimental
Kusto GCP Audit Logs - Storage Bucket Made Public available
Panther GCP GCS Bulk Object Rewrite Operation
Panther GCP GCS IAM Permission Changes
Elastic GCP Pub/Sub Subscription Creation production
Elastic GCP Pub/Sub Topic Creation production
Panther GCS Bucket Made Public
Elastic Google Workspace Drive Encryption Key(s) Accessed from Anonymous User production
Panther Kubernetes Admission Controller Webhook Created
Panther Kubernetes All Secrets Dumped Across Namespaces Experimental
Panther Kubernetes Data Copy via kubectl cp
Elastic Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
Elastic M365 OneDrive/SharePoint Excessive File Downloads production
Elastic M365 Purview DLP Signal production building block
Elastic M365 SharePoint Search for Sensitive Content production
Elastic M365 SharePoint/OneDrive File Access via PowerShell production
Kusto Netskope - Excessive Downloads Detection (Spike vs Baseline) available
Kusto Netskope - Heavy Personal Cloud Storage Usage (Shadow IT) available
Splunk O365 Exfiltration via File Access production
Splunk O365 Exfiltration via File Download production
Splunk O365 Exfiltration via File Sync Download production
Kusto Pathlock TDnR - Credit Card Data Changes available
Panther Salesforce API Anomaly Detection (RET Passthrough)
Panther Salesforce Bulk API Data Exfiltration
Panther Slack Enterprise Key Management Unenrolled
Panther Snowflake Data Exfiltration
Panther Snowflake Data Exfiltration
Kusto Suspicious access of BEC related documents
Kusto Suspicious access of BEC related documents in AWS S3 buckets
Panther Upwind Posture Detection Passthrough Experimental
Kusto Users searching for VIP user activity

Adversary-in-the-Middle T1557 61 rules

Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
Elastic AWS Route 53 Private Hosted Zone Associated With a VPC production
Sigma Azure Sign-In With Axios User Agent experimental
Splunk Cisco ASA - Packet Capture Activity production
Sigma Cisco BGP Authentication Failures test
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Sigma Cisco LDP Authentication Failures test
Elastic Creation of a DNS-Named Record production
Elastic Creation or Modification of Root Certificate production
Kusto Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
Splunk Detect ARP Poisoning experimental
Splunk Detect IPv6 Network Infrastructure Threats experimental
Splunk Detect Port Security Violation experimental
Splunk Detect Rogue DHCP Server experimental
Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
Elastic DNS Global Query Block List Modified or Disabled production
Splunk DNS Kerberos Coercion production
Sigma Exchange server impersonation via PrivExchange relay attack experimental
Kusto GCP Security Command Center - Detect DNSSEC disabled for DNS zones available
Elastic Google Workspace Device Registration Burst for Single User production
Elastic Google Workspace Login Flagged Suspicious production building block
Elastic Google Workspace User Login with Unusual ASN production
Sigma HackTool - ADCSPwn Execution test
Sigma HackTool - Impacket Tools Execution test
Sigma Huawei BGP Authentication Failures test
Sigma ISATAP Router Address Was Set experimental
Sigma Juniper BGP Missing MD5 test
Sigma Local Privilege Escalation Indicator TabTip test
Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
Kusto NTLM Relay Attack
Kusto Possible AiTM Phishing Attempt Against Microsoft Entra ID available
Elastic Potential ADIDNS Poisoning via Wildcard Record Creation production
Elastic Potential Computer Account NTLM Relay Activity production
Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental
Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
Elastic Potential Kerberos Relay Attack against a Computer Account production
Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
Elastic Potential Local NTLM Relay via HTTP production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential NTLM Relay Attack against a Computer Account production
Sigma Potential PetitPotam Attack Via EFS RPC Calls test
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Sigma Potential SMB Relay Attack Tool Execution test
Sigma Potential Suspicious Activity Using SeCEdit test
Elastic Potential WPAD Spoofing via DNS Record Creation production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma RottenPotato Like Attack Pattern test
Elastic Service Creation via Local Kerberos Authentication production
Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network experimental
Splunk Suspicious Spool Authentication (Windows Event Log)
Kusto Unauthorized user access across AWS and Azure
Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
Elastic WebProxy Settings Modification production
Sigma WinDivert Driver Load test
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Short Lived DNS Record production
Splunk Windows Theme File Creation in Unusual Location production

Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 28 rules

Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
Elastic Creation of a DNS-Named Record production
Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
Splunk DNS Kerberos Coercion production
Sigma Exchange server impersonation via PrivExchange relay attack experimental
Sigma HackTool - ADCSPwn Execution test
Sigma HackTool - Impacket Tools Execution test
Sigma Local Privilege Escalation Indicator TabTip test
Kusto NTLM Relay Attack
Elastic Potential Computer Account NTLM Relay Activity production
Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
Elastic Potential Kerberos Relay Attack against a Computer Account production
Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
Elastic Potential Machine Account Relay Attack via SMB production
Elastic Potential NTLM Relay Attack against a Computer Account production
Sigma Potential PetitPotam Attack Via EFS RPC Calls test
Elastic Potential PowerShell Pass-the-Hash/Relay Script production
Sigma Potential SMB Relay Attack Tool Execution test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma RottenPotato Like Attack Pattern test
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network experimental
Splunk Suspicious Spool Authentication (Windows Event Log)
Sigma WinDivert Driver Load test
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Short Lived DNS Record production
Splunk Windows Theme File Creation in Unusual Location production

Adversary-in-the-Middle: ARP Cache Poisoning T1557.002 3 rules

Splunk Detect ARP Poisoning experimental
Splunk Detect IPv6 Network Infrastructure Threats experimental
Splunk Detect Port Security Violation experimental

Adversary-in-the-Middle: DHCP Spoofing T1557.003 1 rule

Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental

Archive Collected Data T1560 44 rules

Splunk 7zip CommandLine To SMB Share Path production
Sigma 7Zip Compressing Dump Files test
Splunk Anomalous usage of 7zip production
Sigma APT31 Judgement Panda Activity test
Sigma Cisco Stage Data test
Sigma Compress Data and Lock With Password for Exfiltration With 7-ZIP test
Sigma Compress Data and Lock With Password for Exfiltration With WINZIP test
Sigma Compress-Archive Cmdlet Execution test
Sigma Compressed File Creation Via Tar.EXE test
Sigma Compressed File Extraction Via Tar.EXE test
Elastic Compression DLL Loaded by Unusual Process production building block
Sigma Conti NTDS Exfiltration Command test
Sigma Data Compressed test
Splunk Detect Certipy File Modifications production
Splunk Detect Renamed 7-Zip production
Splunk Detect Renamed WinRAR production
Sigma Disk Image Mounting Via Hdiutil - MacOS test
Elastic Encrypting Files with WinRar or 7z production
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Sigma Files Added To An Archive Using Rar.EXE test
Elastic GenAI Process Performing Encoding/Chunking Prior to Network Activity production
Splunk IcedID Exfiltrated Archived File Creation production
Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Sigma macOS Data Compression Tools experimental
Splunk Native Archive Commands (PowerShell)
Splunk Native Archive Commands (Sysmon)
Splunk Native Archive Commands (Windows Event Log)
Sigma Password Protected Compressed File Extraction Via 7Zip test
Sigma Potentially Suspicious Compression Tool Parameters test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic PowerShell Script with Archive Compression Capabilities production building block
Sigma Rar Usage with Password and Compression Level test
Elastic Sensitive File Access followed by Compression production
Elastic Sensitive File Compression Detected via Defend for Containers production
Elastic Sensitive Files Compression production
Elastic Sensitive Files Compression Inside A Container production
Sigma Suspicious Manipulation Of Default Accounts Via Net.EXE test
Splunk Utility Archive Data (PowerShell)
Splunk Utility Archive Data (Windows Event Log)
Splunk Windows Archive Collected Data via Powershell production
Splunk Windows Archive Collected Data via Rar production
Splunk Windows Archived Collected Data In TEMP Folder production
Sigma Winrar Compressing Dump Files test
Sigma WinRAR Execution in Non-Standard Folder test

Archive Collected Data: Archive via Utility T1560.001 35 rules

Splunk 7zip CommandLine To SMB Share Path production
Sigma 7Zip Compressing Dump Files test
Splunk Anomalous usage of 7zip production
Sigma APT31 Judgement Panda Activity test
Sigma Cisco Stage Data test
Sigma Compress Data and Lock With Password for Exfiltration With 7-ZIP test
Sigma Compress Data and Lock With Password for Exfiltration With WINZIP test
Sigma Compressed File Creation Via Tar.EXE test
Sigma Compressed File Extraction Via Tar.EXE test
Panther CrowdStrike Large Zip Creation
Panther CrowdStrike Large Zip Creation (crowdstrike_fdrevent table)
Sigma Data Compressed test
Splunk Detect Renamed 7-Zip production
Splunk Detect Renamed WinRAR production
Sigma Disk Image Mounting Via Hdiutil - MacOS test
Elastic Encrypting Files with WinRar or 7z production
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Sigma Files Added To An Archive Using Rar.EXE test
Elastic GenAI Process Performing Encoding/Chunking Prior to Network Activity production
Splunk IcedID Exfiltrated Archived File Creation production
Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
Sigma macOS Data Compression Tools experimental
Sigma Password Protected Compressed File Extraction Via 7Zip test
Sigma Potentially Suspicious Compression Tool Parameters test
Elastic PowerShell Script with Archive Compression Capabilities production building block
Sigma Rar Usage with Password and Compression Level test
Elastic Sensitive File Compression Detected via Defend for Containers production
Elastic Sensitive Files Compression production
Elastic Sensitive Files Compression Inside A Container production
Sigma Suspicious Manipulation Of Default Accounts Via Net.EXE test
Splunk Utility Archive Data (PowerShell)
Splunk Utility Archive Data (Windows Event Log)
Splunk Windows Archive Collected Data via Rar production
Sigma Winrar Compressing Dump Files test
Sigma WinRAR Execution in Non-Standard Folder test

Archive Collected Data: Archive via Library T1560.002 3 rules

Elastic Compression DLL Loaded by Unusual Process production building block
Elastic GenAI Process Performing Encoding/Chunking Prior to Network Activity production
Elastic PowerShell Script with Archive Compression Capabilities production building block

No specific technique 5 rules

Elastic M365 Purview Insider Risk Signal production building block
Elastic M365 Purview Security Compliance Signal production building block
Sigma macOS UL Unusual TCC Access Request experimental
Sigma Renamed Remote Utilities RAT (RURAT) Execution test
Sigma Suspicious Access to Sensitive File Extensions - Zeek test

Command & Control

Data Obfuscation T1001 8 rules

Sigma ADSI-Cache File Creation By Uncommon Tool test
Kusto Cisco Cloud Security - Empty User Agent Detected available
Kusto Detect presence of private IP addresses in URLs (ASIM Web Session) available
Kusto Excessive Blocked Traffic Events Generated by User available
Splunk Obfuscated Powershell Techniques (PowerShell)
Sigma Suspicious LDAP-Attributes Used test
Splunk Windows PowGoop Beacon Decoding production
Splunk Windows Suspicious QEMU Execution production

Data Obfuscation: Protocol or Service Impersonation T1001.003 3 rules

Sigma ADSI-Cache File Creation By Uncommon Tool test
Kusto Cisco Cloud Security - Empty User Agent Detected available
Sigma Suspicious LDAP-Attributes Used test

Fallback Channels T1008 16 rules

Kusto Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) available
Kusto Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available
Kusto Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) available
Kusto Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) available
Kusto Excessive NXDOMAIN DNS Queries available
Kusto Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
Sigma New Outlook Macro Created test
Sigma Outlook Macro Execution Without Warning Setting Enabled test
Kusto Potential DGA detected available
Kusto Potential DGA detected (ASIM DNS Schema)
Kusto Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) available
Kusto Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) available
Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
Kusto Squid proxy events for ToR proxies
Sigma Suspicious Outlook Macro Created test
Splunk Windows Outlook Macro Security Modified production

Application Layer Protocol T1071 387 rules

Elastic Accepted Default Telnet Port Connection production
Kusto Anomaly found in Network Session Traffic (ASIM Network Session schema) available
Kusto ApexOne - C&C callback events available
Elastic Apple Script Execution followed by Network Connection production
Sigma APT User Agent test
Sigma APT40 Dropbox Tool User Agent test
YARA-L AWS GuardDuty Black Hole Traffic Detected
YARA-L AWS GuardDuty Command And Control Activity Detected
Sigma Axios NPM Compromise Malicious C2 Domain DNS Query experimental
Panther Azure Storage Account HTTPS-Only Traffic Disabled
Kusto Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains available
Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
Sigma Bitsadmin to Uncommon IP Server Address test
Sigma Bitsadmin to Uncommon TLD test
Sigma Chafer Malware URL Pattern test
Sigma Change User Agents with WebRequest test
Kusto Cisco Cloud Security - Connection to Unpopular Website Detected available
Kusto Cisco Cloud Security - Crypto Miner User-Agent Detected available
Kusto Cisco Cloud Security - Rare User Agent Detected available
Kusto Cisco Cloud Security - Request Allowed to harmful/malicious URI category available
Kusto Cisco Cloud Security - URI contains IP address available
Kusto Cisco SDWAN - Monitor Critical IPs available
Kusto Cisco SE - Connection to known C2 server available
Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Splunk Cisco Secure Firewall - High EVE Threat Confidence production
Splunk Cisco Secure Firewall - High Priority Intrusion Classification production
Splunk Cisco Secure Firewall - High Volume of Intrusion Events Per Host production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Kusto Cloudflare - Unexpected POST requests available
Kusto Cloudflare - Unexpected POST requests available
Sigma Cloudflared Tunnels Related DNS Requests test
Kusto CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available
Elastic Cobalt Strike Command and Control Beacon production
Sigma Cobalt Strike DNS Beaconing test
Splunk Command and Control Detection (Windows Event Log)
Sigma ComRAT Network Communication test
Kusto Conditional Access - A Conditional Access app exclusion has changed
Elastic Connection to Commonly Abused Web Services production
Elastic Connection to External Network via Telnet production
Sigma Crypto Miner User Agent test
Elastic Curl or Wget Spawned via Node.js production
Sigma Curl.EXE Execution With Custom UserAgent test
Elastic Default Cobalt Strike Team Server Certificate production
Elastic Deprecated - SUNBURST Command and Control Activity production
Elastic Deprecated - Uncommon Destination Port Connection by Web Server production
Elastic Deprecated - Unusual Command Execution from Web Server Parent production
Elastic Deprecated - Unusual Process Spawned from Web Server Parent production
Kusto Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) available
Kusto Detect known risky user agents (ASIM Web Session) available
Splunk Detect Outbound SMB Traffic production
Kusto Detect potential file enumeration activity (ASIM Web Session) available
Kusto Detect potential presence of a malicious file with a double extension (ASIM Web Session) available
Kusto Detect presence of private IP addresses in URLs (ASIM Web Session) available
Kusto Detect requests for an uncommon resources on the web (ASIM Web Session) available
Kusto Detect URLs containing known malicious keywords or commands (ASIM Web Session) available
Kusto Discord CDN Risky File Download available
Kusto Discord CDN Risky File Download (ASIM Web Session Schema)
Sigma DNS Exfiltration and Tunneling Tools Execution test
Splunk DNS Kerberos Coercion production
Sigma DNS Query by Finger Utility experimental
Sigma DNS Query Request By QuickAssist.EXE experimental
Sigma DNS Query To Common Malware Hosting and Shortener Services experimental
Sigma DNS Query To Devtunnels Domain test
Sigma DNS Query To Katz Stealer Domains experimental
Sigma DNS Query To Katz Stealer Domains - Network experimental
Sigma DNS Query To Visual Studio Code Tunnels Domain test
Elastic DNS to Commonly Abused Web Services production building block
Elastic DNS Tunneling production
Sigma DNS TXT Answer with Possible Execution Strings test
Sigma DoT (DNS over TLS) activation (command) stable
Sigma DoT (DNS over TLS) activation (PowerShell) experimental
Elastic Egress Connection from Entrypoint in Container production
Elastic Entra ID Protection - Risk Detection - Sign-in Risk production
Elastic Entra ID Protection - Risk Detection - User Risk production
Kusto Europium - Hash and IP IOCs - September 2022
Splunk Excessive DNS Failures experimental
Elastic Execution via OpenClaw Agent production
Sigma Exploit Framework User Agent test
Elastic File Creation and Execution Detected via Defend for Containers production
Elastic File Download Detected via Defend for Containers production
Kusto Fortinet - Beacon pattern detected
Sigma GALLIUM Artefacts - Builtin test
Sigma GALLIUM IOCs test
Kusto GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available
Kusto GCP Security Command Center - Detect DNSSEC disabled for DNS zones available
Elastic GenAI Process Connection to Suspicious Top Level Domain production
Elastic GenAI Process Connection to Unusual Domain production
Elastic Git Hook Egress Network Connection production
Elastic Git Repository or File Download to Suspicious Directory production
Sigma Github Self-Hosted Runner Execution test
Kusto Google Threat Intelligence - Threat Hunting Domain
Kusto Google Threat Intelligence - Threat Hunting IP
Kusto GreyNoise TI Map IP Entity to CommonSecurityLog
Kusto GreyNoise TI Map IP Entity to DnsEvents
Kusto GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) available
Kusto GreyNoise TI map IP entity to OfficeActivity
Kusto GreyNoise TI Map IP Entity to SigninLogs
Kusto GSA - TI Domain Entity available
Kusto GSA - TI IP Entity available
Kusto GSA - TI URL Entity available
Sigma HackTool - BabyShark Agent Default URL Pattern test
Sigma HackTool - CobaltStrike Malleable Profile Patterns - Proxy test
Sigma HackTool - Empire UserAgent URI Combo test
Sigma HackTool - SILENTTRINITY Stager DLL Load test
Sigma HackTool - SILENTTRINITY Stager Execution test
Elastic Halfbaked Command and Control Beacon production
Elastic High Number of Egress Network Connections from Unusual Executable production
Splunk HTTP C2 Framework User Agent production
Splunk HTTP Duplicated Header production
Splunk HTTP Malware User Agent production
Splunk HTTP Possible Request Smuggling production
Splunk HTTP PUA User Agent production
Splunk HTTP Rapid POST with Mixed Status Codes production
Splunk HTTP Request to Reserved Name on IIS Server production
Sigma HTTP Request With Empty User Agent test
Splunk HTTP RMM User Agent production
Splunk HTTP Scripting Tool User Agent production
Kusto IP address of Windows host encoded in web request
Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
Sigma Katz Stealer Suspicious User-Agent experimental
Kusto Known Forest Blizzard group domains - July 2019
Kusto Linked Malicious Storage Artifacts available
Elastic Linux Telegram API Request production
Kusto Log4j vulnerability exploit aka Log4Shell IP IOC available
Sigma Low Reputation Effective Top-Level Domain (eTLD) experimental
Kusto Lumen TI domain in DnsEvents
Kusto Lumen TI IPAddress in CommonSecurityLog
Kusto Lumen TI IPAddress in DeviceEvents
Kusto Lumen TI IPAddress in IdentityLogonEvents
Kusto Lumen TI IPAddress in OfficeActivity
Kusto Lumen TI IPAddress in SecurityEvents
Kusto Lumen TI IPAddress in SigninLogs
Kusto Lumen TI IPAddress in WindowsEvents
Elastic Machine Learning Detected a DNS Request Predicted to be a DGA Domain production
Elastic Machine Learning Detected a DNS Request With a High DGA Probability Score production
Elastic Machine Learning Detected DGA activity using a known SUNBURST DNS domain production
Sigma macOS DNS Query Tools for C2 experimental
Sigma macOS HTTP Tools with Protocol Indicators experimental
Sigma macOS Network Utility Tools for C2 experimental
Kusto Malformed user agent
Sigma Malware User Agent test
Kusto McAfee ePO - Firewall disabled available
Kusto Mercury - Domain, Hash and IP IOCs - August 2022
Elastic MsBuild Making Network Connections production
Kusto Multiple Sources Affected by the Same TI Destination available
Kusto Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) available
Elastic Network Activity to a Suspicious Top Level Domain production
Elastic Network Connection from Binary with RWX Memory Region production
Sigma Network Connection Initiated via Finger.EXE experimental
Elastic Network Connection via Compiled HTML File production
Elastic Network Connection via Recently Compiled Executable production
Elastic Network Traffic to Rare Destination Country production
Kusto New UserAgent observed in last 24 hours available
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Panther OpenAI Anomalous API Key Activity
Elastic Openssl Client or Server Activity production
Sigma Outbound Network Connection Initiated By Microsoft Dialer test
Kusto Outgoing connection attempts stateful anomaly on database available
Elastic Outlook Home Page Registry Modification production
Kusto Palo Alto - potential beaconing detected available
Kusto Palo Alto - potential beaconing detected available
Kusto Palo Alto Threat signatures from Unusual IP addresses available
Elastic PANW and Elastic Defend - Command and Control Correlation production
Kusto Pathlock TDnR - SAP HTTP Webserver Events available
Kusto Pathlock TDnR - SAP RFC Gateway Events available
Kusto Pathlock TDnR - SAP Web Dispatcher HTTP Events available
Elastic Payload Execution via Shell Pipe Detected by Defend for Containers production
Elastic Perl Outbound Network Connection production
Elastic Possible FIN7 DGA Command and Control Behavior production
Sigma Potential Base64 Encoded User-Agent test
Kusto Potential beaconing activity (ASIM Network Session schema) available
Elastic Potential Command and Control via Internet Explorer production
Elastic Potential DGA Activity production
Elastic Potential DNS Tunneling via NsLookup production
Elastic Potential File Transfer via Certreq production
Elastic Potential File Transfer via Curl for Windows production
Elastic Potential Linux Tunneling and/or Port Forwarding production
Elastic Potential Malware-Driven SSH Brute Force Attempt production
Elastic Potential Meterpreter Reverse Shell production
Elastic Potential Reverse Shell production
Elastic Potential Reverse Shell via Background Process production
Elastic Potential Reverse Shell via Child production
Elastic Potential Reverse Shell via Java production
Elastic Potential Reverse Shell via Suspicious Binary production
Elastic Potential Reverse Shell via Suspicious Child Process production
Elastic Potential Reverse Shell via UDP production
Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Kusto Preview - TI map Domain entity to Cloud App Events
Kusto Preview - TI map IP entity to Cloud App Events
Kusto Preview - TI map URL entity to Cloud App Events
Sigma PwnDrp Access test
Sigma Raw Paste Service Access test
Sigma Renamed Visual Studio Code Tunnel Execution test
Kusto Request for single resource on domain available
Kusto Risky user signin observed in non-Microsoft network device
Elastic Root Network Connection via GDB CAP_SYS_PTRACE production
Kusto RunningRAT request parameters
Kusto Several deny actions registered available
Sigma Silence.EDA Detection test
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Panther Slack Anomaly Detected
Kusto SlackAudit - Unknown User Agent available
Elastic SMTP on Port 26/TCP production
Elastic Spike in Firewall Denies production
Elastic Spike in host-based traffic production
Elastic Spike in Network Traffic To a Country production
Elastic Statistical Model Detected C2 Beaconing Activity production
Elastic Statistical Model Detected C2 Beaconing Activity with High Confidence production
Kusto SUPERNOVA webshell
Elastic Suricata and Elastic Defend Network Correlation production
Sigma Suspicious Base64 Encoded User-Agent test
Sigma Suspicious Cobalt Strike DNS Beaconing - DNS Client test
Sigma Suspicious Cobalt Strike DNS Beaconing - Sysmon test
Elastic Suspicious Command Prompt Network Connection production
Sigma Suspicious Curl Change User Agents - Linux test
Elastic Suspicious Curl from macOS Application production
Elastic Suspicious Curl to Google App Script Endpoint production
Sigma Suspicious DNS Query with B64 Encoded String test
Elastic Suspicious Execution from a WebDav Share production
Sigma Suspicious Installer Package Child Process test
Elastic Suspicious Installer Package Spawns Network Event production
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Elastic Suspicious Named Pipe Creation production
Elastic Suspicious Network Activity to the Internet by Previously Unknown Executable production
Elastic Suspicious Process Execution Detected via Defend for Containers production
Sigma Suspicious User Agent test
Elastic System Path File Creation and Execution Detected via Defend for Containers production
Elastic System Public IP Discovery via DNS Query production
Sigma Telegram API Access test
Kusto The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) available
Kusto Threat Connect TI map Domain entity to DnsEvents
Kusto ThreatConnect TI map Email entity to OfficeActivity
Kusto ThreatConnect TI map Email entity to SigninLogs
Kusto ThreatConnect TI map IP entity to Network Session Events (ASIM Network Session schema)
Kusto ThreatConnect TI Map URL Entity to OfficeActivity Data
Kusto TI map Domain entity to Cloud App Events
Kusto TI Map Domain Entity to DeviceNetworkEvents
Kusto TI Map Domain Entity to DeviceNetworkEvents
Kusto TI map Domain entity to Dns Events (ASIM DNS Schema)
Kusto TI map Domain entity to Dns Events (ASIM DNS Schema)
Kusto TI map Domain entity to DnsEvents
Kusto TI map Domain entity to DnsEvents
Kusto TI map Domain entity to PaloAlto
Kusto TI map Domain entity to PaloAlto
Kusto TI map Domain entity to PaloAlto CommonSecurityLog
Kusto TI map Domain entity to PaloAlto CommonSecurityLog
Kusto TI map Domain entity to SecurityAlert
Kusto TI map Domain entity to SecurityAlert
Kusto TI map Domain entity to Syslog
Kusto TI map Domain entity to Syslog
Kusto TI map Domain entity to Web Session Events (ASIM Web Session schema)
Kusto TI map Domain entity to Web Session Events (ASIM Web Session schema)
Kusto TI map File Hash to CommonSecurityLog Event
Kusto TI map File Hash to CommonSecurityLog Event
Kusto TI map File Hash to DeviceFileEvents Event
Kusto TI map File Hash to DeviceFileEvents Event
Kusto TI map File Hash to Security Event
Kusto TI map File Hash to Security Event
Kusto TI map IP entity to AppServiceHTTPLogs
Kusto TI map IP entity to AppServiceHTTPLogs
Kusto TI map IP entity to AWSCloudTrail
Kusto TI map IP entity to AWSCloudTrail
Kusto TI map IP entity to Azure Key Vault logs
Kusto TI map IP entity to Azure Key Vault logs
Kusto TI Map IP Entity to Azure SQL Security Audit Events
Kusto TI Map IP Entity to Azure SQL Security Audit Events
Kusto TI Map IP Entity to AzureActivity
Kusto TI Map IP Entity to AzureActivity
Kusto TI map IP entity to AzureFirewall
Kusto TI map IP entity to AzureFirewall
Kusto TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)
Kusto TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)
Kusto TI map IP entity to Cloud App Events
Kusto TI Map IP Entity to CommonSecurityLog
Kusto TI Map IP Entity to CommonSecurityLog
Kusto TI Map IP Entity to DeviceNetworkEvents
Kusto TI Map IP Entity to DeviceNetworkEvents
Kusto TI map IP entity to DNS Events (ASIM DNS schema)
Kusto TI map IP entity to DNS Events (ASIM DNS schema)
Kusto TI Map IP Entity to DnsEvents
Kusto TI Map IP Entity to DnsEvents
Kusto TI Map IP Entity to Duo Security
Kusto TI Map IP Entity to Duo Security
Kusto TI map IP entity to GitHub_CL
Kusto TI map IP entity to GitHub_CL
Kusto TI map IP entity to Network Session Events (ASIM Network Session schema) available
Kusto TI map IP entity to Network Session Events (ASIM Network Session schema) available
Kusto TI map IP entity to OfficeActivity
Kusto TI map IP entity to OfficeActivity
Kusto TI Map IP Entity to SigninLogs
Kusto TI Map IP Entity to SigninLogs
Kusto TI Map IP Entity to VMConnection
Kusto TI Map IP Entity to VMConnection
Kusto TI Map IP Entity to W3CIISLog
Kusto TI Map IP Entity to W3CIISLog
Kusto TI map IP entity to Web Session Events (ASIM Web Session schema)
Kusto TI map IP entity to Web Session Events (ASIM Web Session schema)
Kusto TI map IP entity to Workday(ASimAuditEventLogs)
Kusto TI map IP entity to Workday(ASimAuditEventLogs)
Kusto TI Map URL Entity to AuditLogs
Kusto TI Map URL Entity to AuditLogs
Kusto TI map URL entity to Cloud App Events
Kusto TI Map URL Entity to DeviceNetworkEvents
Kusto TI Map URL Entity to DeviceNetworkEvents
Kusto TI Map URL Entity to EmailUrlInfo
Kusto TI Map URL Entity to EmailUrlInfo
Kusto TI Map URL Entity to OfficeActivity Data [Deprecated]
Kusto TI Map URL Entity to PaloAlto Data
Kusto TI Map URL Entity to PaloAlto Data
Kusto TI Map URL Entity to SecurityAlert Data
Kusto TI Map URL Entity to SecurityAlert Data
Kusto TI Map URL Entity to Syslog Data
Kusto TI Map URL Entity to Syslog Data
Kusto TI Map URL Entity to UrlClickEvents
Kusto TI Map URL Entity to UrlClickEvents
Kusto TI map URL entity to Web Session Events (ASIM Web Session schema)
Sigma Tunneling Tool Execution test
Kusto Ubiquiti - Connection to known malicious IP or C2 available
Kusto Ubiquiti - Possible connection to cryptominning pool available
Kusto Ubiquiti - Unusual FTP connection to external server available
Elastic Uncommon DNS Request via Bun or Node.js production
Splunk Unexpected Network Connection from System Process (Sysmon)
Splunk Unexpected Network Connection from System Process (Windows Event Log)
Elastic Unusual Child Execution via Web Server production
Elastic Unusual Command Execution via Web Server production
Elastic Unusual DNS Activity production
Elastic Unusual File Creation by Web Server production building block
Splunk Unusual HTTP Download (Sysmon)
Elastic Unusual Linux Network Activity production
Elastic Unusual Linux Network Port Activity production
Elastic Unusual Network Connection to Suspicious Top Level Domain production
Elastic Unusual Network Connection to Suspicious Web Service production
Elastic Unusual Network Connection via DllHost production
Elastic Unusual Network Connection via RunDLL32 production
Elastic Unusual Network Destination Domain Name production
Elastic Unusual Web Request production
Elastic Unusual Web User Agent production
Elastic Unusual Windows Network Activity production
Sigma Ursnif Malware C2 URL Pattern stable
Sigma Ursnif Malware Download URL Pattern stable
Kusto User Accessed Suspicious URL Categories available
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - New Campaign Detected available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available
Sigma Visual Studio Code Tunnel Execution test
Splunk Visual Studio Code Tunnel Execution (Sysmon)
Splunk Visual Studio Code Tunnel Execution (Windows Event Log)
Sigma Visual Studio Code Tunnel Service Installation test
Sigma Visual Studio Code Tunnel Shell Execution test
Panther VPC Flow Logs Unapproved Outbound DNS Traffic
Sigma Wannacry Killswitch Domain test
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Potential Command Injection Request production
Elastic Web Server Potential SQL Injection Request production building block
Kusto Web sites blocked by Eset available
Kusto Website blocked by ESET
Splunk Windows AI Platform DNS Query production
Splunk Windows App Layer Protocol Qakbot NamedPipe production
Splunk Windows App Layer Protocol Wermgr Connect To NamedPipe production
Splunk Windows Application Layer Protocol RMS Radmin Tool Namedpipe production
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows DNS Query Request by Telegram Bot API production
Splunk Windows File Transfer Protocol In Non-Common Process Path production
Splunk Windows FTP Exfiltration (PowerShell)
Splunk Windows FTP Exfiltration (Sysmon)
Splunk Windows FTP Exfiltration (Windows Event Log)
Kusto Windows host username encoded in base64 web request
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Mail Protocol In Non-Common Process Path production
Splunk Windows Multi hop Proxy TOR Website Query production
Sigma Windows PowerShell User Agent test
Splunk Windows Short Lived DNS Record production
Splunk Windows Visual Basic Commandline Compiler DNSQuery production
Sigma Windows WebDAV User Agent test

Application Layer Protocol: Web Protocols T1071.001 107 rules

Sigma APT User Agent test
Sigma APT40 Dropbox Tool User Agent test
Sigma Axios NPM Compromise Malicious C2 Domain DNS Query experimental
Kusto Beacon Traffic Based on Common User Agents Visiting Limited Number of Domains available
Sigma Bitsadmin to Uncommon IP Server Address test
Sigma Bitsadmin to Uncommon TLD test
Sigma Chafer Malware URL Pattern test
Sigma Change User Agents with WebRequest test
Kusto Cisco Cloud Security - Connection to Unpopular Website Detected available
Kusto Cisco Cloud Security - Crypto Miner User-Agent Detected available
Kusto Cisco Cloud Security - Rare User Agent Detected available
Kusto Cisco Cloud Security - Request Allowed to harmful/malicious URI category available
Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Splunk Cisco Secure Firewall - High EVE Threat Confidence production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Sigma Cloudflared Tunnels Related DNS Requests test
Kusto CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available
Elastic Cobalt Strike Command and Control Beacon production
Splunk Command and Control Detection (Windows Event Log)
Sigma ComRAT Network Communication test
Elastic Connection to Commonly Abused Web Services production
Sigma Crypto Miner User Agent test
Elastic Curl or Wget Spawned via Node.js production
Sigma Curl.EXE Execution With Custom UserAgent test
Elastic Default Cobalt Strike Team Server Certificate production
Elastic Deprecated - SUNBURST Command and Control Activity production
Kusto Detect presence of private IP addresses in URLs (ASIM Web Session) available
Kusto Discord CDN Risky File Download available
Kusto Discord CDN Risky File Download (ASIM Web Session Schema)
Sigma DNS Query Request By QuickAssist.EXE experimental
Sigma DNS Query To Devtunnels Domain test
Sigma DNS Query To Visual Studio Code Tunnels Domain test
Elastic DNS to Commonly Abused Web Services production building block
Elastic Execution via OpenClaw Agent production
Sigma Exploit Framework User Agent test
Elastic File Download Detected via Defend for Containers production
Elastic GenAI Process Connection to Unusual Domain production
Elastic Git Repository or File Download to Suspicious Directory production
Sigma HackTool - BabyShark Agent Default URL Pattern test
Sigma HackTool - CobaltStrike Malleable Profile Patterns - Proxy test
Sigma HackTool - Empire UserAgent URI Combo test
Elastic Halfbaked Command and Control Beacon production
Splunk HTTP C2 Framework User Agent production
Splunk HTTP Duplicated Header production
Splunk HTTP Malware User Agent production
Splunk HTTP Possible Request Smuggling production
Splunk HTTP PUA User Agent production
Splunk HTTP Rapid POST with Mixed Status Codes production
Splunk HTTP Request to Reserved Name on IIS Server production
Sigma HTTP Request With Empty User Agent test
Splunk HTTP RMM User Agent production
Splunk HTTP Scripting Tool User Agent production
Kusto IP address of Windows host encoded in web request
Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
Sigma Katz Stealer Suspicious User-Agent experimental
Elastic Linux Telegram API Request production
Sigma macOS HTTP Tools with Protocol Indicators experimental
Sigma Malware User Agent test
Sigma Outbound Network Connection Initiated By Microsoft Dialer test
Elastic Outlook Home Page Registry Modification production
Kusto Palo Alto Threat signatures from Unusual IP addresses available
Elastic Perl Outbound Network Connection production
Elastic Possible FIN7 DGA Command and Control Behavior production
Sigma Potential Base64 Encoded User-Agent test
Elastic Potential File Transfer via Certreq production
Elastic Potential File Transfer via Curl for Windows production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PwnDrp Access test
Sigma Raw Paste Service Access test
Sigma Renamed Visual Studio Code Tunnel Execution test
Kusto RunningRAT request parameters
Elastic Simple HTTP Web Server Connection production
Elastic Simple HTTP Web Server Creation production
Kusto SlackAudit - Unknown User Agent available
Sigma Suspicious Base64 Encoded User-Agent test
Sigma Suspicious Curl Change User Agents - Linux test
Elastic Suspicious Curl from macOS Application production
Elastic Suspicious Curl to Google App Script Endpoint production
Elastic Suspicious Execution from a WebDav Share production
Sigma Suspicious Installer Package Child Process test
Elastic Suspicious Installer Package Spawns Network Event production
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Sigma Suspicious User Agent test
Sigma Telegram API Access test
Kusto The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) available
Sigma Tunneling Tool Execution test
Splunk Unusual HTTP Download (Sysmon)
Elastic Unusual Network Connection to Suspicious Top Level Domain production
Elastic Unusual Network Connection to Suspicious Web Service production
Elastic Unusual Network Connection via RunDLL32 production
Elastic Unusual Network Destination Domain Name production
Elastic Unusual Web Request production
Elastic Unusual Web User Agent production
Sigma Ursnif Malware C2 URL Pattern stable
Sigma Ursnif Malware Download URL Pattern stable
Sigma Visual Studio Code Tunnel Execution test
Splunk Visual Studio Code Tunnel Execution (Sysmon)
Splunk Visual Studio Code Tunnel Execution (Windows Event Log)
Sigma Visual Studio Code Tunnel Service Installation test
Sigma Visual Studio Code Tunnel Shell Execution test
Sigma Wannacry Killswitch Domain test
Kusto Web sites blocked by Eset available
Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Kusto Windows host username encoded in base64 web request
Sigma Windows PowerShell User Agent test
Sigma Windows WebDAV User Agent test

Application Layer Protocol: File Transfer Protocols T1071.002 8 rules

Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
Splunk Detect Outbound SMB Traffic production
Kusto Ubiquiti - Unusual FTP connection to external server available
Splunk Windows FTP Exfiltration (PowerShell)
Splunk Windows FTP Exfiltration (Sysmon)
Splunk Windows FTP Exfiltration (Windows Event Log)

Application Layer Protocol: Mail Protocols T1071.003 4 rules

Elastic SMTP on Port 26/TCP production
Splunk Windows File Transfer Protocol In Non-Common Process Path production
Splunk Windows Mail Protocol In Non-Common Process Path production
Splunk Windows Multi hop Proxy TOR Website Query production

Application Layer Protocol: DNS T1071.004 44 rules

Sigma Cobalt Strike DNS Beaconing test
Sigma DNS Exfiltration and Tunneling Tools Execution test
Splunk DNS Kerberos Coercion production
Sigma DNS Query by Finger Utility experimental
Sigma DNS Query To Common Malware Hosting and Shortener Services experimental
Sigma DNS Query To Katz Stealer Domains experimental
Sigma DNS Query To Katz Stealer Domains - Network experimental
Panther DNS request to denylisted domain
Elastic DNS Tunneling production
Sigma DNS TXT Answer with Possible Execution Strings test
Sigma DoT (DNS over TLS) activation (command) stable
Sigma DoT (DNS over TLS) activation (PowerShell) experimental
Splunk Excessive DNS Failures experimental
Kusto GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone available
Kusto GCP Security Command Center - Detect DNSSEC disabled for DNS zones available
Elastic GenAI Process Connection to Suspicious Top Level Domain production
Sigma Low Reputation Effective Top-Level Domain (eTLD) experimental
Elastic Machine Learning Detected a DNS Request Predicted to be a DGA Domain production
Elastic Machine Learning Detected a DNS Request With a High DGA Probability Score production
Elastic Machine Learning Detected DGA activity using a known SUNBURST DNS domain production
Sigma macOS DNS Query Tools for C2 experimental
Elastic Network Activity to a Suspicious Top Level Domain production
Sigma Network Connection Initiated via Finger.EXE experimental
Sigma OilRig APT Activity test
Sigma OilRig APT Registry Persistence test
Sigma OilRig APT Schedule Task Persistence - Security test
Sigma OilRig APT Schedule Task Persistence - System test
Elastic Potential Command and Control via Internet Explorer production
Elastic Potential DGA Activity production
Elastic Potential DNS Tunneling via NsLookup production
Sigma Silence.EDA Detection test
Sigma Suspicious Cobalt Strike DNS Beaconing - DNS Client test
Sigma Suspicious Cobalt Strike DNS Beaconing - Sysmon test
Sigma Suspicious DNS Query with B64 Encoded String test
Elastic System Public IP Discovery via DNS Query production
Elastic Uncommon DNS Request via Bun or Node.js production
Elastic Unusual DNS Activity production
Elastic Unusual Network Destination Domain Name production
Splunk Windows AI Platform DNS Query production
Splunk Windows Credential Target Information Structure in Commandline production
Splunk Windows DNS Query Request by Telegram Bot API production
Splunk Windows Kerberos Coercion via DNS production
Splunk Windows Short Lived DNS Record production
Splunk Windows Visual Basic Commandline Compiler DNSQuery production

Proxy T1090 82 rules

Panther AppOmni Alert Passthrough
YARA-L AWS GuardDuty Tor Network Activity Detected
Panther AWS WAF Managed IP Reputation Passthrough Rule
Kusto BitSight - drop in company ratings available
Kusto BitSight - drop in the headline rating available
Splunk Cisco IOS XE Tunnel Interface Configuration production
Splunk Cisco SA - Access to Anonymizer Services production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Sigma Cloudflared Portable Execution test
Sigma Cloudflared Quick Tunnel Execution test
Sigma Cloudflared Tunnel Connections Cleanup test
Sigma Cloudflared Tunnel Execution test
Sigma Communication To LocaltoNet Tunneling Service Initiated test
Sigma Communication To LocaltoNet Tunneling Service Initiated - Linux test
Sigma Communication To Ngrok Tunneling Service - Linux test
Sigma Communication To Ngrok Tunneling Service Initiated test
Sigma Connection Proxy test
Elastic Connection to Commonly Abused Web Services production
Kusto Corelight - External Proxy Detected available
Elastic Curl SOCKS Proxy Activity from Unusual Parent production
Elastic Curl SOCKS Proxy Detected via Defend for Containers production
Sigma DNS Query Tor .Onion Address - Sysmon test
Elastic DNS to Commonly Abused Web Services production building block
Kusto Excessive Denied Proxy Traffic available
Elastic FortiGate SOCKS Traffic from an Unusual Process production
YARA-L GCTI Benign Binaries Contacts Tor Exit Node
YARA-L GCTI Tor Exit Nodes
YARA-L Google Safebrowsing File Contacts Tor Exit Node
Sigma HackTool - Htran/NATBypass Execution test
Sigma HackTool - SharpChisel Execution test
Elastic IPv4/IPv6 Forwarding Activity production
Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
Elastic Kubectl Network Configuration Modification production
Splunk Linux Ngrok Reverse Proxy Usage production
Splunk Linux Proxy Socks Curl production
Sigma Malicious IP Address Sign-In Failure Rate test
Sigma Malicious IP Address Sign-In Suspicious test
YARA-L MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report
Sigma Network Communication Initiated To Portmap.IO Domain test
Sigma Network proxy configuration changed experimental
Sigma New Port Forwarding Rule Added Via Netsh.EXE test
Sigma New PortProxy Registry Entry Added test
Splunk Ngrok Reverse Proxy on Network production
Kusto Ngrok Reverse Proxy on Network (ASIM DNS Solution) available
Sigma Ngrok Usage with Remote Desktop Service test
Splunk Okta Non-Standard VPN Usage experimental
Sigma OpenCanary - HTTPPROXY Login Attempt test
Elastic Port Forwarding Rule Addition production
Elastic Potential Linux Tunneling and/or Port Forwarding production
Elastic Potential Linux Tunneling and/or Port Forwarding via Command Line production
Elastic Potential Linux Tunneling and/or Port Forwarding via SSH Option production
Elastic Potential Protocol Tunneling via Chisel Client production
Elastic Potential Protocol Tunneling via Cloudflared production
Elastic Potential Protocol Tunneling via EarthWorm production
Elastic Potential Protocol Tunneling via Yuze production
Elastic Potential Traffic Tunneling using QEMU production
Sigma Potentially Suspicious Azure Front Door Connection test
Sigma Potentially Suspicious Usage Of Qemu test
Elastic ProxyChains Activity production
Sigma PUA - Chisel Tunneling Tool Execution test
Sigma PUA - Fast Reverse Proxy (FRP) Execution test
Sigma PUA - NPS Tunneling Tool Execution test
Sigma PUA- IOX Tunneling Tool Execution test
Sigma Query Tor Onion Address - DNS Client test
Sigma RDP over Reverse SSH Tunnel WFP test
Sigma RDP Port Forwarding Rule Added Via Netsh.EXE test
Sigma Renamed Cloudflared.EXE Execution test
Sigma Sign-In From Malware Infected IP test
Kusto Squid proxy events for ToR proxies
Sigma Suspicious TCP Tunnel Via PowerShell Script test
Elastic Suspicious Utility Launched via ProxyChains production
Sigma Tor Client/Browser Execution test
Splunk TOR Traffic production
Elastic Tunneling and/or Port Forwarding Detected via Defend for Containers production
Kusto Ubiquiti - Unusual DNS connection available
YARA-L VT Relationships File Contacts Tor IP
Splunk Windows Devtunnels Execution production
Splunk Windows Devtunnels Image Loaded production
Splunk Windows Ngrok Reverse Proxy Usage production
Splunk Windows Proxy Via Netsh production
Splunk Windows Proxy Via Registry production
Splunk Windows TOR Client Execution production

Proxy: Internal Proxy T1090.001 10 rules

Sigma Cloudflared Portable Execution test
Sigma Cloudflared Quick Tunnel Execution test
Sigma HackTool - SharpChisel Execution test
Elastic IPv4/IPv6 Forwarding Activity production
Elastic Port Forwarding Rule Addition production
Sigma PUA - Chisel Tunneling Tool Execution test
Sigma RDP over Reverse SSH Tunnel WFP test
Sigma Renamed Cloudflared.EXE Execution test
Splunk Windows Proxy Via Netsh production
Splunk Windows Proxy Via Registry production

Proxy: External Proxy T1090.002 7 rules

Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Elastic Connection to Commonly Abused Web Services production
Elastic Curl SOCKS Proxy Activity from Unusual Parent production
Elastic DNS to Commonly Abused Web Services production building block
Sigma Network Communication Initiated To Portmap.IO Domain test
Elastic Potential Protocol Tunneling via Cloudflared production
Sigma RDP over Reverse SSH Tunnel WFP test

Proxy: Multi-hop Proxy T1090.003 13 rules

YARA-L AWS GuardDuty Tor Network Activity Detected
Splunk Cisco SA - Access to Anonymizer Services production
Sigma DNS Query Tor .Onion Address - Sysmon test
YARA-L GCTI Benign Binaries Contacts Tor Exit Node
YARA-L GCTI Tor Exit Nodes
YARA-L Google Safebrowsing File Contacts Tor Exit Node
Elastic ProxyChains Activity production
Sigma Query Tor Onion Address - DNS Client test
Elastic Suspicious Utility Launched via ProxyChains production
Sigma Tor Client/Browser Execution test
Splunk TOR Traffic production
YARA-L VT Relationships File Contacts Tor IP
Splunk Windows TOR Client Execution production

Proxy: Domain Fronting T1090.004 1 rule

Sigma Potentially Suspicious Azure Front Door Connection test

Non-Application Layer Protocol T1095 42 rules

Kusto Anomaly found in Network Session Traffic (ASIM Network Session schema) available
Panther AWS Network ACL Restricts Insecure Protocols
Splunk Command and Control Detection (Windows Event Log)
Kusto CyberArkEPM - Uncommon process Internet access
Splunk Detect Large ICMP Traffic production
Kusto Detect port misuse by anomaly based detection (ASIM Network Session schema) available
Kusto Detect port misuse by static threshold (ASIM Network Session schema) available
Elastic File Transfer or Listener Established via Netcat production
Kusto Google DNS - IP check activity
Kusto Google DNS - Multiple errors for source
Kusto Google DNS - Multiple errors to same domain
Kusto Google DNS - Request to dynamic DNS service
Kusto Google DNS - UNC2452 (Nobelium) APT Group activity
Elastic IPSEC NAT Traversal Port Activity production
Splunk Linux Proxy Socks Curl production
Splunk Meterpreter Reverse Shell (Windows Event Log)
Elastic Netcat File Transfer or Listener Detected via Defend for Containers production
Elastic Netcat Listener Established via rlwrap production
Sigma Netcat The Powershell Version test
Elastic Network Activity Detected via cat production
Elastic Network Connection Initiated by Suspicious SSHD Child Process production
Elastic Network Connection via Recently Compiled Executable production
Elastic Potential Command Shell via NetCat production
Elastic Potential Reverse Shell production
Elastic Potential Reverse Shell Activity via Terminal production
Elastic Potential Reverse Shell via Background Process production
Elastic Potential Reverse Shell via Child production
Elastic Potential Reverse Shell via Suspicious Binary production
Elastic Potential Reverse Shell via Suspicious Child Process production
Elastic Potential Reverse Shell via UDP production
Sigma PUA - Netcat Suspicious Execution test
Splunk QEMU Network Tunneling - Windows (PowerShell)
Splunk QEMU Network Tunneling - Windows (Sysmon)
Splunk QEMU Network Tunneling - Windows (Windows Event Log)
Sigma Suspicious DNS Z Flag Bit Set test
Elastic Suspicious Interpreter Execution Detected via Defend for Containers production
Elastic Suspicious React Server Child Process production
Splunk Tunneling Process Created (PowerShell)
Splunk Tunneling Process Created (Sysmon)
Splunk Tunneling Process Created (Windows Event Log)
Kusto Ubiquiti - Possible connection to cryptominning pool available
Elastic Web Server Exploitation Detected via Defend for Containers production

Web Service T1102 59 rules

Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Kusto ApexOne - Suspicious connections available
Elastic AWS CLI Command with Custom Endpoint URL production
Elastic AWS SNS Rare Protocol Subscription by User production
Elastic AWS SNS Topic Message Publish by Rare User production
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Kusto Cisco SE - Possible webshell available
Kusto Cisco WSA - Multiple errors to resource from risky category available
Kusto Cisco WSA - Multiple errors to URL available
Kusto Cisco WSA - Unexpected URL available
Sigma Cloudflared Tunnel Connections Cleanup test
Sigma Cloudflared Tunnel Execution test
Sigma Communication To LocaltoNet Tunneling Service Initiated test
Sigma Communication To LocaltoNet Tunneling Service Initiated - Linux test
Sigma Communication To Ngrok Tunneling Service - Linux test
Sigma Communication To Ngrok Tunneling Service Initiated test
Elastic Connection to Common Large Language Model Endpoints production
Elastic Connection to Commonly Abused Web Services production
Kusto CreepyDrive request URL sequence
Kusto CreepyDrive URLs
Kusto Detect requests for an uncommon resources on the web (ASIM Web Session) available
Elastic DNS to Commonly Abused Web Services production building block
Sigma Github Self-Hosted Runner Execution test
Elastic Google Calendar C2 via Script Interpreter production
Splunk Linux Ngrok Reverse Proxy Usage production
Elastic Linux Telegram API Request production
Sigma Network Connection Initiated To AzureWebsites.NET By Non-Browser Process test
Elastic Network Connection to OAST Domain via Script Interpreter production
Sigma New Connection Initiated To Potential Dead Drop Resolver Domain test
Splunk Ngrok Reverse Proxy on Network production
Kusto Ngrok Reverse Proxy on Network (ASIM DNS Solution) available
Kusto NRT Squid proxy events related to mining pools
Kusto Possible Phishing with CSL and Network Sessions available
Elastic Potential Etherhiding C2 via Blockchain Connection production
Splunk Potential Telegram API Request Via CommandLine production
Sigma Potentially Suspicious Azure Front Door Connection test
Sigma Potentially Suspicious Network Connection To Notion API test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma Process Initiated Network Connection To Ngrok Domain test
Sigma PwnDrp Access test
Sigma Raw Paste Service Access test
Kusto Request for single resource on domain available
Kusto Squid proxy events related to mining pools
Elastic Statistical Model Detected C2 Beaconing Activity production
Elastic Statistical Model Detected C2 Beaconing Activity with High Confidence production
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Sigma Suspicious Child Process Of Manage Engine ServiceDesk test
Elastic Suspicious Curl to Google App Script Endpoint production
Elastic Suspicious File Downloaded from Google Drive production
Sigma Suspicious Non-Browser Network Communication With Google API experimental
Sigma Suspicious Non-Browser Network Communication With Telegram API test
Sigma Telegram API Access test
Sigma Telegram Bot API Request test
Elastic Uncommon DNS Request via Bun or Node.js production
Elastic Unusual Network Connection to Suspicious Web Service production
Elastic Unusual Web Request production
Splunk Windows Abused Web Services production
Splunk Windows DNS Query Request by Telegram Bot API production
Splunk Windows Ngrok Reverse Proxy Usage production

Web Service: Dead Drop Resolver T1102.001 8 rules

Elastic Connection to Commonly Abused Web Services production
Elastic DNS to Commonly Abused Web Services production building block
Elastic Google Calendar C2 via Script Interpreter production
Sigma Network Connection Initiated To AzureWebsites.NET By Non-Browser Process test
Sigma New Connection Initiated To Potential Dead Drop Resolver Domain test
Elastic Potential Etherhiding C2 via Blockchain Connection production
Sigma PwnDrp Access test
Sigma Raw Paste Service Access test

Web Service: Bidirectional Communication T1102.002 19 rules

Elastic AWS CLI Command with Custom Endpoint URL production
Elastic Connection to Common Large Language Model Endpoints production
Elastic Connection to Commonly Abused Web Services production
Kusto CreepyDrive request URL sequence
Kusto CreepyDrive URLs
Elastic DNS to Commonly Abused Web Services production building block
Sigma Github Self-Hosted Runner Execution test
Elastic Google Calendar C2 via Script Interpreter production
Elastic Linux Telegram API Request production
Elastic Potential Etherhiding C2 via Blockchain Connection production
Splunk Potential Telegram API Request Via CommandLine production
Sigma Potentially Suspicious Azure Front Door Connection test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Statistical Model Detected C2 Beaconing Activity production
Elastic Statistical Model Detected C2 Beaconing Activity with High Confidence production
Elastic Suspicious Curl to Google App Script Endpoint production
Sigma Telegram API Access test
Sigma Telegram Bot API Request test
Splunk Windows DNS Query Request by Telegram Bot API production

Web Service: One-Way Communication T1102.003 4 rules

Elastic AWS SNS Rare Protocol Subscription by User production
Sigma PwnDrp Access test
Sigma Raw Paste Service Access test
Elastic Suspicious File Downloaded from Google Drive production

Ingress Tool Transfer T1105 265 rules

Elastic Apple Script Execution followed by Network Connection production
Sigma AppX Package Installation Attempts Via AppInstaller.EXE test
Sigma Arbitrary File Download Via GfxDownloadWrapper.EXE test
Elastic AWS EC2 LOLBin Execution via SSM SendCommand production
Sigma Axios NPM Compromise File Creation Indicators - Linux experimental
Sigma Axios NPM Compromise File Creation Indicators - MacOS experimental
Sigma Axios NPM Compromise Indicators - Linux experimental
Sigma Axios NPM Compromise Indicators - macOS experimental
Sigma Axios NPM Compromise Indicators - Windows experimental
Sigma BITS payload downloaded via commandline experimental
Sigma BITS payload downloaded via PowerShell experimental
Elastic Bitsadmin Activity production building block
Kusto Bitsadmin Activity available
Splunk BITSAdmin Download File production
Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Sigma Browser Execution In Headless Mode test
Kusto C2-NamedPipe available
Splunk Certutil Execution (Sysmon)
Splunk Certutil Execution (Windows Event Log)
Splunk Certutil File Download (PowerShell)
Splunk Certutil File Download (Sysmon)
Splunk Certutil File Download (Windows Event Log)
Sigma Certutil payload download (command) experimental
Kusto Cisco Cloud Security - Request to blocklisted file type available
Splunk Cisco Isovalent - Curl Execution With Insecure Flags production
Splunk Cisco NVM - Suspicious File Download via Headless Browser production
Splunk Cisco NVM - Webserver Download From File Sharing Website production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Splunk Cisco Secure Firewall - File Download Over Uncommon Port production
Splunk Cisco Secure Firewall - High EVE Threat Confidence production
Splunk Cisco Secure Firewall - Malware File Downloaded production
Splunk Cisco Secure Firewall - Repeated Malware Downloads production
Splunk Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts production
Splunk Cisco Secure Firewall - Wget or Curl Download production
Sigma Cisco Stage Data test
Sigma Command Line Execution with Suspicious URL and AppData Strings test
Sigma Curl Download And Execute Combination test
Elastic Curl Execution via Shell Profile production
Splunk Curl Execution with Percent Encoded URL production
Elastic Curl or Wget Egress Network Connection via LoLBin production
Elastic Curl or Wget Execution from Container Context production
Elastic Curl or Wget Spawned via Node.js production
Sigma Curl Usage on Linux test
Sigma Curl.EXE Execution test
Sigma DarkGate - Autoit3.EXE File Creation By Uncommon Process test
Splunk Detect Certify Command Line Arguments production
Sigma Download File To Potentially Suspicious Directory Via Wget test
Splunk Download Files Using Telegram production
Sigma Download from Suspicious Dyndns Hosts test
Splunk Esentutl Execution (PowerShell)
Splunk Esentutl Execution (Sysmon)
Splunk Esentutl Execution (Windows Event Log)
Elastic Executable File Download via Wget production
Splunk Executable File Written to Disk (Sysmon)
Splunk Executable File Written to Disk (Windows Event Log)
Sigma Executable from Webdav test
Elastic Execution via OpenClaw Agent production
Splunk Expand.exe Execution (PowerShell)
Splunk Expand.exe Execution (Sysmon)
Splunk Expand.exe Execution (Windows Event Log)
Elastic File Creation, Execution and Self-Deletion in Suspicious Directory production
Sigma File Download And Execution Via IEExec.EXE test
Elastic File Download Detected via Defend for Containers production
Sigma File Download From Browser Process Via Inline URL test
Sigma File Download From IP Based URL Via CertOC.EXE test
Splunk File Download or Read to Pipe Execution production
Sigma File Download Using Notepad++ GUP Utility test
YARA-L File Download Using Notepad++ GUP Utility
Sigma File Download Via Bitsadmin test
Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
Sigma File Download via CertOC.EXE test
Sigma File Download Via Curl.EXE test
Sigma File Download Via Nscurl - MacOS test
Sigma File Download Via Windows Defender MpCmpRun.EXE test
YARA-L File Download Via Windows Defender MpCmpRun.EXE
Sigma File Download with Headless Browser test
Splunk File Executed from INetCache (Sysmon)
Splunk File Executed from INetCache (Windows Event Log)
Sigma File with high volume downloaded via BITS experimental
Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
Splunk Finger Execution (Sysmon)
Splunk Finger Execution (Windows Event Log)
Sigma Finger.EXE Execution test
YARA-L Finger.EXE Execution
Splunk Git Clone Repository (PowerShell)
Elastic Git Repository or File Download to Suspicious Directory production
Splunk Git Submodule Cloned - Windows (Sysmon)
Splunk Git Submodule Cloned - Windows (Windows Event Log)
Sigma Greenbug Espionage Group Indicators test
Sigma Hidden Flag Set On File/Directory Via Chflags - MacOS test
Sigma Import LDAP Data Interchange Format File Via Ldifde.EXE test
Kusto Ingress Tool Transfer - Certutil available
Elastic Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers production
Elastic Ingress Transfer via Windows BITS production
Elastic Initial Access via File Upload Followed by GET Request production
Sigma Insensitive Subfolder Search Via Findstr.EXE test
Splunk Invoke-WebRequest Command (PowerShell)
Splunk Invoke-WebRequest Command (Sysmon)
Splunk Invoke-WebRequest Command (Windows Event Log)
Splunk Juniper Networks Remote Code Execution Exploit Detection production
Elastic Kubernetes Pod Exec with Curl or Wget to HTTPS production
Sigma Legitimate Application Writing Files In Uncommon Location experimental
Splunk Linux Curl Upload File production
Splunk Linux Ingress Tool Transfer Hunting production
Splunk Linux Ingress Tool Transfer with Curl production
Splunk Live Sysinternals Execution (Sysmon)
Splunk Live Sysinternals Execution (Windows Event Log)
Splunk Living Off The Land Detection production
Sigma Local Network Connection Initiated By Script Interpreter test
Splunk Log4Shell CVE-2021-44228 Exploitation production
Sigma Lolbas OneDriveStandaloneUpdater.exe Proxy Download test
Splunk LOLBAS With Network Traffic production
Sigma macOS HTTP Tools with Protocol Indicators experimental
Splunk Microsoft Intune Device Health Scripts production
Splunk Microsoft Intune Mobile Apps experimental
Splunk mshta.exe File Download (PowerShell)
Splunk mshta.exe File Download (Sysmon)
Splunk mshta.exe File Download (Windows Event Log)
Sigma MsiExec Web Install test
Sigma Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder test
Sigma Network Connection Initiated By IMEWDBLD.EXE test
Sigma Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location test
Sigma Network Connection Initiated From Users\Public Folder test
Elastic Network Connection via Certutil production building block
Elastic Network Connection via MsXsl production
Splunk Network Connection with Suspicious Folder (Sysmon)
Splunk Network Connection with Suspicious Folder (Windows Event Log)
Elastic Network Traffic to Rare Destination Country production
Kusto New executable via Office FileUploaded Operation available
Splunk ngen.exe File Download (PowerShell)
Splunk ngen.exe File Download (Sysmon)
Splunk ngen.exe File Download (Windows Event Log)
Kusto Office Apps Launching Wscipt available
Splunk Office Binary Download Remote File (Windows Event Log)
Elastic Ollama DNS Query to Untrusted Domain production building block
Sigma Outbound Network Connection Initiated By Script Interpreter test
Kusto Outgoing connection attempts stateful anomaly on database available
Splunk Package installation (PowerShell)
Splunk Package installation (Sysmon)
Splunk Package installation (Windows Event Log)
Sigma Pandemic Registry Key test
Sigma Password Protected ZIP File Opened (Suspicious Filenames) test
Sigma Payload downloaded via PowerShell
Elastic Payload Execution via Shell Pipe Detected by Defend for Containers production
Elastic Pluggable Authentication Module (PAM) Source Download production
Sigma Potential COM Objects Download Cradles Usage - Process Creation test
Sigma Potential COM Objects Download Cradles Usage - PS Script test
Sigma Potential Data Exfiltration Via Curl.EXE test
Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest test
Sigma Potential Download/Upload Activity Using Type Command test
Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 experimental
Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load experimental
Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access experimental
Elastic Potential File Download via a Headless Browser production
Elastic Potential File Transfer via Certreq production
Elastic Potential File Transfer via Curl for Windows production
Elastic Potential Git CVE-2025-48384 Exploitation production
Sigma Potential In-Memory Download And Compile Of Payloads test
Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
Elastic Potential Remote File Execution via MSIEXEC production
Elastic Potential Remote Install via MsiExec production
Elastic Potential THC Tool Downloaded production
Elastic Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation production
Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService experimental
Elastic Potentially Suspicious Process Started via tmux or screen production
Splunk PowerShell Download Activity (PowerShell)
Sigma PowerShell Download Via Net.WebClient - PowerShell Classic test
Splunk PowerShell DownloadFile_DownloadString (PowerShell)
Splunk PowerShell DownloadFile_DownloadString (Sysmon)
Splunk PowerShell DownloadFile_DownloadString (Windows Event Log)
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
Splunk PowerShell Script Block With URL Chain production
Splunk PowerShell WebRequest Using Memory Stream production
Sigma PrintBrm ZIP Creation of Extraction test
YARA-L PrintBrm ZIP Creation of Extraction
Sigma Process Execution From WebDAV Share experimental
Splunk ProtocolHandler.exe File Download (PowerShell)
Splunk ProtocolHandler.exe File Download (Sysmon)
Splunk ProtocolHandler.exe File Download (Windows Event Log)
Sigma PUA - Nimgrab Execution test
YARA-L PUA - Nimgrab Execution
Sigma Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server experimental
Sigma Remote File Copy stable
Elastic Remote File Copy via TeamViewer production
Elastic Remote File Creation in World Writeable Directory production
Sigma Remote File Download Via Desktopimgdownldr Utility test
Elastic Remote File Download via Desktopimgdownldr Utility production
Sigma Remote File Download Via Findstr.EXE test
Elastic Remote File Download via MpCmdRun production
Elastic Remote File Download via PowerShell production
Elastic Remote File Download via Script Interpreter production
Sigma Replace.exe Usage test
Elastic Roshal Archive (RAR) or PowerShell File Downloaded from the Internet production
Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
Elastic Suspicious Browser Child Process production
Sigma Suspicious CertReq Command to Download experimental
YARA-L Suspicious Certreq Command to Download
Elastic Suspicious CertUtil Commands production
Elastic Suspicious Command Prompt Network Connection production
Sigma Suspicious Curl File Upload - Linux test
Elastic Suspicious Curl from macOS Application production
Splunk Suspicious Curl Network Connection experimental
Elastic Suspicious Curl to Google App Script Endpoint production
Sigma Suspicious Curl.EXE Download test
YARA-L Suspicious Curl.EXE Download
Sigma Suspicious Deno File Written from Remote Source experimental
Sigma Suspicious Desktopimgdownldr Command test
Sigma Suspicious Desktopimgdownldr Target File test
Sigma Suspicious Diantz Download and Compress Into a CAB File test
Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Sigma Suspicious Download from Office Domain test
Sigma Suspicious Download Via Certutil.EXE test
Sigma Suspicious Dropbox API Usage test
Elastic Suspicious Execution from a WebDav Share production
Elastic Suspicious Execution from Foomatic-rip or Cupsd Parent production
Elastic Suspicious Execution from INET Cache production
Elastic Suspicious Execution from VS Code Extension production
Sigma Suspicious Extrac32 Execution test
Sigma Suspicious File Created by ArcSOC.exe experimental
Sigma Suspicious File Downloaded From Direct IP Via Certutil.EXE test
Sigma Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE test
Elastic Suspicious File Downloaded from Google Drive production
Splunk Suspicious File written to Disk (Windows Event Log)
Elastic Suspicious Installer Package Spawns Network Event production
Sigma Suspicious Invoke-WebRequest Execution test
YARA-L Suspicious Invoke-WebRequest Execution
Sigma Suspicious Invoke-WebRequest Execution With DirectIP test
Elastic Suspicious JavaScript Execution via Deno production
Elastic Suspicious Network Tool Launch Detected via Defend for Containers production
Elastic Suspicious Network Tool Launched Inside A Container production
Sigma Suspicious Non-Browser Network Communication With Telegram API test
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Windows Command Shell Arguments production
Elastic Suspicious Windows Powershell Arguments production
Elastic System Path File Creation and Execution Detected via Defend for Containers production
Splunk Temporary File Executed from Public Folder (Sysmon)
Splunk Temporary File Executed from Public Folder (Windows Event Log)
Elastic Tool Installation Detected via Defend for Containers production
Sigma Uncommon Network Connection Initiated By Certutil.EXE test
Splunk Unusual HTTP Download (Sysmon)
Elastic Unusual Network Destination Domain Name production
Elastic Unusual Remote File Creation production
Splunk Visio.exe File Download (PowerShell)
Splunk Visio.exe File Download (Sysmon)
Splunk Visio.exe File Download (Windows Event Log)
Elastic Web Server Exploitation Detected via Defend for Containers production
Elastic Web Server Potential Command Injection Request production
Sigma Wget Creating Files in Tmp Directory test
Splunk Windows Cabinet File Extraction Via Expand production
Splunk Windows Curl Download to Suspicious Path production
Splunk Windows Curl Upload to Remote Destination production
Splunk Windows DLL Module Loaded in Temp Dir production
Splunk Windows DNS Query Request To TinyUrl production
Splunk Windows File Download Via CertUtil production
Splunk Windows File Download Via PowerShell production
Splunk Windows Ingress Tool Transfer Using Explorer production
Splunk Windows Ldifde Directory Object Behavior production
Splunk Windows Process Execution From RDP Share production
Splunk Windows SQL Spawning CertUtil experimental
Splunk Windows SSH Proxy Command production
Splunk WinRAR Spawning Shell Application production

Data Encoding T1132 15 rules

Kusto A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
Elastic Base16 or Base32 Encoding/Decoding Activity production
Splunk Certutil Execution (Sysmon)
Splunk Certutil Execution (Windows Event Log)
Splunk Certutil Obfuscate_Encode Files (EDR)
Splunk Certutil Obfuscate_Encode Files (PowerShell)
Splunk Certutil Obfuscate_Encode Files (Sysmon)
Splunk Certutil Obfuscate_Encode Files (Windows Event Log)
Kusto Cisco Cloud Security - Windows PowerShell User-Agent Detected available
Sigma DNS Exfiltration and Tunneling Tools Execution test
Kusto Excessive Blocked Traffic Events Generated by User available
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Sigma Gzip Archive Decode Via PowerShell test
Sigma Suspicious FromBase64String Usage On Gzip Archive - Process Creation test
Sigma Suspicious FromBase64String Usage On Gzip Archive - Ps Script test

Data Encoding: Standard Encoding T1132.001 6 rules

Elastic Base16 or Base32 Encoding/Decoding Activity production
Sigma DNS Exfiltration and Tunneling Tools Execution test
Elastic File Compressed or Archived into Common Format by Unsigned Process production building block
Sigma Gzip Archive Decode Via PowerShell test
Sigma Suspicious FromBase64String Usage On Gzip Archive - Process Creation test
Sigma Suspicious FromBase64String Usage On Gzip Archive - Ps Script test

Traffic Signaling T1205 1 rule

Elastic Unusual Linux Network Port Activity production

Traffic Signaling: Port Knocking T1205.001 1 rule

Elastic Unusual Linux Network Port Activity production

Remote Access Tools T1219 100 rules

Sigma Antivirus Exploitation Framework Detection stable
Splunk AnyDesk Command Line Execution (Sysmon)
Splunk AnyDesk Command Line Execution (Windows Event Log)
Splunk AnyDesk Execution from Suspicious Folder (Sysmon)
Splunk AnyDesk Execution from Suspicious Folder (Windows Event Log)
Splunk AnyDesk Silent Install (Sysmon)
Splunk AnyDesk Silent Install (Windows Event Log)
Sigma Anydesk Temporary Artefact test
Sigma Atera Agent Installation test
Splunk AteraAgent Installation - Windows (Sysmon)
Splunk AteraAgent Installation - Windows (Windows Event Log)
Elastic Attempt to Establish VScode Remote Tunnel production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Splunk Cisco Secure Firewall - Remote Access Software Usage Traffic production
Panther Crowdstrike Remote Access Tool Execution
Splunk Detect Remote Access Software Usage DNS production
Splunk Detect Remote Access Software Usage File production
Splunk Detect Remote Access Software Usage FileInfo production
Splunk Detect Remote Access Software Usage Process production
Splunk Detect Remote Access Software Usage Registry production
Splunk Detect Remote Access Software Usage Traffic production
Splunk Detect Remote Access Software Usage URL production
Sigma DNS Query To AzureWebsites.NET By Non-Browser Process test
Sigma DNS Query To Remote Access Software Domain From Non-Browser App test
Elastic First Time Seen DNS Query to RMM Domain production
Elastic First Time Seen Remote Monitoring and Management Tool production
YARA-L GCTI Remote Access Tools
Sigma GoToAssist Temporary Installation Artefact test
Sigma HackTool - Inveigh Execution Artefacts test
Sigma HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators test
Sigma Hijack Legit RDP Session to Move Laterally test
Splunk HTTP RMM User Agent production
Sigma Installation of TeamViewer Desktop test
Sigma Mesh Agent Service Installation test
Sigma Mstsc.EXE Execution With Local RDP File test
Elastic Multiple Remote Management Tool Vendors on Same Host production
Elastic NetSupport Manager Execution from an Unusual Path production
Elastic Newly Observed ScreenConnect Host Server production
Sigma OpenEDR Spawning Command Shell experimental
Sigma Potential Amazon SSM Agent Hijacking test
Sigma Potential CSharp Streamer RAT Loading .NET Executable Image test
Sigma Potential Linux Amazon SSM Agent Hijacking test
Elastic Potential REMCOS Trojan Execution production
Sigma Potential Remote Desktop Connection to Non-Domain Host test
Sigma Potential SocGholish Second Stage C2 DNS Query test
Elastic Potential Traffic Tunneling using QEMU production
Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService experimental
Sigma QuickAssist Execution experimental
Splunk Remote Access Software Execution (Sysmon)
Splunk Remote Access Software Execution (Windows Event Log)
Sigma Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions test
Sigma Remote Access Tool - AnyDesk Execution test
Sigma Remote Access Tool - Anydesk Execution From Suspicious Folder test
Sigma Remote Access Tool - AnyDesk Incoming Connection experimental
Sigma Remote Access Tool - AnyDesk Piped Password Via CLI test
Sigma Remote Access Tool - AnyDesk Silent Installation test
Sigma Remote Access Tool - GoToAssist Execution test
Sigma Remote Access Tool - LogMeIn Execution test
Sigma Remote Access Tool - MeshAgent Command Execution via MeshCentral test
Sigma Remote Access Tool - NetSupport Execution test
Sigma Remote Access Tool - Potential MeshAgent Execution - MacOS experimental
Sigma Remote Access Tool - Potential MeshAgent Execution - Windows experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - MacOS experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
Sigma Remote Access Tool - ScreenConnect Execution test
Sigma Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution test
Sigma Remote Access Tool - Simple Help Execution test
Sigma Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server experimental
Sigma Remote Access Tool - UltraViewer Execution test
Elastic Remote File Copy via TeamViewer production
Elastic Remote GitHub Actions Runner Registration production
Elastic Remote Management Access Launch After MSI Install production
Sigma Renamed Visual Studio Code Tunnel Execution test
Sigma ScreenConnect Temporary Installation Artefact test
Splunk SimpleHelp Remote Access Tool Execution (Sysmon)
Splunk SimpleHelp Remote Access Tool Execution (Windows Event Log)
Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
Splunk Suspicious AteraAgent Installation - Windows (PowerShell)
Splunk Suspicious AteraAgent Installation - Windows (Sysmon)
Splunk Suspicious AteraAgent Installation - Windows (Windows Event Log)
Sigma Suspicious Binary Writes Via AnyDesk test
Sigma Suspicious Mstsc.EXE Execution With Local RDP File test
Elastic Suspicious ScreenConnect Client Child Process production
Elastic Suspicious Shell Execution via Velociraptor production
Sigma Suspicious TSCON Start as SYSTEM test
Sigma Suspicious Velociraptor Child Process experimental
Sigma TacticalRMM Service Installation test
Sigma TeamViewer Domain Query By Non-TeamViewer Application test
Sigma TeamViewer Remote Session test
Splunk Temporary ConnectWise xml File Activity (Windows Event Log)
YARA-L Uncommon or Suspicious RMM Tool Execution Detected
Sigma Use of UltraVNC Remote Access Software test
Sigma Visual Studio Code Tunnel Execution test
Elastic VNC (Virtual Network Computing) from the Internet production
Elastic VNC (Virtual Network Computing) to the Internet production
Splunk Windows Level RMM PowerShell Script Installer production
Splunk Windows Level RMM Watchdog Task Created production
Splunk Windows Remote Access Software BRC4 Loaded Dll production
Splunk Windows Remote Access Software RMS Registry production
Splunk Windows RMM Tool Execution production

Remote Access Tools: Remote Desktop Software T1219.002 50 rules

Sigma Antivirus Exploitation Framework Detection stable
Sigma Anydesk Temporary Artefact test
Sigma Atera Agent Installation test
Sigma DNS Query To AzureWebsites.NET By Non-Browser Process test
Sigma DNS Query To Remote Access Software Domain From Non-Browser App test
Elastic First Time Seen DNS Query to RMM Domain production
Elastic First Time Seen Remote Monitoring and Management Tool production
Sigma GoToAssist Temporary Installation Artefact test
Sigma HackTool - Inveigh Execution Artefacts test
Sigma HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators test
Sigma Hijack Legit RDP Session to Move Laterally test
Sigma Installation of TeamViewer Desktop test
Sigma Mesh Agent Service Installation test
Sigma Mstsc.EXE Execution With Local RDP File test
Elastic Multiple Remote Management Tool Vendors on Same Host production
Elastic Newly Observed ScreenConnect Host Server production
Sigma Potential Amazon SSM Agent Hijacking test
Sigma Potential CSharp Streamer RAT Loading .NET Executable Image test
Sigma Potential Linux Amazon SSM Agent Hijacking test
Sigma Potential Remote Desktop Connection to Non-Domain Host test
Sigma Potential SocGholish Second Stage C2 DNS Query test
Sigma QuickAssist Execution experimental
Sigma Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions test
Sigma Remote Access Tool - AnyDesk Execution test
Sigma Remote Access Tool - Anydesk Execution From Suspicious Folder test
Sigma Remote Access Tool - AnyDesk Incoming Connection experimental
Sigma Remote Access Tool - AnyDesk Piped Password Via CLI test
Sigma Remote Access Tool - AnyDesk Silent Installation test
Sigma Remote Access Tool - GoToAssist Execution test
Sigma Remote Access Tool - LogMeIn Execution test
Sigma Remote Access Tool - MeshAgent Command Execution via MeshCentral test
Sigma Remote Access Tool - NetSupport Execution test
Sigma Remote Access Tool - Potential MeshAgent Execution - MacOS experimental
Sigma Remote Access Tool - Potential MeshAgent Execution - Windows experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - MacOS experimental
Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
Sigma Remote Access Tool - ScreenConnect Execution test
Sigma Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution test
Sigma Remote Access Tool - Simple Help Execution test
Sigma Remote Access Tool - UltraViewer Execution test
Elastic Remote Management Access Launch After MSI Install production
Sigma ScreenConnect Temporary Installation Artefact test
Sigma Suspicious Binary Writes Via AnyDesk test
Sigma Suspicious Mstsc.EXE Execution With Local RDP File test
Elastic Suspicious Shell Execution via Velociraptor production
Sigma Suspicious TSCON Start as SYSTEM test
Sigma TacticalRMM Service Installation test
Sigma TeamViewer Domain Query By Non-TeamViewer Application test
Sigma TeamViewer Remote Session test
Sigma Use of UltraVNC Remote Access Software test

Dynamic Resolution T1568 34 rules

Kusto Abnormal Deny Rate for Source IP available
YARA-L AWS GuardDuty DGA Domain Activity Detected
Sigma Axios NPM Compromise Malicious C2 Domain DNS Query experimental
Kusto CiscoISE - Device changed IP in last 24 hours available
Elastic Cobalt Strike Command and Control Beacon production
Sigma Communication To Ngrok Tunneling Service - Linux test
Sigma Communication To Ngrok Tunneling Service Initiated test
Elastic Connection to Commonly Abused Web Services production
Kusto Corelight - C2 DGA Detected Via Repetitive Failures available
Kusto Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) available
Kusto Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available
Kusto Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) available
Kusto Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) available
Sigma DNS Resolution Failure Spike experimental
Elastic DNS to Commonly Abused Web Services production building block
Sigma Download from Suspicious Dyndns Hosts test
Kusto Excessive NXDOMAIN DNS Queries available
Kusto Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
Elastic Halfbaked Command and Control Beacon production
Elastic Machine Learning Detected a DNS Request Predicted to be a DGA Domain production
Elastic Machine Learning Detected a DNS Request With a High DGA Probability Score production
Elastic Machine Learning Detected DGA activity using a known SUNBURST DNS domain production
Sigma macOS DNS Query Tools for C2 experimental
Kusto Possible contact with a domain generated by a DGA
Elastic Possible FIN7 DGA Command and Control Behavior production
Kusto Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)
Elastic Potential DGA Activity production
Kusto Potential DGA detected available
Kusto Potential DGA detected (ASIM DNS Schema)
Kusto Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) available
Kusto Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) available
Kusto RecordedFuture Threat Hunting Domain All Actors
Kusto RecordedFuture Threat Hunting IP All Actors
Elastic Unusual DNS Activity production

Dynamic Resolution: Fast Flux DNS T1568.001 1 rule

Kusto Abnormal Deny Rate for Source IP available

Dynamic Resolution: Domain Generation Algorithms T1568.002 14 rules

Kusto Abnormal Deny Rate for Source IP available
YARA-L AWS GuardDuty DGA Domain Activity Detected
Elastic Cobalt Strike Command and Control Beacon production
Sigma Communication To Ngrok Tunneling Service - Linux test
Sigma Communication To Ngrok Tunneling Service Initiated test
Elastic Connection to Commonly Abused Web Services production
Sigma DNS Resolution Failure Spike experimental
Elastic DNS to Commonly Abused Web Services production building block
Elastic Halfbaked Command and Control Beacon production
Elastic Machine Learning Detected a DNS Request Predicted to be a DGA Domain production
Elastic Machine Learning Detected a DNS Request With a High DGA Probability Score production
Elastic Machine Learning Detected DGA activity using a known SUNBURST DNS domain production
Elastic Possible FIN7 DGA Command and Control Behavior production
Elastic Potential DGA Activity production

Non-Standard Port T1571 27 rules

Kusto Abnormal Port to Protocol available
Splunk Cisco NVM - Outbound Connection to Suspicious Port production
Splunk Cisco Secure Firewall - Communication Over Suspicious Ports production
Splunk Cisco Secure Firewall - File Download Over Uncommon Port production
Sigma Communication To Uncommon Destination Ports test
Elastic Deprecated - Uncommon Destination Port Connection by Web Server production
Kusto Fortinet - Beacon pattern detected
Kusto GSA - Detect Abnormal Deny Rate for Source to Destination IP available
Kusto GSA - Detect Protocol Changes for Destination Ports available
Splunk Ollama Abnormal Network Connectivity experimental
Kusto Palo Alto - potential beaconing detected available
Kusto Palo Alto - potential beaconing detected available
Kusto Potential beaconing activity (ASIM Network Session schema) available
Elastic Potential Data Exfiltration Activity to an Unusual Destination Port production
Sigma Potentially Suspicious Malware Callback Communication test
Sigma Potentially Suspicious Malware Callback Communication - Linux test
Elastic Script Interpreter Connection to Non-Standard Port production
Elastic SMTP on Port 26/TCP production
Elastic Suricata and Elastic Defend Network Correlation production
Sigma Suspicious DNS Z Flag Bit Set test
Elastic Suspicious Outbound Network Connection via Unsigned Binary production
Sigma Testing Usage of Uncommonly Used Port test
Kusto Ubiquiti - Connection to known malicious IP or C2 available
Kusto Ubiquiti - Possible connection to cryptominning pool available
Elastic Unusual Linux Network Port Activity production
Panther VPC Flow Logs Inbound Port Allowlist
Panther VPC Flow Logs Inbound Port Blocklist

Protocol Tunneling T1572 82 rules

Kusto Abnormal Port to Protocol available
Splunk Cisco IOS XE Tunnel Interface Configuration production
Sigma Cloudflared Tunnel Connections Cleanup test
Sigma Cloudflared Tunnel Execution test
Sigma Cloudflared Tunnels Related DNS Requests test
Sigma Communication To LocaltoNet Tunneling Service Initiated test
Sigma Communication To LocaltoNet Tunneling Service Initiated - Linux test
Sigma Communication To Ngrok Tunneling Service - Linux test
Sigma Communication To Ngrok Tunneling Service Initiated test
Elastic Curl SOCKS Proxy Activity from Unusual Parent production
Elastic Curl SOCKS Proxy Detected via Defend for Containers production
Sigma DNS Query To Devtunnels Domain test
Elastic DNS Tunneling production
Elastic IPSEC NAT Traversal Port Activity production
Elastic IPv4/IPv6 Forwarding Activity production
Elastic Kubectl Network Configuration Modification production
Splunk Linux Ngrok Reverse Proxy Usage production
Elastic Linux SSH X11 Forwarding production
Splunk Named Pipe Created (Sysmon)
Sigma Network Connection Initiated To BTunnels Domains test
Sigma Network Connection Initiated To Cloudflared Tunnels Domains test
Sigma Network Connection Initiated To DevTunnels Domain test
Sigma Network Connection Initiated To Visual Studio Code Tunnels Domain test
Splunk ngrok Execution - Windows (PowerShell)
Splunk ngrok Execution - Windows (Sysmon)
Splunk ngrok Execution - Windows (Windows Event Log)
Splunk Ngrok Reverse Proxy on Network production
Kusto Ngrok Reverse Proxy on Network (ASIM DNS Solution) available
Splunk Okta Non-Standard VPN Usage experimental
Kusto Pathlock TDnR - SAP Router Log Events available
Sigma Port Forwarding Activity Via SSH.EXE test
Elastic Port Forwarding Rule Addition production
Elastic Potential DNS Tunneling via NsLookup production
Elastic Potential Linux Tunneling and/or Port Forwarding production
Elastic Potential Linux Tunneling and/or Port Forwarding via Command Line production
Elastic Potential Linux Tunneling and/or Port Forwarding via SSH Option production
Splunk Potential ngrok Tunnel - Windows (Windows Event Log)
Elastic Potential Protocol Tunneling via Chisel Client production
Elastic Potential Protocol Tunneling via Cloudflared production
Elastic Potential Protocol Tunneling via EarthWorm production
Elastic Potential Protocol Tunneling via Yuze production
Sigma Potential RDP Tunneling Via Plink test
Sigma Potential RDP Tunneling Via SSH test
Kusto Potential Remote Desktop Tunneling available
Elastic Potential Remote Desktop Tunneling Detected production
Elastic Potential Traffic Tunneling using QEMU production
Sigma Potentially Suspicious Usage Of Qemu test
Sigma Process Initiated Network Connection To Ngrok Domain test
Elastic ProxyChains Activity production
Sigma PUA - 3Proxy Execution test
Sigma PUA - Ngrok Execution test
Splunk QEMU Network Tunneling - Windows (PowerShell)
Splunk QEMU Network Tunneling - Windows (Sysmon)
Splunk QEMU Network Tunneling - Windows (Windows Event Log)
Sigma RDP Over Reverse SSH Tunnel test
Sigma RDP to HTTP or HTTPS Target Ports test
Sigma RDP tunneling configuration enabled for port forwarding experimental
Sigma RDP tunneling detected experimental
Sigma RDP tunneling via ngrok detected experimental
Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
Sigma Silence.EDA Detection test
Splunk ssh.exe Execution (Sysmon)
Splunk ssh.exe Execution (Windows Event Log)
Sigma Suspicious Plink Port Forwarding test
Elastic Suspicious Utility Launched via ProxyChains production
Elastic Tunneling and/or Port Forwarding Detected via Defend for Containers production
Splunk Tunneling Process Created (PowerShell)
Splunk Tunneling Process Created (Sysmon)
Splunk Tunneling Process Created (Windows Event Log)
Sigma Tunneling Tool Execution test
Kusto Ubiquiti - Connection to known malicious IP or C2 available
Kusto Ubiquiti - connection to non-corporate DNS server available
Kusto Ubiquiti - Large ICMP to external server available
Kusto Ubiquiti - Unusual DNS connection available
Splunk Windows Ngrok Reverse Proxy Usage production
Splunk Windows Potential Cloudflared Network Connection production
Splunk Windows Potential Cloudflared Tunnel Execution production
Splunk Windows Protocol Tunneling with Plink production
Splunk Windows SoftEther VPN Masquerading as Legitimate Binary production
Splunk Windows SSH Proxy Command production

Encrypted Channel T1573 23 rules

Sigma Activity from Anonymous IP Addresses test
Sigma Activity from Infrequent Country test
Sigma Activity from Suspicious IP Addresses test
Kusto Cisco Cloud Security - Connection to non-corporate private network available
Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
Splunk Cisco Secure Firewall - High EVE Threat Confidence production
Splunk Cisco Secure Firewall - Intrusion Events by Threat Activity production
Splunk Cisco Secure Firewall - Lumma Stealer Download Attempt production
Splunk Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt production
Elastic Connection to Commonly Abused Free SSL Certificate Providers production
Elastic Default Cobalt Strike Team Server Certificate production
Kusto Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) available
Kusto Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available
Elastic IPSEC NAT Traversal Port Activity production
Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
Elastic Openssl Client or Server Activity production
Sigma Potential Pikabot C2 Activity test
Kusto Powershell Empire Cmdlets Executed in Command Line available
Kusto ProofpointPOD - Weak ciphers available
Splunk SSL Certificates with Punycode experimental
Sigma Suspicious SSL Connection test
Kusto Ubiquiti - Unusual traffic available
Splunk Zeek x509 Certificate with Punycode experimental

Encrypted Channel: Asymmetric Cryptography T1573.002 9 rules

Splunk Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint production
Splunk Cisco Secure Firewall - High EVE Threat Confidence production
Splunk Cisco Secure Firewall - Intrusion Events by Threat Activity production
Splunk Cisco Secure Firewall - Lumma Stealer Download Attempt production
Splunk Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt production
Panther GCP K8s IOCActivity Deprecated
Panther Kubernetes API Activity from Tor Exit Node
Elastic Openssl Client or Server Activity production
Kusto Powershell Empire Cmdlets Executed in Command Line available

Content Injection T1659 4 rules

Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available

No specific technique 49 rules

Sigma API Call From Hacking Distro test
Kusto Cisco Umbrella - Connection to non-corporate private network
Kusto Cisco Umbrella - Connection to Unpopular Website Detected
Kusto Cisco Umbrella - Crypto Miner User-Agent Detected
Kusto Cisco Umbrella - Empty User Agent Detected
Kusto Cisco Umbrella - Hack Tool User-Agent Detected
Kusto Cisco Umbrella - Rare User Agent Detected
Kusto Cisco Umbrella - Request Allowed to harmful/malicious URI category
Kusto Cisco Umbrella - URI contains IP address
Kusto Cisco Umbrella - Windows PowerShell User-Agent Detected
Sigma Default Cobalt Strike Certificate test
Sigma Devil Bait Potential C2 Communication Traffic test
Sigma Diamond Sleet APT DNS Communication Indicators test
Sigma DNS Query To Put.io - DNS Client test
Sigma DPRK Threat Actor - C2 Communication DNS Indicators test
Sigma Goofy Guineapig Backdoor Potential C2 Communication test
Sigma HTTP Request to Low Reputation TLD or Suspicious File Extension experimental
Sigma macOS ESF Suspicious Curl Download experimental
Sigma macOS ESF Suspicious Process Execution experimental
Sigma New Kind of Network (NKN) Detection test
Sigma Office Application Initiated Network Connection Over Uncommon Ports test
Sigma Okta Security Threat Detected test
Sigma Potential Compromised 3CXDesktopApp Beaconing Activity - DNS test
Sigma Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon test
Sigma Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy test
Sigma Potential Compromised 3CXDesktopApp ICO C2 File Download test
Sigma Potential CVE-2023-36884 Exploitation - File Downloads test
Sigma Potential CVE-2023-36884 Exploitation - Share Access test
Sigma Potential CVE-2023-36884 Exploitation - URL Marker test
Sigma Potential CVE-2023-36884 Exploitation Pattern test
Sigma Potential CVE-2303-36884 URL Request Pattern Traffic test
Sigma Potential Operation Triangulation C2 Beaconing Activity - DNS test
Sigma Potential Operation Triangulation C2 Beaconing Activity - Proxy test
Sigma Potential Peach Sandstorm APT C2 Communication Activity test
Sigma Potential WizardUpdate Malware Infection test
Sigma Potential XCSSET Malware Infection test
Kusto Radiflow - Platform Alert available
Sigma Renamed Remote Utilities RAT (RURAT) Execution test
Sigma Renamed VsCode Code Tunnel Execution - File Indicator test
Kusto RITA Beacon Analyzer for Windows Firewall Events
Sigma Small Sieve Malware Potential C2 Communication test
Sigma Suspicious C2 Activities test
Kusto Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports
Kusto Suspicious Network Beacons - Microsoft Defender(MDE/M365D)
Kusto Suspicious Network Beacons - Sysmon
Kusto Suspicious Network Connections - Supply Chain Attack
Sigma Suspicious Wordpad Outbound Connections test
Sigma Visual Studio Code Tunnel Remote File Creation test
Sigma VsCode Code Tunnel Execution File Indicator test

Exfiltration

Exfiltration Over Other Network Medium T1011 3 rules

Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Spike in Bytes Sent to an External Device via Airdrop production
Splunk Windows Network Connection From Program In Suspect Location production

Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth T1011.001 1 rule

Elastic Spike in Bytes Sent to an External Device via Airdrop production

Automated Exfiltration T1020 49 rules

Kusto A host is potentially running a hacking tool (ASIM Web Session schema)
Kusto API - BOLA available
Elastic AWS EC2 Full Network Packet Capture Detected production
Panther AWS Public RDS Restore
Sigma AWS RDS Master Password Change test
Kusto Cisco Cloud Security - Hack Tool User-Agent Detected available
Kusto Claroty - Suspicious file transfer available
Kusto Deimos Component Execution available
Panther DEPRECATED - GitHub Web Hook Modified Deprecated
Splunk Detect RClone Command-Line Usage production
Splunk Detect Renamed RClone production
Splunk Detect Traffic Mirroring experimental
Splunk Executable Create Script Process (PowerShell)
Splunk Executable Create Script Process (Sysmon)
Splunk Executable Create Script Process (Windows Event Log)
Elastic GitHub Exfiltration via High Number of Repository Clones by User production
Sigma Github Fork Private Repositories Setting Enabled/Cleared test
Elastic GitHub Private Repository Turned Public production
Sigma Github Repository/Organization Transferred test
Panther GitHub Web Hook Modified
Elastic High Number of Closed Pull Requests by User production
Elastic High Number of Protected Branch Force Pushes by User production
Elastic M365 OneDrive/SharePoint Excessive File Downloads production
Sigma Mail Forwarding/Redirecting Activity In O365 test
Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
Kusto Mail redirect via ExO transport rule available
Panther Microsoft Exchange External Forwarding
Sigma Modification or Deletion of an AWS RDS Cluster experimental
Kusto Multiple users email forwarded to same destination available
Kusto NRT Multiple users email forwarded to same destination
Kusto Office365 Sharepoint File transfer above threshold
Kusto Office365 Sharepoint File transfer Folders above threshold
Sigma PowerShell Script With File Hostname Resolving Capabilities test
Sigma PowerShell Script With File Upload Capabilities test
Kusto Progress MOVEIt File transfer above threshold
Kusto Progress MOVEIt File transfer folder count above threshold
Sigma Restore Public AWS RDS Instance test
Panther Salesforce Bulk API Data Exfiltration
Panther Salesforce OAuth Credential Abuse Detection
Kusto Server Oriented Cmdlet And User Oriented Cmdlet used available
Elastic Several Failed Protected Branch Force Pushes by User production
Kusto SFTP File transfer above threshold
Kusto SFTP File transfer folder count above threshold
Sigma Suspicious Inbox Forwarding test
Kusto Third party integrated apps available
Kusto Threat Essentials - Mail redirect via ExO transport rule available
Kusto Users searching for VIP user activity
Kusto VIP Mailbox manipulation available
Splunk Windows Mustang Panda USB Tool Execution production

Automated Exfiltration: Traffic Duplication T1020.001 1 rule

Splunk Detect Traffic Mirroring experimental

Scheduled Transfer T1029 2 rules

Kusto OracleDBAudit - Connection to database from external IP available
Splunk Rare Scheduled Task (Windows Event Log)

Data Transfer Size Limits T1030 26 rules

Kusto Anomaly found in Network Session Traffic (ASIM Network Session schema) available
Kusto Cisco SEG - DLP policy violation available
Kusto Cisco SEG - Multiple large emails sent to external recipient available
Kusto CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses available
Kusto Corelight - Multiple files sent over HTTP with abnormal requests available
Kusto Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) available
Elastic GenAI Process Performing Encoding/Chunking Prior to Network Activity production
Splunk Linux Auditd Data Transfer Size Limits Via Split production
Splunk Linux Auditd Data Transfer Size Limits Via Split Syscall production
Splunk MacOS Data Chunking production
Kusto Mimecast Data Leak Prevention - Hold
Kusto Mimecast Data Leak Prevention - Hold
Kusto Mimecast Data Leak Prevention - Notifications
Kusto Mimecast Data Leak Prevention - Notifications
Kusto Palo Alto Threat signatures from Unusual IP addresses available
Elastic Potential Data Splitting Detected production
Splunk Rclone Execution (PowerShell)
Splunk Rclone Execution (Sysmon)
Splunk Rclone Execution (Windows Event Log)
Kusto SharePointFileOperation via devices with previously unseen user agents available
Kusto SharePointFileOperation via previously unseen IPs available
Sigma Split A File Into Pieces test
Sigma Split A File Into Pieces - Linux test
Kusto Threat Essentials - Time series anomaly for data size transferred to public internet available
Kusto Time series anomaly detection for total volume of traffic
Kusto Time series anomaly for data size transferred to public internet

Exfiltration Over C2 Channel T1041 77 rules

Kusto Abnormal Deny Rate for Source IP available
Kusto Abnormal Port to Protocol available
Panther Auth0 Delete Tenant Member
Splunk Cisco ASA - Device File Copy to Remote Location production
Kusto Cisco Cloud Security - Connection to non-corporate private network available
Kusto Cisco Cloud Security - Connection to Unpopular Website Detected available
Kusto Cisco Cloud Security - Crypto Miner User-Agent Detected available
Kusto Cisco Cloud Security - Rare User Agent Detected available
Kusto Cisco Cloud Security - Request Allowed to harmful/malicious URI category available
Splunk Cisco Secure Firewall - High EVE Threat Confidence production
Splunk Cisco Secure Firewall - Intrusion Events by Threat Activity production
Splunk Cisco Secure Firewall - Lumma Stealer Download Attempt production
Splunk Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt production
Splunk Cisco Secure Firewall - Potential Data Exfiltration production
Kusto Detect presence of private IP addresses in URLs (ASIM Web Session) available
Splunk Detect SNICat SNI Exfiltration experimental
Elastic DNS Tunneling production
Sigma Equation Group C2 Communication test
Kusto Excessive Blocked Traffic Events Generated by User available
Kusto Files Copied to USB Drives available
Panther GCP K8S Pod Create Or Modify Host Path Volume Mount Deprecated
Kusto High severity malicious activity detected available
Kusto IP address of Windows host encoded in web request
Panther Kubernetes Pod With HostPath Volume Mount
Sigma macOS Network Upload Activity experimental
Kusto Multiple Sources Affected by the Same TI Destination available
Elastic Network Activity Detected via Kworker production
Sigma Network Communication Initiated To Portmap.IO Domain test
Elastic Network Traffic to Rare Destination Country production
Sigma OpenCanary - TFTP Request test
Elastic Potential Data Exfiltration Activity to an Unusual Destination Port production
Elastic Potential Data Exfiltration Activity to an Unusual IP Address production
Elastic Potential Data Exfiltration Activity to an Unusual ISO Code production
Elastic Potential Data Exfiltration Activity to an Unusual Region production
Splunk Potential Telegram API Request Via CommandLine production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Powershell ICMP Data Exfiltration (PowerShell)
Kusto RecordedFuture Threat Hunting IP All Actors
Kusto RunningRAT request parameters
YARA-L sap suspected data exfiltration
Splunk Script Connected to External Destination - Windows (Sysmon)
Splunk Script Connected to External Destination - Windows (Windows Event Log)
Sigma Shai-Hulud NPM Package Malicious Exfiltration via Curl experimental
Panther Snowflake Data Exfiltration
Panther Snowflake Data Exfiltration
Panther Snowflake File Downloaded
Panther Snowflake File Downloaded
Panther Snowflake Table Copied Into Stage
Panther Snowflake Table Copied Into Stage
Panther Snowflake Temporary Stage Created
Panther Snowflake Temporary Stage Created
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Spike in Firewall Denies production
Elastic Spike in host-based traffic production
Elastic Spike in Network Traffic production
Elastic Spike in Network Traffic To a Country production
Sigma Tunneling Tool Execution test
Kusto Ubiquiti - connection to non-corporate DNS server available
Kusto Ubiquiti - Large ICMP to external server available
Elastic Unusual AWS Command for a User production
Elastic Unusual Azure Activity Logs Event for a User production
Elastic Unusual GCP Event for a User production
Elastic Unusual Linux Network Activity production
Elastic Unusual Linux Network Port Activity production
Elastic Unusual Network Destination Domain Name production
Elastic Unusual Windows Network Activity production
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available
Sigma Vice Society directory crawling script for data exfiltration (via ps_script) stable
Kusto Website blocked by ESET
Splunk Windows Exfiltration Over C2 Via Invoke RestMethod production
Splunk Windows Exfiltration Over C2 Via Powershell UploadString production
Kusto Windows host username encoded in base64 web request

Exfiltration Over Alternative Protocol T1048 118 rules

Kusto Apache - Put suspicious file available
Panther Azure Storage File Share Created or Modified
Sigma BITS payload downloaded via commandline experimental
Sigma BITS payload downloaded via PowerShell experimental
Kusto Bitsadmin Activity available
Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Kusto Box - File containing sensitive data available
Splunk Cisco ASA - Device File Copy to Remote Location production
Splunk Cisco Secure Firewall - Potential Data Exfiltration production
Kusto Cisco WSA - Suspected protocol abuse available
Sigma Copy From Or To Admin Share Or Sysvol Folder test
Sigma Data Exfiltration with Wget test
Sigma Data Export From MSSQL Table Via BCP.EXE test
Kusto Dataverse - Export activity from terminated or notified employee available
Kusto Dataverse - Suspicious use of TDS endpoint available
Kusto Dataverse - User bulk retrieval outside normal activity available
Kusto Dev-0270 Malicious Powershell usage available
Kusto Digital Guardian - Bulk exfiltration to external domain available
Kusto Digital Guardian - Exfiltration to external domain available
Kusto Digital Guardian - Exfiltration to online fileshare available
Kusto Digital Guardian - Exfiltration to private email available
Kusto Digital Guardian - Exfiltration using DNS protocol available
Kusto Digital Guardian - Incident with not blocked action available
Kusto Digital Guardian - Multiple incidents from user available
Kusto Digital Guardian - Possible SMTP protocol abuse available
Kusto Digital Guardian - Sensitive data transfer over insecure channel available
Kusto Digital Guardian - Unexpected protocol available
Kusto DNS events related to ToR proxies available
Kusto DNS events related to ToR proxies (ASIM DNS Schema)
Sigma DNS Exfiltration and Tunneling Tools Execution test
Splunk DNS Exfiltration Using Nslookup App production
Splunk DNS Query Length With High Standard Deviation production
Sigma DNS TOR Proxies test
Panther EC2 Route Table Modified
Splunk Excessive Usage of NSLOOKUP App production
Splunk Exfiltration via curl.exe - Windows (PowerShell)
Splunk Exfiltration via curl.exe - Windows (Sysmon)
Splunk Exfiltration via curl.exe - Windows (Windows Event Log)
Panther External Principal Accessing AWS Resources Via VPC Endpoint
Elastic File Transfer or Listener Established via Netcat production
Elastic File Transfer Utility Launched from Unusual Parent production
Sigma File with high volume downloaded via BITS experimental
Kusto Filewall - Blocked emails available
Kusto Filewall - Blocked files available
Sigma FTP Connection Open Attempt Via Winscp CLI experimental
Splunk Gsuite Outbound Email With Attachment To External Domain production
YARA-L Hunt for Non-Anonymous Office 365 file downloads
Splunk Multiple Archive Files Http Post Traffic production
Elastic Netcat File Transfer or Listener Detected via Defend for Containers production
Kusto Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP) available
Kusto Netskope - Repeated or Critical Policy Violations available
Kusto Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports) available
Elastic Network Activity Detected via cat production
Elastic Network Traffic to Rare Destination Country production
Splunk O365 DLP Rule Triggered production
YARA-L O365 OneDrive Anonymous File Accessed
YARA-L O365 OneDrive Anonymous File Downloaded
YARA-L O365 OneDrive Anonymous Link Accessed
Splunk Ollama Possible Model Exfiltration Data Leakage experimental
Kusto Oracle - Put suspicious file available
Kusto Pathlock TDnR - OData Application Log Events available
Kusto Pathlock TDnR - Outbound SAP SMTP Email available
Kusto Pathlock TDnR - Outgoing Spool Print Job Events available
Kusto Pathlock TDnR - SAP Download Observer Events available
Kusto Pathlock TDnR - SAP Read Access Logging Data available
Kusto Pathlock TDnR - SE16N Direct Table Change Documents available
Splunk Plain HTTP POST Exfiltrated Data production
Splunk Potential CVE-2023-23397 (EDR)
Splunk Potential CVE-2023-23397 (Sysmon)
Splunk Potential CVE-2023-23397 (Windows Event Log)
Sigma Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet test
Elastic Potential Data Exfiltration Through Curl production
Elastic Potential Data Exfiltration Through Wget production
Elastic Potential Data Exfiltration via Rclone production
Elastic Potential Database Dumping Activity production
Sigma Powershell DNSExfiltration test
Sigma PowerShell ICMP Exfiltration test
Splunk Prohibited Network Traffic Allowed production
Splunk Protocol or Port Mismatch production
Sigma PUA - Restic Backup Tool Execution experimental
Splunk PuTTY Secure Copy Client Execution (PowerShell)
Splunk PuTTY Secure Copy Client Execution (Sysmon)
Splunk PuTTY Secure Copy Client Execution (Windows Event Log)
Sigma Python WebServer Execution - Linux experimental
Elastic Rare SMB Connection to the Internet production
Splunk Rclone Execution (PowerShell)
Splunk Rclone Execution (Sysmon)
Splunk Rclone Execution (Windows Event Log)
Kusto SlackAudit - Public link created for file which can contain sensitive information. available
Elastic SMB (Windows File Sharing) Activity to the Internet production
Elastic SMTP on Port 26/TCP production
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Spike in host-based traffic production
Elastic Spike in Network Traffic To a Country production
Sigma Suspicious DNS Query with B64 Encoded String test
Sigma Suspicious Outbound SMTP Connections test
Sigma Suspicious Redirection to Local Admin Share test
Sigma Suspicious WebDav Client Execution Via Rundll32.EXE test
Sigma Tap Driver Installation test
Sigma Tap Driver Installation - Security test
Sigma Tap Installer Execution test
Kusto Trend Micro CAS - DLP violation available
Kusto Ubiquiti - Unusual FTP connection to external server available
Kusto Unauthorized user access across AWS and Azure
Elastic Unusual DNS Activity production
Elastic Unusual Windows Network Activity production
Sigma WebDav Client Execution Via Rundll32.EXE test
Sigma WebDav Put Request test
Splunk Windows FTP Exfiltration (PowerShell)
Splunk Windows FTP Exfiltration (Sysmon)
Splunk Windows FTP Exfiltration (Windows Event Log)
Elastic Windows Registry File Creation in SMB Share production
Splunk Windows Rundll32 WebDAV Request production
Splunk Windows Rundll32 WebDav With Network Connection production
Splunk WinSCP Execution (Windows Event Log)
Sigma Winscp Execution From Non Standard Folder experimental

Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001 2 rules

Sigma DNS Exfiltration and Tunneling Tools Execution test
Elastic Potential Data Exfiltration Through Curl production

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 4 rules

YARA-L Hunt for Non-Anonymous Office 365 file downloads
YARA-L O365 OneDrive Anonymous File Accessed
YARA-L O365 OneDrive Anonymous File Downloaded
YARA-L O365 OneDrive Anonymous Link Accessed

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 31 rules

Splunk BITSadmin Execution (PowerShell)
Splunk BITSadmin Execution (Sysmon)
Splunk BITSadmin Execution (Windows Event Log)
Splunk Cisco ASA - Device File Copy to Remote Location production
Splunk Cisco Secure Firewall - Potential Data Exfiltration production
Sigma Data Exfiltration with Wget test
Splunk DNS Query Length With High Standard Deviation production
Elastic File Transfer or Listener Established via Netcat production
Splunk Gsuite Outbound Email With Attachment To External Domain production
Splunk Multiple Archive Files Http Post Traffic production
Elastic Netcat File Transfer or Listener Detected via Defend for Containers production
Splunk Plain HTTP POST Exfiltrated Data production
Splunk Potential CVE-2023-23397 (EDR)
Splunk Potential CVE-2023-23397 (Sysmon)
Splunk Potential CVE-2023-23397 (Windows Event Log)
Sigma Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet test
Elastic Potential Data Exfiltration Through Curl production
Sigma PowerShell ICMP Exfiltration test
Splunk Protocol or Port Mismatch production
Sigma Python WebServer Execution - Linux experimental
Splunk Rclone Execution (PowerShell)
Splunk Rclone Execution (Sysmon)
Splunk Rclone Execution (Windows Event Log)
Sigma Suspicious DNS Query with B64 Encoded String test
Sigma Suspicious Outbound SMTP Connections test
Sigma Suspicious WebDav Client Execution Via Rundll32.EXE test
Sigma WebDav Client Execution Via Rundll32.EXE test
Sigma WebDav Put Request test
Splunk Windows Rundll32 WebDAV Request production
Splunk Windows Rundll32 WebDav With Network Connection production
Splunk WinSCP Execution (Windows Event Log)

Exfiltration Over Physical Medium T1052 6 rules

Kusto Dataverse - Terminated employee exfiltration to USB drive available
Elastic First Time Seen Removable Device production
Kusto Mass Download & copy to USB device by single user
Elastic New USB Storage Device Mounted production
Elastic Spike in Bytes Sent to an External Device production
Elastic Unusual Process Writing Data to an External Device production

Exfiltration Over Physical Medium: Exfiltration over USB T1052.001 4 rules

Elastic First Time Seen Removable Device production
Elastic New USB Storage Device Mounted production
Elastic Spike in Bytes Sent to an External Device production
Elastic Unusual Process Writing Data to an External Device production

Transfer Data to Cloud Account T1537 55 rules

Panther Amazon Machine Image (AMI) Modified to Allow Public Access
Panther AppOmni Alert Passthrough
Splunk ASL AWS EC2 Snapshot Shared Externally production
Splunk AWS AMI Attribute Modification for Exfiltration production
Panther AWS AMI Sharing
YARA-L AWS EC2 AMI Or Snapshot Shared Publicly
Elastic AWS EC2 AMI Shared with Another Account production
Elastic AWS EC2 EBS Snapshot Shared or Made Public production
Elastic AWS EC2 Export Task production
Elastic AWS EC2 Full Network Packet Capture Detected production
Splunk AWS EC2 Snapshot Shared Externally production
Sigma AWS EC2 VM Export Failure test
Splunk AWS Exfiltration via Bucket Replication production
Splunk AWS Exfiltration via EC2 Snapshot production
Elastic AWS RDS DB Snapshot Shared with Another Account production
Panther AWS RDS Manual/Public Snapshot Created
Panther AWS RDS Snapshot Copied Cross-Region
Panther AWS RDS Snapshot Exported to S3 Experimental
Panther AWS RDS Snapshot Shared
YARA-L AWS RDS Snapshot Shared Publicly
Panther AWS Resource Made Public
Elastic AWS S3 Bucket Policy Added to Allow Public Access production
Elastic AWS S3 Bucket Policy Added to Share with External Account production
Elastic AWS S3 Bucket Replicated to Another Account production
Sigma AWS S3 Data Management Tampering test
Splunk AWS S3 Exfiltration Behavior Identified production
Panther AWS S3 Large Download
Panther AWS S3 Object Copied to External Account Bucket
Panther AWS S3 Object Exfiltration FOLLOWED BY Object Deletion
Sigma AWS Snapshot Backup Exfiltration test
Panther AWS Snapshot Made Public
Kusto AWSCloudTrail - RDS instance publicly exposed available
Kusto AWSCloudTrail - S3 bucket access point publicly exposed available
Kusto AWSCloudTrail - S3 bucket exposed via ACL available
Kusto AWSCloudTrail - S3 bucket exposed via policy available
Kusto AWSCloudTrail - S3 object publicly exposed available
Elastic Azure Blob Storage Container Access Level Modified production
Kusto Box - Item shared to external entity available
Sigma Data Exfiltration to Unsanctioned Apps test
Panther Databricks Data Movement with Explicit Credentials Experimental
Kusto Dataverse - SharePoint document management site added or updated available
YARA-L GCP GCE Image Open To Public
Panther GCP GCS Bulk Object Rewrite Operation
Panther GCP GCS Object Copied to Different Bucket
Elastic GCP Logging Sink Modification production
Sigma Github Fork Private Repositories Setting Enabled/Cleared test
YARA-L GitHub Outgoing Organization Transfer Initiated
Sigma Github Repository/Organization Transferred test
Elastic Google Workspace Drive Data Transfer or Takeout Export Initiated production
Splunk High Frequency Copy Of Files In Network Share production
Elastic M365 Exchange Mail Flow Transport Rule Created production
Elastic M365 Exchange Mail Flow Transport Rule Modified production
Sigma macOS Cloud Storage Access Tools experimental
Kusto Power Platform - Connector added to a sensitive environment available
Panther Snowflake External Data Share

Exfiltration Over Web Service T1567 151 rules

Panther Anthropic Artifact Shared Publicly
Panther Anthropic MCP Server Created
Panther AppOmni Alert Passthrough
Sigma APT40 Dropbox Tool User Agent test
Sigma Arbitrary File Download Via ConfigSecurityPolicy.EXE test
Elastic AWS API Activity from Uncommon S3 Client by Rare User production
Elastic AWS DynamoDB Scan by Unusual User production
Elastic AWS DynamoDB Table Exported to S3 production
Elastic AWS EC2 Export Task production
Panther AWS Network ACL Restricts Outbound Traffic
Panther AWS RDS Instance Public Access
Panther AWS RDS Instance Snapshot Public Access
Elastic AWS RDS Snapshot Export production
Panther AWS S3 Bucket Policy Modified
Elastic AWS S3 Bucket Replicated to Another Account production
Panther AWS Security Group Restricts Outbound Traffic
Panther AWS Security Group Restricts Traffic Leaving CDE
Panther AWS Security Group Tightly Restricts Outbound Traffic
Kusto AWS Security Hub - Detect SQS Queue policy allowing public access available
Elastic AWS SNS Rare Protocol Subscription by User production
Elastic AWS SNS Topic Message Publish by Rare User production
Panther Azure Storage Account Public Network Access Enabled
Panther Azure Storage Blob Bulk Extraction
Elastic Azure Storage Blob Retrieval via AzCopy production
Panther Azure Storage SAS Token Access from External IP
Kusto Bitglass - Multiple files shared with external entity available
Kusto Bitglass - Suspicious file uploads available
Panther Box event triggered by unknown or external user
Panther Box Large Number of Downloads
Panther Box Shield Detected Anomalous Download Activity
Kusto Cisco Cloud Security - URI contains IP address available
Splunk Cisco NVM - Rclone Execution With Network Activity production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Splunk Cisco Secure Firewall - Potential Data Exfiltration production
Splunk Cisco TFTP Server Configuration for Data Exfiltration production
Kusto Cisco WSA - Unexpected uploads available
Panther CodeBuild Project made Public
Sigma Communication To Ngrok Tunneling Service - Linux test
Sigma Communication To Ngrok Tunneling Service Initiated test
Elastic Connection to Commonly Abused Web Services production
Kusto Corelight - Multiple Compressed Files Transferred over HTTP available
Kusto CreepyDrive request URL sequence
Kusto CreepyDrive URLs
Splunk Data Exfiltration via AWS CLI - Windows (Sysmon)
Splunk Data Exfiltration via AWS CLI - Windows (Windows Event Log)
Panther Databricks Data Downloads From Control Plane Experimental
Kusto Dataverse - Export activity from terminated or notified employee available
Kusto Dataverse - Guest user exfiltration following Power Platform defense impairment available
Kusto Dataverse - Honeypot instance activity available
Kusto Dataverse - Mass download from SharePoint document management available
Kusto Dataverse - Mass export of records to Excel available
Kusto Dataverse - SharePoint document management site added or updated available
Kusto Dataverse - Suspicious use of Web API available
Kusto Dataverse - Terminated employee exfiltration over email available
Sigma DNS Query for Anonfiles.com Domain - DNS Client test
Sigma DNS Query for Anonfiles.com Domain - Sysmon test
Sigma DNS Query To MEGA Hosting Website test
Sigma DNS Query To MEGA Hosting Website - DNS Client test
Sigma DNS Query To Ufile.io test
Sigma DNS Query To Ufile.io - DNS Client test
Panther DNS request to denylisted domain
Elastic DNS to Commonly Abused Web Services production building block
Panther Dropbox Many Downloads Experimental
Kusto GCP Audit Logs - Storage Bucket Made Public available
YARA-L GCP BigQuery Results Downloaded From Multiple Tables
Elastic GitHub Exfiltration via High Number of Repository Clones by User production
Elastic GitHub Private Repository Turned Public production
Sigma GitHub Repository Pages Site Changed to Public experimental
Panther GitHub Repository Visibility Change
Kusto Google DNS - Possible data exfiltration
YARA-L Google Workspace File Shared From Google Drive To Free Email Domain
Panther Google Workspace Many Docs Downloaded Experimental
YARA-L Google Workspace Multiple Files Copied From Google Drive
YARA-L Google Workspace Multiple Files Downloaded From Google Drive
YARA-L Google Workspace Multiple Files Sent As Email Attachments From Google Drive
YARA-L Google Workspace Suspicious Login and Google Drive File Download
YARA-L Google Workspace Suspicious Login and Google Drive File Share
Splunk Gsuite Drive Share In External Email experimental
Elastic High Number of Closed Pull Requests by User production
Elastic High Number of Protected Branch Force Pushes by User production
Splunk High Volume of Bytes Out to Url production
Kusto Insider Risk_Sensitive Data Access Outside Organizational Geo-location
Kusto Linked Malicious Storage Artifacts available
Splunk Linux Gdrive Binary Activity production
Sigma LOLBAS Data Exfiltration by DataSvcUtil.exe test
Splunk LOLBAS With Network Traffic production
Elastic M365 OneDrive/SharePoint Excessive File Downloads production
Elastic M365 Purview DLP Signal production building block
Sigma macOS Cloud Storage Access Tools experimental
Sigma macOS Network Upload Activity experimental
Splunk Mega Utility Execution - Windows (Sysmon)
Splunk Mega Utility Execution - Windows (Windows Event Log)
Sigma Monero Crypto Coin Mining Pool Lookup stable
Kusto Netskope - Anomalous User Behavior (High Volume from Unmanaged Device) available
Kusto Netskope - Data Movement Tracking (Upload/Download Monitoring) available
Kusto Netskope - Heavy Personal Cloud Storage Usage (Shadow IT) available
Kusto Netskope - Large Outbound Data Transfer / Sensitive Upload (DLP) available
Kusto Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT) available
Sigma Network Connection Initiated To BTunnels Domains test
Sigma Network Connection Initiated To Cloudflared Tunnels Domains test
Sigma Network Connection Initiated To DevTunnels Domain test
Sigma Network Connection Initiated To Mega.nz test
Sigma Network Connection Initiated To Visual Studio Code Tunnels Domain test
Elastic Network Connection to OAST Domain via Script Interpreter production
Splunk O365 DLP Rule Triggered production
Splunk O365 Email Access By Security Administrator production
Splunk O365 Exfiltration via File Access production
Splunk O365 Exfiltration via File Download production
Splunk O365 Exfiltration via File Sync Download production
Sigma Potential Data Exfiltration Via Curl.EXE test
Elastic Potential Data Exfiltration via Rclone production
Elastic Potential File Transfer via Certreq production
Elastic Potential File Transfer via Curl for Windows production
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Power Automate - Departing employee flow activity available
Kusto Power Platform - Connector added to a sensitive environment available
Kusto Powershell Empire Cmdlets Executed in Command Line available
Splunk Process Connection to Mega - Windows (Sysmon)
Splunk Process Connection to Mega - Windows (Windows Event Log)
Sigma Process Initiated Network Connection To Ngrok Domain test
Kusto ProofpointPOD - Email sender in TI list
Kusto ProofpointPOD - Email sender IP in TI list
Kusto ProofpointPOD - Multiple archived attachments to the same recipient available
Kusto ProofpointPOD - Multiple large emails to the same recipient available
Kusto ProofpointPOD - Multiple protected emails to unknown recipient available
Sigma PUA - Rclone Execution test
Sigma PUA - Restic Backup Tool Execution experimental
Sigma Rclone Activity via Proxy test
Sigma Rclone Config File Creation test
Splunk Rclone Execution (PowerShell)
Splunk Rclone Execution (Sysmon)
Splunk Rclone Execution (Windows Event Log)
Panther Salesforce API Anomaly Detection (RET Passthrough)
Panther Salesforce Bulk API Data Exfiltration
Elastic Several Failed Protected Branch Force Pushes by User production
Panther Slack Enterprise Key Management Unenrolled
Panther Slack Microsoft Intune Mobile Device Management Disabled
Panther Slack Private Channel Made Public
Kusto SlackAudit - Multiple archived files uploaded in short period of time available
Kusto SlackAudit - Public link created for file which can contain sensitive information. available
Panther Snowflake User Daily Query Volume Spike
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Sigma Suspicious Curl File Upload - Linux test
Sigma Suspicious Dropbox API Usage test
Sigma Suspicious Non-Browser Network Communication With Telegram API test
Elastic Unusual Network Connection to Suspicious Web Service production
Kusto Web sites blocked by Eset available
Splunk Windows Azure Storage Utility Execution Via CLI production
Splunk Windows Gdrive Binary Activity production
Splunk Windows OneDrive Share Mounted via Net production

Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 11 rules

Elastic Connection to Commonly Abused Web Services production
Elastic DNS to Commonly Abused Web Services production building block
Elastic GitHub Exfiltration via High Number of Repository Clones by User production
Elastic GitHub Private Repository Turned Public production
Sigma GitHub Repository Pages Site Changed to Public experimental
Elastic High Number of Closed Pull Requests by User production
Elastic High Number of Protected Branch Force Pushes by User production
Sigma Network Connection Initiated To DevTunnels Domain test
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Elastic Several Failed Protected Branch Force Pushes by User production

Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 43 rules

Sigma APT40 Dropbox Tool User Agent test
Elastic AWS API Activity from Uncommon S3 Client by Rare User production
Elastic AWS DynamoDB Table Exported to S3 production
Elastic AWS EC2 Export Task production
Elastic AWS RDS Snapshot Export production
Elastic AWS S3 Bucket Replicated to Another Account production
Panther Azure Storage Blob Container Permissions Modified
Elastic Azure Storage Blob Retrieval via AzCopy production
Panther Azure VM Disk SAS URI Generated
Splunk Cisco NVM - Rclone Execution With Network Activity production
Splunk Cisco Secure Firewall - Connection to File Sharing Domain production
Splunk Cisco Secure Firewall - Potential Data Exfiltration production
Elastic Connection to Commonly Abused Web Services production
Kusto CreepyDrive request URL sequence
Kusto CreepyDrive URLs
Sigma DNS Query for Anonfiles.com Domain - DNS Client test
Sigma DNS Query for Anonfiles.com Domain - Sysmon test
Sigma DNS Query To MEGA Hosting Website test
Sigma DNS Query To MEGA Hosting Website - DNS Client test
Sigma DNS Query To Ufile.io test
Sigma DNS Query To Ufile.io - DNS Client test
Elastic DNS to Commonly Abused Web Services production building block
Kusto GCP Audit Logs - Storage Bucket Made Public available
Splunk Gsuite Drive Share In External Email experimental
Elastic M365 Purview DLP Signal production building block
Sigma macOS Cloud Storage Access Tools experimental
Sigma Network Connection Initiated To Mega.nz test
Elastic Potential Data Exfiltration via Rclone production
Elastic Potential PowerShell HackTool Script by Function Names production
Kusto Powershell Empire Cmdlets Executed in Command Line available
Sigma PUA - Rclone Execution test
Sigma PUA - Restic Backup Tool Execution experimental
Sigma Rclone Activity via Proxy test
Sigma Rclone Config File Creation test
Splunk Rclone Execution (PowerShell)
Splunk Rclone Execution (Sysmon)
Splunk Rclone Execution (Windows Event Log)
Kusto SlackAudit - Public link created for file which can contain sensitive information. available
Elastic Suspicious AWS S3 Connection via Script Interpreter production
Sigma Suspicious Dropbox API Usage test
Elastic Unusual Network Connection to Suspicious Web Service production
Splunk Windows Azure Storage Utility Execution Via CLI production
Splunk Windows OneDrive Share Mounted via Net production

Exfiltration Over Web Service: Exfiltration to Text Storage Sites T1567.003 3 rules

Elastic Connection to Commonly Abused Web Services production
Elastic DNS to Commonly Abused Web Services production building block
Elastic Unusual Network Connection to Suspicious Web Service production

Exfiltration Over Web Service: Exfiltration Over Webhook T1567.004 1 rule

Elastic Unusual Network Connection to Suspicious Web Service production

No specific technique 16 rules

Sigma Active Directory Structure Export Via Ldifde.EXE test
Kusto Cisco Umbrella - Connection to non-corporate private network
Sigma Disk Image Creation Via Hdiutil - MacOS test
Sigma Email Exifiltration Via Powershell test
Sigma Ingress Port 22 Opened test
Elastic M365 Purview Insider Risk Signal production building block
Elastic M365 Purview Security Compliance Signal production building block
Sigma Potential CVE-2023-23397 Exploitation Attempt - SMB test
Sigma Potential Data Exfiltration Via Audio File test
Panther Query.Snowflake.CopyIntoStage
Panther Query.Snowflake.FileDownloaded
Panther Query.Snowflake.TempStageCreated
Kusto Radiflow - Platform Alert available
Sigma Suspicious OAuth App File Download Activities test
Sigma Suspicious PowerShell Mailbox Export to Share test
Sigma Suspicious PowerShell Mailbox Export to Share - PS test

Impact

Data Destruction T1485 177 rules

Kusto Affected rows stateful anomaly on database available
Panther AppOmni Alert Passthrough
Splunk ASL AWS Defense Evasion PutBucketLifecycle production
Kusto AV detections related to Ukraine threats available
Splunk AWS Bedrock Delete Knowledge Base production
Elastic AWS CloudWatch Log Group Deletion production
Elastic AWS CloudWatch Log Stream Deletion production
Splunk AWS Defense Evasion PutBucketLifecycle production
Elastic AWS EC2 EBS Snapshot Access Removed production
Elastic AWS EFS File System Deleted production
Sigma AWS EFS Fileshare Mount Modified or Deleted test
Sigma AWS EKS Cluster Created or Deleted test
Elastic AWS KMS Customer Managed Key Disabled or Scheduled for Deletion production
YARA-L AWS KMS Key Disabled Or Scheduled For Deletion
Panther AWS RDS Automated Backup Deleted
Elastic AWS RDS DB Instance or Cluster Deleted production
Elastic AWS RDS DB Instance or Cluster Deletion Protection Disabled production
Panther AWS RDS Instance or Cluster Deleted Experimental
Elastic AWS RDS Snapshot Deleted production
Panther AWS RDS Snapshot Deleted Experimental
Panther AWS S3 Bucket Action Restrictions
Elastic AWS S3 Bucket Expiration Lifecycle Configuration Added production
Panther AWS S3 Bucket MFA Delete
Panther AWS S3 Bucket Object Lock Configured
Panther AWS S3 Bucket Public Write
Panther AWS S3 Bucket Versioning
Panther AWS S3 Security Control Disabling Experimental
Elastic AWS S3 Unauthenticated Bucket Access by Rare Source production
Elastic AWS SQS Queue Purge production
Kusto AWSCloudTrail - Creating keys with encrypt policy without MFA available
Elastic Azure Automation Runbook Deleted production
Elastic Azure Compute Snapshot Deletion by Unusual User and Resource Group production
Elastic Azure Compute Snapshot Deletions by User production
Sigma Azure Container Registry Created or Deleted test
Sigma Azure Device or Configuration Modified or Deleted test
Panther Azure Disk Deleted Experimental
Elastic Azure Event Hub Deleted production
Panther Azure Key Vault Deleted
Panther Azure Key Vault Key Permanently Purged
Panther Azure Key Vault Permanently Purged
Sigma Azure Kubernetes Cluster Created or Deleted test
Sigma Azure Kubernetes Network Policy Change test
Sigma Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted test
Sigma Azure Kubernetes Secret or Config Object Access test
Sigma Azure Kubernetes Sensitive Role Access test
Sigma Azure Kubernetes Service Account Modified or Deleted test
Panther Azure Log Analytics Workspace Deleted
Panther Azure Network Security Configuration Modified or Deleted Experimental
Panther Azure Recovery Services Protection Container Deleted
Elastic Azure Resource Group Deleted production
Panther Azure Resource Group Deleted
Panther Azure Restore Point Collection Deleted
Panther Azure SQL Server Deleted
Panther Azure Storage Account Blob Versioning Disabled
Panther Azure Storage Account Deleted
Elastic Azure Storage Account Deletion by Unusual User production
Elastic Azure Storage Account Deletions by User production
Panther Azure Storage Blob Deletion
Panther Azure Storage Blob Soft Delete Disabled
Panther Azure Storage Container Soft Delete Disabled
Panther Azure Storage Immutability Policy Deleted
Panther Azure Virtual Machine Deleted Experimental
Panther Azure Virtual Network Deleted
Panther Azure VM Snapshot Deleted
Elastic Backup Deletion with Wbadmin production
Kusto Box - Many items deleted by user available
Kusto BTP - Mass user deletion in a sub account available
Kusto BTP - Mass user deletion in SAP Cloud Identity Service available
Splunk Cipher.exe Execution (Sysmon)
Splunk Cipher.exe Execution (Windows Event Log)
Splunk Common Ransomware Extensions production
Splunk Common Ransomware Notes production
Kusto CTERA Mass Deletions Detection Analytic available
Panther Databricks Destructive Activities Experimental
Kusto Dataverse - Mass deletion of records available
Kusto Dataverse - Mass record updates available
Sigma DD File Overwrite test
Sigma Deleted Data Overwritten Via Cipher.EXE test
Kusto Deletion of data on multiple drives using cipher exe available
Elastic Deprecated - M365 Security Compliance Unusual Volume of File Deletion production
Splunk Detect DNS Query to Decommissioned S3 Bucket experimental
Splunk Detect Web Access to Decommissioned S3 Bucket experimental
Kusto Drop attempts stateful anomaly on database available
Panther Dropbox Many Deletes Experimental
Kusto Employee account deleted available
Splunk Excessive File Deletion In WinDefender Folder production
Kusto F&O - Mass update or deletion of user records available
Elastic File Deletion via Shred production
Sigma Fsutil Suspicious Invocation stable
Kusto GCP Audit Logs - Detect Bulk VM Snapshot Deletion available
Panther GCP GCS Bulk Object Deletion Experimental
YARA-L GCP Multiple KMS Keys Disabled Or Destroyed
YARA-L GCP Multiple Secrets Deleted
Elastic GCP Storage Bucket Deletion production
Elastic GCP Virtual Private Cloud Network Deletion production
YARA-L GitHub Enterprise Deleted
Splunk GitHub Enterprise Remove Organization production
Splunk GitHub Enterprise Repository Archived production
Splunk GitHub Enterprise Repository Deleted production
YARA-L GitHub Organization Removed From Enterprise
Splunk GitHub Organizations Repository Archived production
Splunk GitHub Organizations Repository Deleted production
YARA-L GitHub Repository Archived Or Deleted
Elastic GitHub Repository Deleted production
Kusto GitLab - Abnormal number of repositories deleted available
YARA-L Google Workspace Multiple Files Deleted From Google Drive
Panther GSuite Drive Many Documents Deleted Experimental
Elastic High Number of Closed Pull Requests by User production
Elastic High Number of Protected Branch Force Pushes by User production
Panther KMS CMK Disabled or Deleted
Splunk Linux Account Manipulation Of SSH Config and Keys production
Splunk Linux Auditd Data Destruction Command production
Splunk Linux Auditd Dd File Overwrite production
Splunk Linux Auditd Shred Overwrite Command production
Splunk Linux Data Destruction Command production
Splunk Linux DD File Overwrite production
Splunk Linux Deleting Critical Directory Using RM Command production
Splunk Linux Deletion Of Cron Jobs production
Splunk Linux Deletion Of Init Daemon Script production
Splunk Linux Deletion Of Services production
Splunk Linux Deletion of SSL Certificate production
Splunk Linux High Frequency Of File Deletion In Boot Folder production
Splunk Linux High Frequency Of File Deletion In Etc Folder production
Splunk Linux Shred Overwrite Command production
Sigma macOS Data Destruction Tools experimental
Kusto Mass Cloud resource deletions Time Series Anomaly available
Sigma Microsoft 365 - Unusual Volume of File Deletion test
Sigma MSSQL Destructive Query experimental
Kusto Multiple Teams deleted by a single user available
Panther Netskope Many Objects Deleted
Kusto NRT Sensitive Azure Key Vault operations available
Splunk O365 Email Hard Delete Excessive Volume production
Splunk O365 Email Password and Payroll Compromise Behavior production
Splunk O365 Email Receive and Hard Delete Takeover Behavior production
Splunk O365 Email Send and Hard Delete Exfiltration Behavior production
Splunk O365 Email Send and Hard Delete Suspicious Behavior production
Splunk O365 Email Send Attachments Excessive Volume production
Kusto OracleDBAudit - Multiple tables dropped in short time available
Sigma Overwriting the File with Dev Zero or Null stable
Elastic Potential AWS S3 Bucket Ransomware Note Uploaded production
Sigma Potential BlackByte Ransomware Activity test
Sigma Potential File Overwrite Via Sysinternals SDelete test
Elastic Potential Ransomware Behavior - Note Files by System production
Elastic Potential Ransomware Note File Dropped via SMB production
Kusto Potential re-named sdelete usage available
Kusto Potential re-named sdelete usage (ASIM Version)
Sigma Potential Secure Deletion with SDelete test
Elastic Potential Secure File Deletion via SDelete Utility production
Elastic Potential System Tampering via File Modification production
Kusto Power Apps - Multiple apps deleted available
Kusto Power Automate - Departing employee flow activity available
Kusto Power Automate - Unusual bulk deletion of flow resources available
Sigma Renamed Sysinternals Sdelete Execution test
Panther S3 Bucket Deleted
Panther S3 Bucket Encryption Deleted Experimental
Panther S3 Bucket Logging Disabled
Panther S3 Bucket Replication Deleted
Panther S3 Bucket Versioning Suspended
Panther S3 MFA Delete Disabled
Splunk Sdelete Application Execution production
Kusto Sdelete deployed via GPO and run recursively available
Kusto Sdelete deployed via GPO and run recursively (ASIM Version)
Kusto SenservaPro AD Applications Not Using Client Credentials available
Kusto Sensitive Azure Key Vault operations available
Elastic Several Failed Protected Branch Force Pushes by User production
Kusto Snowflake - Possible data destraction available
Elastic SSL Certificate Deletion production
Elastic Suspicious File Renamed via SMB production
Elastic Third-party Backup Files Deleted via Unexpected Process production
Kusto Threat Essentials - Mass Cloud resource deletions Time Series Anomaly available
Kusto TI map IP entity to LastPass data available
Kusto Unusual Volume of file deletion by users available
Kusto Unusual Volume of Password Updated or Removed available
Splunk Windows Data Destruction Recursive Exec Files Deletion production
Splunk Windows Disable Memory Crash Dump production
Splunk Windows File Without Extension In Critical Folder production
Splunk Windows High File Deletion Frequency production

Data Destruction: Lifecycle-Triggered Deletion T1485.001 4 rules

Splunk ASL AWS Defense Evasion PutBucketLifecycle production
Splunk AWS Defense Evasion PutBucketLifecycle production
Elastic AWS KMS Customer Managed Key Disabled or Scheduled for Deletion production
Elastic AWS S3 Bucket Expiration Lifecycle Configuration Added production

Data Encrypted for Impact T1486 75 rules

Kusto Acronis - Multiple Endpoints Infected by Ransomware
Sigma Antivirus Ransomware Detection test
Panther AppOmni Alert Passthrough
Splunk ASL AWS Detect Users creating keys with encrypt policy without MFA production
Kusto AV detections related to Dev-0530 actors
Kusto AV detections related to Europium actors
Kusto AV detections related to Hive Ransomware
Kusto AV detections related to Zinc actors available
Splunk AWS Detect Users creating keys with encrypt policy without MFA production
Splunk AWS Detect Users with KMS keys performing encryption S3 production
Sigma AWS EC2 Disable EBS Encryption stable
Panther AWS EC2 EBS Encryption Disabled
Sigma AWS KMS Imported Key Material Usage experimental
Panther AWS S3 Object Copied to External Account Bucket
Elastic AWS S3 Object Encryption Using External KMS Key production
Panther AWS S3 Object Exfiltration FOLLOWED BY Object Deletion
Kusto AWSCloudTrail - S3 bucket suspicious ransomware activity available
Kusto AWSCloudTrail - Suspicious overly permissive KMS key policy created available
Panther Azure Storage Blob CPK Encryption Detected
Panther Azure Storage Blob Upload FOLLOWED BY CPK Encryption Error
Sigma BitLocker feature activation on multiple hosts (native) experimental
Sigma BitLocker feature configuration (Reg via command) experimental
Sigma BitLocker server feature activation (PowerShell) experimental
Sigma BlueSky Ransomware Artefacts test
Kusto Cisco SE - Ransomware Activity available
Elastic Deprecated - M365 Security Compliance Potential Ransomware Activity production
Kusto Dev-0270 Registry IOC - September 2022 available
Kusto Dev-0530 File Extension Rename
Elastic Excessive AWS S3 Object Encryption with SSE-C production
Sigma FunkLocker Ransomware File Creation experimental
Panther GCP Cloud Storage Buckets Modified Or Deleted
Panther GCP GCS Bulk Object Rewrite Operation
Panther GCP GCS Ransom Note Upload
Panther GCP KMS Bulk Encryption by GCS Service Account
Panther GCP KMS Key Granted to GCS Service Account
Panther GCP KMS Key Version Disabled or Destroyed Experimental
Splunk High Process Termination Frequency production
Sigma Load Of RstrtMgr.DLL By A Suspicious Process test
Sigma Load Of RstrtMgr.DLL By An Uncommon Process test
Sigma LockerGoga Ransomware Activity stable
Sigma macOS Encryption Tool Usage experimental
Sigma Microsoft 365 - Potential Ransomware Activity test
Sigma Portable Gpg.EXE Execution test
Elastic Potential AWS S3 Bucket Ransomware Note Uploaded production
Sigma Potential Conti Ransomware Activity test
Elastic Potential Linux Ransomware Note Creation Detected production
Elastic Potential Ransomware Behavior - Note Files by System production
Elastic Potential Ransomware Note File Dropped via SMB production
Elastic PowerShell Script with Encryption/Decryption Capabilities production
Kusto Ransom Protect Detected a Ransomware Attack available
Kusto Ransom Protect User Blocked available
Elastic Ransomware - Detected - Elastic Defend production
Elastic Ransomware - Prevented - Elastic Defend production
Kusto Ransomware Attack Detected available
Kusto Ransomware Client Blocked available
Splunk Ransomware Notes bulk creation production
Sigma Renamed Gpg.EXE Execution test
Splunk Ryuk Test Files Detected production
Panther S3 Object Encrypted with External KMS Key
Splunk Samsam Test File Write production
Panther Slack Potentially Malicious File Shared
Kusto SSG_Security_Incidents
Sigma Suspicious Creation TXT File in User Desktop test
Elastic Suspicious Data Encryption via OpenSSL Utility production
Elastic Suspicious File Renamed via SMB production
Sigma Suspicious Reg Add BitLocker test
Elastic Suspicious Renaming of ESXI Files production
Kusto Trend Micro CAS - Ransomware infection available
Kusto Trend Micro CAS - Ransomware outbreak available
Elastic Unusual AWS S3 Object Encryption with SSE-C production
Kusto Votiro - File Blocked in Email
Sigma WannaCry Ransomware Activity test
Splunk Windows .Key File Creation in Root Directory production
Splunk Windows BitLocker Suspicious Command Usage production
Splunk Windows DiskCryptor Usage production

Service Stop T1489 78 rules

Sigma Application Uninstalled test
Elastic Attempt to Deactivate an Okta Application production
Elastic Attempt to Delete an Okta Application production
Elastic Attempt to Disable Auditd Service production
Elastic Attempt to Disable IPTables or Firewall production
Elastic Attempt to Disable Syslog Service production
Elastic AWS EventBridge Rule Disabled or Deleted production
Sigma Azure Application Deleted test
Sigma Azure Container Registry Created or Deleted test
Sigma Azure Kubernetes Cluster Created or Deleted test
Sigma Azure Kubernetes Network Policy Change test
Sigma Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted test
Sigma Azure Kubernetes Secret or Config Object Access test
Sigma Azure Kubernetes Sensitive Role Access test
Sigma Azure Kubernetes Service Account Modified or Deleted test
Elastic Azure Kubernetes Services (AKS) Kubernetes Pods Deleted production
Elastic Azure Resource Group Deleted production
Elastic Azure Storage Account Deletion by Unusual User production
Elastic Azure Storage Account Deletions by User production
Panther Azure Virtual Machine Deleted Experimental
Kusto BTP - Mass user deletion in a sub account available
Kusto BTP - Mass user deletion in SAP Cloud Identity Service available
Kusto Cisco Duo - AD sync failed available
Kusto Critical or High Severity Detections by User available
Elastic Decline in host-based traffic production
Sigma Delete All Scheduled Tasks test
Sigma Delete Important Scheduled Task test
Sigma Disable Important Scheduled Task test
Sigma Disable Or Stop Services test
Elastic Elastic Agent Service Terminated production
Splunk Excessive Attempt To Disable Services production
YARA-L GCP Multiple Service APIs Disabled
Elastic GCP Pub/Sub Subscription Deletion production
Elastic GCP Pub/Sub Topic Deletion production
Elastic High Number of Process and/or Service Terminations production
Elastic High Number of Process Terminations production
Sigma Important Scheduled Task Deleted or Disabled test
Elastic Kill Command Execution production
Splunk Linux Auditd Auditd Service Stop production
Splunk Linux Auditd Osquery Service Stop production
Splunk Linux Auditd Stop Services production
Splunk Linux Auditd Sysmon Service Stop production
Splunk Linux Disable Services production
Splunk Linux Magic SysRq Key Abuse production
Splunk Linux Stop Services production
Sigma macOS Service Disruption Activity experimental
Sigma Mass Process Termination experimental
Sigma Massive processes termination burst experimental
Sigma Massive services deletion burst experimental
Sigma Massive services termination burst experimental
Kusto Multiple Teams deleted by a single user available
Splunk Ollama Abnormal Service Crash Availability Attack experimental
Sigma Potential Abuse of Linux Magic System Request Key experimental
Elastic Process Killing Detected via Defend for Containers production
Sigma Process Terminated Via Taskkill test
Sigma Service deactivation (command) experimental
Elastic Service Disabled via Registry Modification production building block
Splunk Service Stop Commands (PowerShell)
Splunk Service Stop Commands (Sysmon)
Splunk Service Stop Commands (Windows Event Log)
Panther Slack App Removed
Panther Slack EKM Slackbot Unenrolled
Sigma Stop Windows Service Via Net.EXE test
Sigma Stop Windows Service Via PowerShell Stop-Service test
Sigma Stop Windows Service Via Sc.EXE test
Elastic Suspicious Termination of ESXI Process production
Sigma Suspicious Windows Service Tampering test
Splunk Windows - Service Stop (PowerShell)
Splunk Windows - Service Stop (Windows Event Log)
Splunk Windows Excessive Service Stop Attempt production
Splunk Windows Processes Killed By Industroyer2 Malware production
Splunk Windows Security Account Manager Stopped production
Splunk Windows Service Deletion In Registry production
Splunk Windows Service Stop Attempt production
Splunk Windows Service Stop By Deletion production
Splunk Windows Service Stop Win Updates production
Splunk Windows Set Account Password Policy To Unlimited Via Net production
Kusto Workspace deletion activity from an infected device

Inhibit System Recovery T1490 96 rules

Sigma All Backups Deleted Via Wbadmin.EXE test
Sigma Amsi.DLL Load By Uncommon Process test
Splunk ASL AWS Disable Bucket Versioning production
YARA-L AWS Backup Plan Deleted
Splunk AWS Disable Bucket Versioning production
Elastic AWS EC2 EBS Snapshot Access Removed production
Panther AWS RDS Automated Backup Deleted
Panther AWS RDS Deletion Protection Disabled
Elastic AWS RDS Snapshot Deleted production
Elastic AWS S3 Bucket Configuration Deletion production
Sigma AWS S3 Bucket Versioning Disable test
Elastic AWS S3 Object Versioning Suspended production
Elastic Azure Compute Restore Point Collection Deleted by Unusual User production
Elastic Azure Compute Restore Point Collections Deleted production
Elastic Azure Compute Snapshot Deletion by Unusual User and Resource Group production
Elastic Azure Compute Snapshot Deletions by User production
Panther Azure Disk Deleted Experimental
Panther Azure Key Vault Deleted
Panther Azure Key Vault Key Permanently Purged
Panther Azure Key Vault Permanently Purged
Panther Azure Recovery Services Protection Container Deleted
Elastic Azure Recovery Services Resource Deleted production building block
Elastic Azure Resource Group Deleted production
Panther Azure Resource Lock Deleted
Panther Azure Restore Point Collection Deleted
Panther Azure SQL Server Deleted
Panther Azure Storage Account Deleted
Panther Azure Storage Blob CPK Encryption Detected
Panther Azure Storage Blob Deletion
Panther Azure Storage Blob Soft Delete Disabled
Panther Azure Storage Blob Upload FOLLOWED BY CPK Encryption Error
Panther Azure Storage Container Soft Delete Disabled
Panther Azure Storage Immutability Policy Deleted
Panther Azure VM Snapshot Deleted
Elastic Backup Deletion with Wbadmin production
Sigma Backup Files Deleted test
Splunk Bcdedit Command Back To Normal Mode Boot production
Splunk BCDEdit Failure Recovery Modification production
Sigma Boot Configuration Tampering Via Bcdedit.EXE stable
Splunk Change To Safe Mode With Network Config production
Sigma Cisco Modify Configuration test
Kusto CiscoISE - Backup failed available
Sigma Copy From VolumeShadowCopy Via Cmd.EXE test
Splunk Delete ShadowCopy With PowerShell production
Sigma Delete Volume Shadow Copies Via WMI With PowerShell stable
Splunk Deleting Shadow Copies production
Sigma Deletion of Volume Shadow Copies via WMI with PowerShell test
Sigma Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script test
Kusto Detect Malicious Usage of Recovery Tools to Delete Backup Files available
Kusto Detecting UAC bypass - ChangePK and SLUI registry tampering available
Kusto Detecting UAC bypass - elevated COM interface available
Kusto Detecting UAC bypass - modify Windows Store settings available
Splunk Disabling SystemRestore In Registry production
Sigma File Recovery From Backup Via Wbadmin.EXE test
Kusto GCP Audit Logs - Detect Bulk VM Snapshot Deletion available
Elastic Modification of Boot Configuration production
Sigma New File Exclusion Added To Time Machine Via Tmutil - MacOS test
Sigma New Root or CA or AuthRoot Certificate to Store test
Sigma Potential Dtrack RAT Activity stable
Sigma Potential Maze Ransomware Activity test
Kusto Potential Ransomware activity related to Cobalt Strike available
Elastic Potential Ransomware Note File Dropped via SMB production
Elastic Potential System Tampering via File Modification production
Sigma Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load test
Splunk Prevent Automatic Repair Mode using Bcdedit production
Sigma Registry Disable System Restore test
Splunk Resize ShadowStorage volume production
Sigma Sensitive File Access Via Volume Shadow Copy Backup test
Sigma Shadow Copies Deletion Using Operating Systems Utilities stable
Kusto Shadow Copy Deletions available
Kusto SonicWall - Allowed SSH, Telnet, and RDP Connections experimental
Elastic Suspicious File Renamed via SMB production
Sigma Suspicious Volume Shadow Copy VSS_PS.dll Load test
Sigma Suspicious Volume Shadow Copy Vssapi.dll Load test
Sigma System Restore Registry Modification via CommandLine experimental
Elastic Third-party Backup Files Deleted via Unexpected Process production
Sigma Time Machine Backup Deletion Attempt Via Tmutil - MacOS test
Sigma Time Machine Backup Disabled Via Tmutil - MacOS test
Elastic Volume Shadow Copy Deleted or Resized via VssAdmin production
Elastic Volume Shadow Copy Deletion via PowerShell production
Elastic Volume Shadow Copy Deletion via WMIC production
Sigma VSS backup deletion (WMI) experimental
Sigma VSS backup deletion or resize experimental
Sigma VSS backup deletion via WMI (Powershell) experimental
Sigma WannaCry Ransomware Activity test
Splunk WBAdmin Delete System Backups production
Sigma Windows Backup Deleted Via Wbadmin.EXE test
Splunk Windows BitLocker Suspicious Command Usage production
Splunk Windows Cisco Secure Endpoint Related Service Stopped production
Sigma Windows native backup deletion experimental
Sigma Windows native backup size re-configuration experimental
Sigma Windows Recovery Environment Disabled Via Reagentc experimental
Splunk Windows Security And Backup Services Stop production
Splunk Windows Suspicious File in EFI Volume production
Splunk Windows WBAdmin File Recovery From Backup production
Splunk Windows WMIC Shadowcopy Delete production

Defacement T1491 12 rules

Kusto Affected rows stateful anomaly on database available
Elastic AWS S3 Static Site JavaScript File Uploaded production
Kusto BitSight - new alert found available
Kusto BitSight - new breach found available
Kusto F&O - Mass update or deletion of user records available
Splunk Modification Of Wallpaper production
Sigma Potential Ransomware Activity Using LegalNotice Message test
Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
Sigma Potentially Suspicious Desktop Background Change Via Registry test
Kusto Power Automate - Departing employee flow activity available
Sigma Replace Desktop Wallpaper by Powershell test
Splunk Windows Defacement Modify Transcodedwallpaper File production

Defacement: Internal Defacement T1491.001 4 rules

Sigma Potential Ransomware Activity Using LegalNotice Message test
Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
Sigma Potentially Suspicious Desktop Background Change Via Registry test
Sigma Replace Desktop Wallpaper by Powershell test

Defacement: External Defacement T1491.002 1 rule

Elastic AWS S3 Static Site JavaScript File Uploaded production

Firmware Corruption T1495 1 rule

Sigma Cisco Denial of Service test

Resource Hijacking T1496 51 rules

Kusto A host is potentially running a crypto miner (ASIM Web Session schema)
Panther Anthropic Spend Limit Deleted
Elastic AWS Bedrock Provisioned Model Throughput Tampering production
Panther AWS CloudFormation Stack Drift
Panther AWS CloudFormation Stack Termination Protection
Panther AWS DNS Crypto Domain
Panther AWS EC2 Instance Approved AMI
YARA-L AWS GuardDuty Cryptocurrency Activity Detected
YARA-L AWS SES Service Modification
Elastic AWS SNS Rare Protocol Subscription by User production
Elastic AWS SNS Topic Created by Rare User production
Elastic AWS SNS Topic Message Publish by Rare User production
Kusto AWSCloudTrail - Suspicious AWS EC2 Compute Resource Deployments
Sigma Azure Container Registry Created or Deleted test
Kusto Azure DevOps Personal Access Token (PAT) misuse available
Kusto Azure DevOps Service Connection Abuse available
Kusto Azure DevOps Service Connection Addition/Abuse - Historic allow list available
Sigma Azure Kubernetes Cluster Created or Deleted test
Sigma Azure Kubernetes Network Policy Change test
Sigma Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted test
Sigma Azure Kubernetes Secret or Config Object Access test
Sigma Azure Kubernetes Sensitive Role Access test
Sigma Azure Kubernetes Service Account Modified or Deleted test
Kusto Azure Machine Learning Write Operations available
Kusto Chia_Crypto_Mining IOC - June 2021 available
Kusto Cisco Cloud Security - Crypto Miner User-Agent Detected available
Panther Crowdstrike Cryptomining Tools
Kusto Detect CoreBackUp Deletion Activity from related Security Alerts available
Sigma DNS Events Related To Mining Pools test
Kusto DNS events related to mining pools available
Kusto DNS events related to mining pools (ASIM DNS Schema)
Kusto F&O - Reverted bank account number modifications available
Sigma Linux Crypto Mining Indicators test
Sigma Linux Crypto Mining Pool Connections stable
Kusto Medium severity malicious activity detected available
Elastic Memory Swap Modification production
Sigma Monero Crypto Coin Mining Pool Lookup stable
Sigma Network Communication With Crypto Mining Pool stable
Elastic Newly Observed Process Exhibiting High CPU Usage production
Kusto NRT DNS events related to mining pools available
Kusto OCI - Multiple instances launched available
Sigma Potential Crypto Mining Activity stable
Splunk Potential Cryptomining Commands (PowerShell)
Splunk Potential Cryptomining Commands (Sysmon)
Splunk Potential Cryptomining Commands (Windows Event Log)
Elastic Potential Malware-Driven SSH Brute Force Attempt production
Kusto Subscription moved to another tenant
Elastic Suspicious Mining Process Creation Event production
Kusto Suspicious number of resource creation or deployment activities available
Kusto Suspicious Resource deployment available
Kusto VMware ESXi - Unexpected disk image available

Resource Hijacking: Compute Hijacking T1496.001 2 rules

Elastic Memory Swap Modification production
Elastic Newly Observed Process Exhibiting High CPU Usage production

Resource Hijacking: Cloud Service Hijacking T1496.004 5 rules

Panther AWS Bedrock Model Invocation Abnormal Token Usage Experimental
Elastic AWS Bedrock Provisioned Model Throughput Tampering production
Elastic AWS SNS Rare Protocol Subscription by User production
Elastic AWS SNS Topic Created by Rare User production
Elastic AWS SNS Topic Message Publish by Rare User production

Network Denial of Service T1498 46 rules

Kusto Apache - Multiple server errors from single IP available
Kusto Apache - Request from private IP available
YARA-L AWS GuardDuty Denial Of Service Activity Detected
Kusto Azure secure score admin MFA available
Kusto Cisco ASA - average attack detection rate increase available
Kusto Cisco ASA - threat detection message fired available
Kusto DDoS attack detected available
Kusto DDoS Attack IP Addresses - Percent Threshold available
Kusto DDoS Attack IP Addresses - PPS Threshold available
Sigma Deployment Deleted From Kubernetes Cluster test
Splunk Detect ARP Poisoning experimental
Kusto Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) available
Splunk Detect IPv6 Network Infrastructure Threats experimental
Splunk Detect Port Security Violation experimental
Splunk Detect Rogue DHCP Server experimental
Splunk Detect Traffic Mirroring experimental
Kusto Infoblox - Data Exfiltration Attack available
Kusto Infoblox - High Threat Level Query Not Blocked Detected available
Kusto Infoblox - Many High Threat Level Queries From Single Host Detected available
Kusto Infoblox - Many High Threat Level Single Query Detected available
Kusto Infoblox - Many NXDOMAIN DNS Responses Detected available
Kusto Infoblox - SOC Insight Detected - API Source available
Kusto Infoblox - SOC Insight Detected - API Source available
Kusto Infoblox - SOC Insight Detected - CDC Source available
Kusto Infoblox - SOC Insight Detected - CDC Source available
Kusto Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 available
Kusto Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains available
Kusto Infoblox - TI - Syslog Match Found - URL available
Splunk Large Volume of DNS ANY Queries experimental
Kusto NGINX - Multiple server errors from single IP address available
Elastic Nping Process Activity production
Panther Okta Rate Limits
Splunk Ollama Excessive API Requests experimental
Sigma OpenCanary - NTP Monlist Request test
Kusto Oracle - Multiple server errors from single IP available
Elastic Possible Okta DoS Attack production
Sigma Potential BlackByte Ransomware Activity test
Elastic Spike in Firewall Denies production
Elastic Spike in host-based traffic production
Elastic Spike in Network Traffic production
Kusto Tomcat - Multiple server errors from single IP address available
Kusto Tomcat - Server errors after multiple requests from same IP available
Kusto VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
Kusto VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
Kusto VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
Kusto Votiro - File Blocked from Connector

Network Denial of Service: Reflection Amplification T1498.002 1 rule

Splunk Large Volume of DNS ANY Queries experimental

Endpoint Denial of Service T1499 37 rules

Elastic Abnormally Large DNS Response production
Sigma Apache Segmentation Fault test
Kusto API - Rate limiting available
Sigma Audit CVE Event test
Panther AWS RDS Cluster Failover Initiated
Panther AWS RDS Instance or Cluster Rebooted
Panther AWS WAF Managed Anti-DDoS Passthrough Rule
Panther Azure Virtual Network Deleted
Splunk Cisco Secure Firewall - Static Tundra Smart Install Abuse production
Kusto Critical Severity Detection available
Sigma CVE-2024-49113 Exploitation Attempt - LDAP Nightmare experimental
Elastic Decline in host-based traffic production
Splunk ESXi Bulk VM Termination production
Kusto Excessive Amount of Denied Connections from a Single Source available
Kusto Excessive number of failed connections from a single source (ASIM Network Session schema) available
Splunk Linux Magic SysRq Key Abuse production
Sigma LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 experimental
Sigma MFA attack - bombarding a user with SMS for MFA experimental
Kusto Missing Domain Controller Heartbeat
Kusto NGINX - Core Dump available
Sigma Nginx Core Dump test
Sigma NTFS Vulnerability Exploitation test
Splunk Ollama Possible Memory Exhaustion Resource Abuse experimental
Elastic Possible Okta DoS Attack production
Sigma Potential Abuse of Linux Magic System Request Key experimental
Splunk Potential CVE-2024-49113 - LDAPNightmare (Windows Event Log)
Sigma Rapid creation of clients with the dynamic client registration endpoint experimental
Kusto Snowflake - Abnormal query process time available
Elastic Spike in Firewall Denies production
Elastic Spike in host-based traffic production
Kusto Tomcat - Multiple empty requests from same IP available
Kusto Vectra Account's Behaviors available
Kusto Vectra AI Detect - Detections with High Severity available
Kusto Vectra AI Detect - Suspected Compromised Account available
Kusto Vectra AI Detect - Suspected Compromised Host available
Kusto Vectra AI Detect - Suspicious Behaviors by Category available
Kusto Vectra Host's Behaviors available

Endpoint Denial of Service: OS Exhaustion Flood T1499.001 1 rule

Sigma NTFS Vulnerability Exploitation test

Endpoint Denial of Service: Service Exhaustion Flood T1499.002 2 rules

Sigma MFA attack - bombarding a user with SMS for MFA experimental
Elastic Possible Okta DoS Attack production

Endpoint Denial of Service: Application Exhaustion Flood T1499.003 2 rules

Elastic Possible Okta DoS Attack production
Panther Slack Denial of Service via Session Invalidation

Endpoint Denial of Service: Application or System Exploitation T1499.004 4 rules

Elastic Abnormally Large DNS Response production
Sigma Apache Segmentation Fault test
Sigma Audit CVE Event test
Sigma Nginx Core Dump test

System Shutdown/Reboot T1529 35 rules

Elastic Azure Kubernetes Services (AKS) Kubernetes Pods Deleted production
Elastic Azure Resource Group Deleted production
Kusto Azure secure score admin MFA available
Kusto Azure secure score one admin available
Kusto Azure secure score role overlap available
Kusto Azure Secure Score Self Service Password Reset available
Kusto Azure secure score sign in risk policy available
Kusto Azure secure score user risk policy available
Sigma Cisco Denial of Service test
Kusto Claroty - Asset Down available
Kusto Claroty - Critical baseline deviation available
Splunk ESXi Bulk VM Termination production
Sigma ESXi VM Kill Via ESXCLI test
Splunk Linux Magic SysRq Key Abuse production
Splunk Linux System Reboot Via System Request Key production
Sigma macOS Service Disruption Activity experimental
Splunk Microsoft Intune Manual Device Management production
Kusto OCI - Multiple instances terminated available
Kusto OracleDBAudit - Shutdown Server available
Sigma Potential Abuse of Linux Magic System Request Key experimental
Kusto SenservaPro AD Applications Not Using Client Credentials available
Sigma Silence.EDA Detection test
Sigma Suspicious Execution of Shutdown test
Sigma Suspicious Execution of Shutdown to Log Out test
Splunk System Shutdown or Reboot (Windows Event Log)
Sigma System Shutdown/Reboot - Linux test
Sigma System Shutdown/Reboot - MacOs test
Kusto VMware ESXi - Low patch disk space available
Kusto VMware ESXi - Low temp directory space available
Kusto VMware ESXi - Multiple VMs stopped available
Kusto VMware ESXi - VM stopped available
Splunk Windows Common Abused Cmd Shell Risk Behavior production
Splunk Windows System LogOff Commandline production
Splunk Windows System Reboot CommandLine production
Splunk Windows System Shutdown CommandLine production

Account Access Removal T1531 62 rules

Splunk Account Password Changed from Command Line - Windows (PowerShell)
Splunk Account Password Changed from Command Line - Windows (Windows Event Log)
Elastic Account Password Reset Remotely production
Panther Anthropic Organization User Deleted
Panther AppOmni Alert Passthrough
Elastic Attempt to Revoke Okta API Token production
Sigma AWS ElastiCache Security Group Modified or Deleted test
Elastic AWS IAM Deactivation of MFA Device production
Elastic AWS IAM Group Deletion production
Panther AWS RDS Instance or Cluster Deleted Experimental
Sigma AWS SAML Provider Deletion Activity experimental
Sigma Azure Kubernetes Service Account Modified or Deleted test
Kusto BTP - Build Work Zone unauthorized access and role tampering available
Kusto BTP - Mass user deletion in a sub account available
Kusto BTP - Mass user deletion in SAP Cloud Identity Service available
Splunk Cisco ASA - User Account Deleted From Local Database production
Kusto Cisco Duo - Admin user deleted available
Kusto Cisco Duo - Multiple users deleted available
Panther Crowdstrike Allowlist Removed
Panther Crowdstrike API Key Deleted
Panther Databricks Group Deleted Experimental
Panther Databricks User Account Deleted Experimental
Elastic GCP IAM Role Deletion production
Elastic GCP IAM Service Account Key Deletion production
YARA-L GCP Multiple HMAC Keys Deleted
Elastic GCP Service Account Deletion production
Elastic GCP Service Account Disabled production
Elastic GitHub PAT Access Revoked production building block
Elastic GitHub User Blocked From Organization production building block
Sigma Google Cloud Service Account Disabled or Deleted test
Elastic Google Workspace Admin Role Deletion production
Elastic Google Workspace MFA Enforcement Disabled production
Sigma Group Has Been Deleted Via Groupdel test
Sigma IAM Login Profile Deleted test
Kusto Jira - Permission scheme updated available
Kusto Jira - Project roles changed available
Kusto Jira - User removed from group available
Kusto Jira - User removed from project available
Elastic Linux User or Group Deletion production
Elastic Member Removed From GitHub Organization production building block
Kusto Multiple admin membership removals from newly created admin. available
Sigma Okta User Account Locked Out test
Panther OneLogin Multiple Accounts Deleted
Panther OneLogin Multiple Accounts Modified
Sigma Remove Account From Domain Admin Group test
Panther Slack Organization Deleted
Panther Slack Primary Owner Transferred
Panther Slack User Privileges Changed to User
Elastic SSH Authorized Keys File Deletion production
Kusto Threat Essentials - Multiple admin membership removals from newly created admin. available
Sigma User Has Been Deleted Via Userdel test
Sigma User Logoff Event test
Kusto Valimail Enforce - High-Value User Management Event available
Kusto Valimail Enforce - Unusual Rate of Configuration Changes or User Additions available
Splunk Windows Account Access Removal via Logoff Exec production
Splunk Windows Excessive Usage Of Net App production
Splunk Windows Powershell Logoff User via Quser production
Splunk Windows User Deletion Via Net production
Splunk Windows User Disabled Via Net production
Panther Wiz Revoke User Sessions
Panther Zendesk User Suspension Status Changed
Panther ZIA Account Access Removed

Disk Wipe T1561 4 rules

Sigma Cisco File Deletion test
Splunk Microsoft Intune Bulk Wipe production
Splunk Windows Raw Access To Disk Volume Partition production
Splunk Windows Raw Access To Master Boot Record Drive production

Disk Wipe: Disk Content Wipe T1561.001 2 rules

Sigma Cisco File Deletion test
Splunk Microsoft Intune Bulk Wipe production

Disk Wipe: Disk Structure Wipe T1561.002 3 rules

Sigma Cisco File Deletion test
Splunk Windows Raw Access To Disk Volume Partition production
Splunk Windows Raw Access To Master Boot Record Drive production

Data Manipulation T1565 69 rules

Kusto Affected rows stateful anomaly on database available
Elastic Agent Spoofing - Multiple Hosts Using Same Agent production
Panther AppOmni Alert Passthrough
Elastic AWS Bedrock Knowledge Base or RAG Data Source Tampering production
Elastic AWS CloudTrail Log Updated production
Sigma AWS EC2 Disable EBS Encryption stable
Panther AWS EC2 EBS Encryption Disabled
Elastic AWS EC2 Encryption Disabled production
Elastic AWS S3 Static Site JavaScript File Uploaded production
Elastic AWS S3 Unauthenticated Bucket Access by Rare Source production
Kusto AWS Security Hub - Detect CloudTrail trails lacking KMS encryption available
Kusto AWS Security Hub - Detect SQS Queue lacking encryption at rest available
Sigma Azure Device or Configuration Modified or Deleted test
Sigma Azure DNS Zone Modified or Deleted test
Sigma Cisco Denial of Service test
Sigma Cisco Modify Configuration test
Kusto Claroty - Critical baseline deviation available
Sigma Commands to Clear or Remove the Syslog - Builtin test
Kusto Copilot - Jailbreak Attempt Detected available
Kusto Dataverse - Mass record updates available
Elastic Deprecated - M365 Security Compliance Potential Ransomware Activity production
Sigma DNS hosts file modified experimental
Kusto Dynatrace - Problem detection available
Kusto Dynatrace Application Security - Attack detection available
Kusto Dynatrace Application Security - Code-Level runtime vulnerability detection available
Kusto Dynatrace Application Security - Non-critical runtime vulnerability detection available
Kusto Dynatrace Application Security - Third-Party runtime vulnerability detection available
Kusto F&O - Mass update or deletion of user records available
Kusto F&O - Reverted bank account number modifications available
Elastic GitHub Actions Unusual Bot Push to Repository production
Sigma Google Cloud Re-identifies Sensitive Information test
Elastic High Number of Closed Pull Requests by User production
Elastic High Number of Protected Branch Force Pushes by User production
Sigma History File Deletion test
Elastic Hosts File Modified production
Kusto Infoblox - Data Exfiltration Attack available
Kusto Infoblox - High Threat Level Query Not Blocked Detected available
Kusto Infoblox - Many High Threat Level Queries From Single Host Detected available
Kusto Infoblox - Many High Threat Level Single Query Detected available
Kusto Infoblox - Many NXDOMAIN DNS Responses Detected available
Kusto Infoblox - SOC Insight Detected - API Source available
Kusto Infoblox - SOC Insight Detected - API Source available
Kusto Infoblox - SOC Insight Detected - CDC Source available
Kusto Infoblox - SOC Insight Detected - CDC Source available
Kusto Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 available
Kusto Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains available
Kusto Infoblox - TI - Syslog Match Found - URL available
Sigma ISATAP Router Address Was Set experimental
Elastic Kubernetes CoreDNS or Kube-DNS Configuration Modified production
Elastic Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
Sigma macOS Encryption Tool Usage experimental
Kusto Pathlock TDnR - Bank Master Data Changes available
Kusto Pathlock TDnR - Business Partner Bank Data Changes available
Kusto Pathlock TDnR - Credit Card Data Changes available
Kusto Pathlock TDnR - Debitor Change Documents available
Kusto Pathlock TDnR - G/L Account Changes available
Kusto Pathlock TDnR - Generic SAP Change Documents available
Kusto Pathlock TDnR - Generic Table Content Changes available
Kusto Pathlock TDnR - HR User Master Change Requests available
Kusto Pathlock TDnR - IBAN Change Documents available
Kusto Pathlock TDnR - Payment Request Changes available
Kusto Pathlock TDnR - Vendor Change Documents available
Elastic Potential AWS S3 Bucket Ransomware Note Uploaded production
Sigma Potential Suspicious Change To Sensitive/Critical Files test
Sigma Powershell Add Name Resolution Policy Table Rule test
Elastic Several Failed Protected Branch Force Pushes by User production
Elastic Suspicious Sysctl File Event production building block
Kusto Votiro - File Blocked from Connector
Splunk Windows WBAdmin File Recovery From Backup production

Data Manipulation: Stored Data Manipulation T1565.001 26 rules

Elastic AWS Bedrock Knowledge Base or RAG Data Source Tampering production
Elastic AWS CloudTrail Log Updated production
Elastic AWS EC2 Encryption Disabled production
Elastic AWS S3 Static Site JavaScript File Uploaded production
Elastic AWS S3 Unauthenticated Bucket Access by Rare Source production
Kusto AWS Security Hub - Detect CloudTrail trails lacking KMS encryption available
Kusto AWS Security Hub - Detect SQS Queue lacking encryption at rest available
Sigma Azure Device or Configuration Modified or Deleted test
Sigma Azure DNS Zone Modified or Deleted test
Sigma Cisco Denial of Service test
Kusto Claroty - Critical baseline deviation available
Sigma Commands to Clear or Remove the Syslog - Builtin test
Elastic Deprecated - M365 Security Compliance Potential Ransomware Activity production
Elastic GitHub Actions Unusual Bot Push to Repository production
Elastic High Number of Closed Pull Requests by User production
Elastic High Number of Protected Branch Force Pushes by User production
Sigma History File Deletion test
Elastic Hosts File Modified production
Elastic Kubernetes CoreDNS or Kube-DNS Configuration Modified production
Elastic Kubernetes Secret or ConfigMap Access via Azure Arc Proxy production
Sigma macOS Encryption Tool Usage experimental
Elastic Potential AWS S3 Bucket Ransomware Note Uploaded production
Sigma Potential Suspicious Change To Sensitive/Critical Files test
Elastic Several Failed Protected Branch Force Pushes by User production
Elastic Suspicious Sysctl File Event production building block
Splunk Windows WBAdmin File Recovery From Backup production

Data Manipulation: Transmitted Data Manipulation T1565.002 3 rules

Elastic Agent Spoofing - Multiple Hosts Using Same Agent production
Sigma Cisco Modify Configuration test
Sigma ISATAP Router Address Was Set experimental

Financial Theft T1657 1 rule

Elastic AWS S3 Bucket Enumeration or Brute Force production

No specific technique 48 rules

Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation test
Sigma AADInternals PowerShell Cmdlets Execution - PsScript test
Sigma Activity Performed by Terminated User test
Elastic Attempt to Modify an Okta Application production
Sigma AWS EFS Fileshare Modified or Deleted test
Panther AWS S3 Copy Object with Client-Side Encryption
Sigma Azure Application Gateway Modified or Deleted test
Sigma Azure Application Security Group Modified or Deleted test
Sigma Azure Device No Longer Managed or Compliant test
Sigma Azure Firewall Rule Configuration Modified or Deleted test
Sigma Azure Kubernetes Pods Deleted test
Sigma Azure Network Security Configuration Modified or Deleted test
Sigma Azure Point-to-site VPN Modified or Deleted test
Sigma Azure Suppression Rule Created test
Sigma Azure Virtual Network Device Modified or Deleted test
Sigma Azure Virtual Network Modified or Deleted test
Sigma Azure VPN Connection Modified or Deleted test
Elastic Deprecated - M365 Security Compliance User Restricted from Sending Email production
Elastic Detection Alert on a Process Exhibiting CPU Spike production
Sigma GitHub Repository Archive Status Changed experimental
Sigma Google Cloud DNS Zone Modified or Deleted test
Sigma Google Cloud Service Account Modified test
Sigma Google Cloud SQL Database Modified or Deleted test
Sigma Google Cloud Storage Buckets Modified or Deleted test
Sigma Google Cloud VPN Tunnel Modified or Deleted test
Sigma Google Workspace Application Removed test
Sigma Google Workspace MFA Disabled test
Sigma Google Workspace Role Modified or Deleted test
Sigma Google Workspace Role Privilege Deleted test
Sigma Locked Workstation stable
Elastic M365 Purview Insider Risk Signal production building block
Elastic M365 Purview Security Compliance Signal production building block
Elastic Multiple Alerts on a Host Exhibiting CPU Spike production
Sigma Okta API Token Revoked test
Sigma Okta Application Modified or Deleted test
Sigma Okta Application Sign-On Policy Modified or Deleted test
Sigma Okta Network Zone Deactivated or Deleted test
Sigma Okta Policy Modified or Deleted test
Sigma Okta Policy Rule Modified or Deleted test
Sigma Okta Unauthorized Access to App test
Sigma OneLogin User Account Locked test
Sigma OneLogin User Assumed Another User test
Sigma Potential Active Directory Enumeration Using AD Module - ProcCreation test
Sigma Potential Active Directory Enumeration Using AD Module - PsModule test
Sigma Potential Active Directory Enumeration Using AD Module - PsScript test
Kusto RSA ID Plus - Locked Administrator Account Detected available
Sigma Suspicious Log Entries test
Sigma Suspicious MacOS Firmware Activity test

MITRE ATT&CK Mobile

Initial Access

Drive-By Compromise T1456 1 rule

Kusto Dataverse - TI map URL to DataverseActivity available

Supply Chain Compromise T1474 2 rules

Kusto Dataverse - TI map URL to DataverseActivity available
Kusto Quokka - Malicious Results Detected available

Phishing T1660 1 rule

Kusto Lookout - Critical Smishing and Phishing Alerts (v2) available

Execution

Command and Scripting Interpreter T1623 1 rule

Kusto Quokka - Malicious Results Detected available

Persistence

Foreground Persistence T1541 1 rule

Kusto Quokka - Malicious Results Detected available

Event Triggered Execution T1624 1 rule

Kusto Quokka - Malicious Results Detected available

Hijack Execution Flow T1625 1 rule

Kusto Quokka - Malicious Results Detected available

Privilege Escalation

Exploitation for Privilege Escalation T1404 1 rule

Kusto Dataverse - Suspicious security role modifications available

Abuse Elevation Control Mechanism T1626 2 rules

Kusto Dataverse - Suspicious security role modifications available
Kusto Lookout - Critical Audit and Policy Changes (v2) available

Process Injection T1631 1 rule

Kusto Quokka - Malicious Results Detected available

Defense Evasion

Obfuscated Files or Information T1406 1 rule

Kusto Quokka - Malicious Results Detected available

Input Injection T1516 1 rule

Kusto Quokka - Malicious Results Detected available

Foreground Persistence T1541 1 rule

Kusto Quokka - Malicious Results Detected available

Hooking T1617 1 rule

Kusto Quokka - Malicious Results Detected available

Execution Guardrails T1627 1 rule

Kusto Quokka - Malicious Results Detected available

Hide Artifacts T1628 1 rule

Kusto Quokka - Malicious Results Detected available

Impair Defenses T1629 7 rules

Kusto Dataverse - Guest user exfiltration following Power Platform defense impairment available
Kusto Dataverse - Removal of blocked file extensions available
Kusto Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection available
Kusto Lookout - Critical Audit and Policy Changes (v2) available
Kusto Lookout - Device Compliance and Security Status Changes (v2) available
Kusto Lookout - High Severity Mobile Threats Detected (v2) available
Kusto Quokka - Malicious Results Detected available

Indicator Removal on Host T1630 2 rules

Kusto Lookout - High Severity Mobile Threats Detected (v2) available
Kusto Quokka - Malicious Results Detected available

Process Injection T1631 1 rule

Kusto Quokka - Malicious Results Detected available

Virtualization/Sandbox Evasion T1633 1 rule

Kusto Quokka - Malicious Results Detected available

Masquerading T1655 1 rule

Kusto Lookout - Device Compliance and Security Status Changes (v2) available

Credential Access

Clipboard Data T1414 1 rule

Kusto Quokka - Malicious Results Detected available

Input Capture T1417 2 rules

Kusto Lookout - Critical Smishing and Phishing Alerts (v2) available
Kusto Quokka - Malicious Results Detected available

Access Notifications T1517 1 rule

Kusto Quokka - Malicious Results Detected available

Credentials from Password Store T1634 1 rule

Kusto Quokka - Malicious Results Detected available

Steal Application Access Token T1635 2 rules

Kusto Dataverse - New Dataverse application user activity type available
Kusto Quokka - Malicious Results Detected available

Discovery

Software Discovery T1418 3 rules

Kusto Lookout - Device Compliance and Security Status Changes (v2) available
Kusto Lookout - High Severity Mobile Threats Detected (v2) available
Kusto Quokka - Malicious Results Detected available

System Network Configuration Discovery T1422 1 rule

Kusto Quokka - Malicious Results Detected available

Network Service Scanning T1423 1 rule

Kusto Lookout - Critical Smishing and Phishing Alerts (v2) available

Process Discovery T1424 2 rules

Kusto Lookout - High Severity Mobile Threats Detected (v2) available
Kusto Quokka - Malicious Results Detected available

Location Tracking T1430 1 rule

Kusto Quokka - Malicious Results Detected available

Lateral Movement

Exploitation of Remote Services T1428 1 rule

Kusto Dataverse - TI map IP to DataverseActivity available

Collection

Stored Application Data T1409 1 rule

Kusto Quokka - Malicious Results Detected available

Clipboard Data T1414 1 rule

Kusto Quokka - Malicious Results Detected available

Input Capture T1417 2 rules

Kusto Lookout - Critical Smishing and Phishing Alerts (v2) available
Kusto Quokka - Malicious Results Detected available

Audio Capture T1429 1 rule

Kusto Quokka - Malicious Results Detected available

Location Tracking T1430 1 rule

Kusto Quokka - Malicious Results Detected available

Video Capture T1512 1 rule

Kusto Quokka - Malicious Results Detected available

Screen Capture T1513 1 rule

Kusto Quokka - Malicious Results Detected available

Access Notifications T1517 1 rule

Kusto Quokka - Malicious Results Detected available

Archive Collected Data T1532 1 rule

Kusto Quokka - Malicious Results Detected available

Call Control T1616 1 rule

Kusto Quokka - Malicious Results Detected available

Protected User Data T1636 1 rule

Kusto Quokka - Malicious Results Detected available

Protected User Data: Contact List T1636.003 1 rule

Panther Wiz Update Support Contact List

Adversary-in-the-Middle T1638 1 rule

Kusto Quokka - Malicious Results Detected available

Command and Control

Web Service T1481 1 rule

Kusto Quokka - Malicious Results Detected available

Non-Standard Port T1509 1 rule

Kusto Quokka - Malicious Results Detected available

Ingress Tool Transfer T1544 1 rule

Kusto Quokka - Malicious Results Detected available

Call Control T1616 1 rule

Kusto Quokka - Malicious Results Detected available

Exfiltration

Exfiltration Over Alternative Protocol T1639 1 rule

Kusto Dataverse - Terminated employee exfiltration over email available

Impact

Data Encrypted for Impact T1471 1 rule

Kusto Quokka - Malicious Results Detected available

Input Injection T1516 1 rule

Kusto Quokka - Malicious Results Detected available

SMS Control T1582 1 rule

Kusto Quokka - Malicious Results Detected available

Call Control T1616 1 rule

Kusto Quokka - Malicious Results Detected available

Account Access Removal T1640 1 rule

Kusto Quokka - Malicious Results Detected available

Data Manipulation T1641 2 rules

Kusto Dataverse - Mass record updates available
Kusto Quokka - Malicious Results Detected available

Endpoint Denial of Service T1642 1 rule

Kusto Quokka - Malicious Results Detected available

Generate Traffic from Victim T1643 1 rule

Kusto Quokka - Malicious Results Detected available

MITRE ATT&CK ICS

Initial Access

Exploit Public-Facing Application T0819 3 rules

Kusto Dataverse - New user agent type that was not used before available
Kusto Dataverse - TI map URL to DataverseActivity available
Kusto Radiflow - Exploit Detected available

External Remote Services T0822 1 rule

Kusto Radiflow - Unauthorized Internet Access available

Rogue Master T0848 1 rule

Kusto Radiflow - New Activity Detected available

Supply Chain Compromise T0862 1 rule

Kusto Dataverse - TI map URL to DataverseActivity available

Spearphishing Attachment T0865 5 rules

Kusto Dataverse - TI map URL to DataverseActivity available
Kusto Mimecast Secure Email Gateway - Attachment Protect available
Kusto Mimecast Secure Email Gateway - Attachment Protect
Kusto Mimecast Targeted Threat Protection - Attachment Protect available
Kusto Mimecast Targeted Threat Protection - URL Protect available

Exploitation of Remote Services T0866 5 rules

Kusto Cynerio - Exploitation Attempt of IoT device
Kusto Cynerio - Medical device scanning
Kusto Cynerio - Suspicious Connection to External Address
Kusto Dataverse - New user agent type that was not used before available
Kusto Radiflow - Exploit Detected available

Internet Accessible Device T0883 1 rule

Kusto Radiflow - Unauthorized Internet Access available

Remote Services T0886 4 rules

Kusto Dataverse - TI map IP to DataverseActivity available
Kusto Internet Access (Microsoft Defender for IoT) available
Kusto Radiflow - Policy Violation Detected available
Kusto Unauthorized remote access to the network (Microsoft Defender for IoT) available

Execution

Native API T0834 1 rule

Kusto Dataverse - Anomalous application user activity available

Scripting T0853 7 rules

Kusto App Gateway WAF - XSS Detection available
Kusto Application Gateway WAF - XSS Detection
Kusto Egress Defend - Dangerous Attachment Detected available
Kusto Egress Defend - Dangerous Link Click available
Kusto Front Door Premium WAF - XSS Detection available
Kusto KnowBe4 Defend - Dangerous Attachment Detected available
Kusto KnowBe4 Defend - Dangerous Link Click available

Change Operating Mode T0858 4 rules

Kusto PLC Stop Command (Microsoft Defender for IoT) available
Kusto PLC unsecure key state (Microsoft Defender for IoT) available
Kusto Radiflow - Policy Violation Detected available
Kusto Radiflow - Unauthorized Command in Operational Device available

User Execution T0863 4 rules

Kusto Dataverse - Executable uploaded to SharePoint document management site available
Kusto Dataverse - TI map URL to DataverseActivity available
Kusto Egress Defend - Dangerous Attachment Detected available
Kusto KnowBe4 Defend - Dangerous Attachment Detected available

Execution through API T0871 5 rules

Kusto Dataverse - Anomalous application user activity available
Kusto Dataverse - New Dataverse application user activity type available
Kusto External Fabric Module XFM1 is unhealthy
Kusto Power Platform - Connector added to a sensitive environment available
Kusto Pure Controller Failed

Persistence

Module Firmware T0839 1 rule

Kusto Unauthorized PLC changes (Microsoft Defender for IoT) available

System Firmware T0857 2 rules

Kusto Firmware Updates (Microsoft Defender for IoT) available
Kusto Radiflow - Unauthorized Command in Operational Device available

Valid Accounts T0859 7 rules

Kusto BTP - User added to Cloud Identity Service privileged Administrators list available
Kusto BTP - User added to sensitive privileged role collection available
Kusto Dataverse - Anomalous application user activity available
Kusto Dataverse - New non-interactive identity granted access available
Kusto Dataverse - TI map IP to DataverseActivity available
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available

Project File Infection T0873 3 rules

Kusto BTP - Malware detected in BAS dev space available
Kusto Dataverse - Executable uploaded to SharePoint document management site available
Kusto Dataverse - TI map URL to DataverseActivity available

Modify Program T0889 1 rule

Kusto Radiflow - Policy Violation Detected available

Privilege Escalation

Exploitation for Privilege Escalation T0890 4 rules

Kusto App Gateway WAF - SQLi Detection available
Kusto Application Gateway WAF - SQLi Detection
Kusto Front Door Premium WAF - SQLi Detection available
Kusto Radiflow - Exploit Detected available

Evasion

Rootkit T0851 1 rule

Kusto Radiflow - Suspicious Malicious Activity Detected available

Change Operating Mode T0858 4 rules

Kusto PLC Stop Command (Microsoft Defender for IoT) available
Kusto PLC unsecure key state (Microsoft Defender for IoT) available
Kusto Radiflow - Policy Violation Detected available
Kusto Radiflow - Unauthorized Command in Operational Device available

Discovery

Network Connection Enumeration T0840 1 rule

Kusto Radiflow - Network Scanning Detected available

Network Sniffing T0842 4 rules

Kusto High bandwidth in the network (Microsoft Defender for IoT) available
Kusto Multiple scans in the network (Microsoft Defender for IoT) available
Kusto Unauthorized device in the network (Microsoft Defender for IoT) available
Kusto Unauthorized DHCP configuration in the network (Microsoft Defender for IoT) available

Remote System Discovery T0846 1 rule

Kusto Radiflow - Network Scanning Detected available

Remote System Information Discovery T0888 1 rule

Kusto Radiflow - Network Scanning Detected available

Lateral Movement

Program Download T0843 2 rules

Kusto Radiflow - Policy Violation Detected available
Kusto Radiflow - Unauthorized Command in Operational Device available

Valid Accounts T0859 7 rules

Kusto BTP - User added to Cloud Identity Service privileged Administrators list available
Kusto BTP - User added to sensitive privileged role collection available
Kusto Dataverse - Anomalous application user activity available
Kusto Dataverse - New non-interactive identity granted access available
Kusto Dataverse - TI map IP to DataverseActivity available
Kusto F&O - Bank account change following network alias reassignment available
Kusto F&O - Non-interactive account mapped to self or sensitive privileged user available

Exploitation of Remote Services T0866 5 rules

Kusto Cynerio - Exploitation Attempt of IoT device
Kusto Cynerio - Medical device scanning
Kusto Cynerio - Suspicious Connection to External Address
Kusto Dataverse - New user agent type that was not used before available
Kusto Radiflow - Exploit Detected available

Remote Services T0886 4 rules

Kusto Dataverse - TI map IP to DataverseActivity available
Kusto Internet Access (Microsoft Defender for IoT) available
Kusto Radiflow - Policy Violation Detected available
Kusto Unauthorized remote access to the network (Microsoft Defender for IoT) available

Collection

Program Upload T0845 1 rule

Kusto Radiflow - Policy Violation Detected available

Command and Control

Connection Proxy T0884 1 rule

Sigma Network proxy configuration changed experimental

Commonly Used Port T0885 1 rule

Kusto Votiro - File Blocked in Email

Inhibit Response Function

Denial of Service T0814 1 rule

Kusto Denial of Service (Microsoft Defender for IoT) available

Device Restart/Shutdown T0816 1 rule

Kusto Radiflow - Unauthorized Command in Operational Device available

Rootkit T0851 1 rule

Kusto Radiflow - Suspicious Malicious Activity Detected available

System Firmware T0857 2 rules

Kusto Firmware Updates (Microsoft Defender for IoT) available
Kusto Radiflow - Unauthorized Command in Operational Device available

Service Stop T0881 1 rule

Kusto No traffic on Sensor Detected (Microsoft Defender for IoT) available

Impair Process Control

Brute Force I/O T0806 1 rule

Kusto Excessive Login Attempts (Microsoft Defender for IoT) available

Modify Parameter T0836 1 rule

Kusto Radiflow - Unauthorized Command in Operational Device available

Module Firmware T0839 1 rule

Kusto Unauthorized PLC changes (Microsoft Defender for IoT) available

Unauthorized Command Message T0855 3 rules

Kusto Illegal Function Codes for ICS traffic (Microsoft Defender for IoT) available
Kusto Radiflow - Policy Violation Detected available
Kusto Radiflow - Unauthorized Command in Operational Device available

Impact

Denial of Control T0813 3 rules

Kusto BTP - Mass user deletion in a sub account available
Kusto BTP - Mass user deletion in SAP Cloud Identity Service available
Kusto Power Automate - Departing employee flow activity available

Loss of Availability T0826 4 rules

Kusto BTP - Mass user deletion in a sub account available
Kusto BTP - Mass user deletion in SAP Cloud Identity Service available
Kusto Power Apps - Multiple apps deleted available
Kusto Power Automate - Departing employee flow activity available

Loss of Control T0827 2 rules

Kusto BTP - Mass user deletion in a sub account available
Kusto BTP - Mass user deletion in SAP Cloud Identity Service available

Loss of Productivity and Revenue T0828 2 rules

Kusto F&O - Reverted bank account number modifications available
Kusto Power Automate - Unusual bulk deletion of flow resources available

Manipulation of Control T0831 1 rule

Kusto F&O - Reverted bank account number modifications available

Loss of Protection T0837 1 rule

Kusto Votiro - File Blocked from Connector

Damage to Property T0879 1 rule

Kusto Power Automate - Departing employee flow activity available

Theft of Operational Information T0882 2 rules

Kusto Radiflow - Unauthorized Internet Access available
Kusto Suspicious malware found in the network (Microsoft Defender for IoT) available

Initial Access MITRE ATLAS

AI Supply Chain Compromise: Model AML.T0010.003 1 rule

Elastic Ollama DNS Query to Untrusted Domain production building block

Evade AI Model AML.T0015 2 rules

Elastic AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User production
Elastic AWS Bedrock Detected Multiple Validation Exception Errors by a Single User production

AI Model Access MITRE ATLAS

AI Model Inference API Access AML.T0040 1 rule

Elastic Ollama API Accessed from External Network production

Full AI Model Access AML.T0044 2 rules

Elastic Ollama API Accessed from External Network production
Elastic Potential Azure OpenAI Model Theft production

Execution MITRE ATLAS

LLM Prompt Injection AML.T0051 8 rules

Elastic AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request production
Elastic AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session production
Elastic AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session production
Splunk MCP Prompt Injection production
Elastic Unusual High Confidence Content Filter Blocks Detected production
Elastic Unusual High Denied Sensitive Information Policy Blocks Detected production
Elastic Unusual High Denied Topic Blocks Detected production
Elastic Unusual High Word Policy Blocks Detected production

AI Agent Tool Invocation AML.T0053 2 rules

Elastic GenAI or MCP Server Child Process Execution production building block
Elastic GenAI Process Compiling or Generating Executables production

Privilege Escalation MITRE ATLAS

AI Agent Tool Invocation AML.T0053 2 rules

Elastic GenAI or MCP Server Child Process Execution production building block
Elastic GenAI Process Compiling or Generating Executables production

LLM Jailbreak AML.T0054 7 rules

Elastic AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request production
Elastic AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session production
Elastic AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session production
Elastic Unusual High Confidence Content Filter Blocks Detected production
Elastic Unusual High Denied Sensitive Information Policy Blocks Detected production
Elastic Unusual High Denied Topic Blocks Detected production
Elastic Unusual High Word Policy Blocks Detected production

Defense Evasion MITRE ATLAS

Evade AI Model AML.T0015 2 rules

Elastic AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User production
Elastic AWS Bedrock Detected Multiple Validation Exception Errors by a Single User production

LLM Jailbreak AML.T0054 7 rules

Elastic AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request production
Elastic AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session production
Elastic AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session production
Elastic Unusual High Confidence Content Filter Blocks Detected production
Elastic Unusual High Denied Sensitive Information Policy Blocks Detected production
Elastic Unusual High Denied Topic Blocks Detected production
Elastic Unusual High Word Policy Blocks Detected production

Credential Access MITRE ATLAS

Unsecured Credentials AML.T0055 1 rule

Elastic GenAI Process Accessing Sensitive Files production

Collection MITRE ATLAS

Data from AI Services AML.T0085 1 rule

Elastic GenAI Process Accessing Sensitive Files production

Data from AI Services: AI Agent Tools AML.T0085.001 1 rule

Elastic GenAI Process Accessing Sensitive Files production

Exfiltration MITRE ATLAS

Exfiltration via AI Inference API AML.T0024 1 rule

Elastic AWS Bedrock High-Frequency Single-Model Inference API Probing production

Exfiltration via AI Inference API: Infer Training Data Membership AML.T0024.000 1 rule

Elastic AWS Bedrock High-Frequency Single-Model Inference API Probing production

Exfiltration via AI Agent Tool Invocation AML.T0086 3 rules

Elastic GenAI Process Connection to Suspicious Top Level Domain production
Elastic GenAI Process Connection to Unusual Domain production
Elastic GenAI Process Performing Encoding/Chunking Prior to Network Activity production

Impact MITRE ATLAS

Evade AI Model AML.T0015 2 rules

Elastic AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User production
Elastic AWS Bedrock Detected Multiple Validation Exception Errors by a Single User production

Denial of AI Service AML.T0029 1 rule

Elastic Potential Denial of Azure OpenAI ML Service production

Cost Harvesting AML.T0034 2 rules

Elastic AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User production
Elastic AWS Bedrock Detected Multiple Validation Exception Errors by a Single User production

Spamming AI System with Chaff Data AML.T0046 1 rule

Elastic AWS Bedrock Detected Multiple Validation Exception Errors by a Single User production

Credential Phishing Sublime email taxonomy

Credential Phishing 1 rule

Sublime MQL Link: Tycoon2FA phishing kit (non-exhaustive)

Encryption 12 rules

Sublime MQL Attachment: Encrypted PDF With Credential Harvesting Indicators
Sublime MQL Attachment: Encrypted PDF with credential theft body
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: Password-protected PDF with fake document indicators
Sublime MQL Attachment: PDF with password in filename matching body text
Sublime MQL Attachment: PDF with recipient email in link
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Link: Base64 encoded recipient address in URL fragment with subject hash
Sublime MQL Link: Excessive URL rewrite encoders
Sublime MQL Link: Suspicious Family fragment parameter with encoded recipient data

Evasion 306 rules

Sublime MQL Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
Sublime MQL Attachment: Any HTML file within archive (unsolicited)
Sublime MQL Attachment: Archive containing HTML file with file scheme link
Sublime MQL Attachment: Calendar file with invisible Unicode characters
Sublime MQL Attachment: DOCX with hyperlink targeting recipient address
Sublime MQL Attachment: Double base64-encoded zip file in HTML smuggling attachment
Sublime MQL Attachment: EML containing a base64 encoded script
Sublime MQL Attachment: EML file contains HTML attachment with login portal indicators
Sublime MQL Attachment: EML file with HTML attachment (unsolicited)
Sublime MQL Attachment: EML file with IPFS links
Sublime MQL Attachment: EML with embedded Javascript in SVG file
Sublime MQL Attachment: EML with link to credential phishing page
Sublime MQL Attachment: EML with QR code redirecting to Cloudflare challenges
Sublime MQL Attachment: EML with SharePoint files shared from GoDaddy federated tenants
Sublime MQL Attachment: EML with Sharepoint link likely unrelated to sender
Sublime MQL Attachment: EML with suspicious indicators
Sublime MQL Attachment: Encrypted PDF With Credential Harvesting Indicators
Sublime MQL Attachment: Encrypted PDF with credential theft body
Sublime MQL Attachment: Excel file with suspicious template identifier
Sublime MQL Attachment: Excel Web Query File (IQY)
Sublime MQL Attachment: Fake attachment image lure
Sublime MQL Attachment: Finance themed PDF with observed phishing template
Sublime MQL Attachment: HTML attachment with Javascript location
Sublime MQL Attachment: HTML file contains exclusively Javascript
Sublime MQL Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Sublime MQL Attachment: HTML file with excessive padding and suspicious patterns
Sublime MQL Attachment: HTML smuggling 'body onload' linking to suspicious destination
Sublime MQL Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with base64 encoded ZIP file
Sublime MQL Attachment: HTML smuggling with concatenation obfuscation
Sublime MQL Attachment: HTML smuggling with decimal encoding
Sublime MQL Attachment: HTML smuggling with embedded base64-encoded ISO
Sublime MQL Attachment: HTML smuggling with eval and atob
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Sublime MQL Attachment: HTML smuggling with fromCharCode and other signals
Sublime MQL Attachment: HTML smuggling with hex strings
Sublime MQL Attachment: HTML smuggling with raw array buffer
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: HTML smuggling with setTimeout
Sublime MQL Attachment: HTML smuggling with unescape
Sublime MQL Attachment: HTML with emoji-to-character map
Sublime MQL Attachment: HTML with hidden body
Sublime MQL Attachment: HTML with JavaScript functions for HTTP requests
Sublime MQL Attachment: ICS calendar file with base64 encoded recipient address in URL parameters
Sublime MQL Attachment: ICS calendar file with QR code containing recipient email address
Sublime MQL Attachment: ICS calendar file with suspicious product identifier
Sublime MQL Attachment: ICS calendar with embedded file from internal sender with SPF failure
Sublime MQL Attachment: ICS file with AWS Lambda URL
Sublime MQL Attachment: ICS file with non-Gregorian calendar scale
Sublime MQL Attachment: ICS with embedded Javascript in SVG file
Sublime MQL Attachment: ICS with employee policy review lure
Sublime MQL Attachment: JPEG with gd-jpeg creator and suspicious file name
Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Attachment: Link file with UNC path
Sublime MQL Attachment: Link to Doubleclick.net open redirect
Sublime MQL Attachment: Macro files containing MHT content
Sublime MQL Attachment: Malformed OLE file
Sublime MQL Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Sublime MQL Attachment: Office file contains OLE relationship to credential phishing page
Sublime MQL Attachment: Office file with credential phishing URLs
Sublime MQL Attachment: Office file with document sharing and browser instruction lures
Sublime MQL Attachment: Password-protected PDF with fake document indicators
Sublime MQL Attachment: PDF Attachment with links to workers.dev
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF proposal with credential theft indicators
Sublime MQL Attachment: PDF with a suspicious string and single URL
Sublime MQL Attachment: PDF with multistage landing - ClickUp abuse
Sublime MQL Attachment: PDF with password in filename matching body text
Sublime MQL Attachment: PDF with ReportLab library and default metadata
Sublime MQL Attachment: PDF with self-service platform links with self sender or blank recipients
Sublime MQL Attachment: PDF with split QR code
Sublime MQL Attachment: PDF with suspicious HeadlessChrome metadata
Sublime MQL Attachment: PDF with suspicious language and redirect to suspicious file type
Sublime MQL Attachment: PDF with suspicious link and action-oriented language
Sublime MQL Attachment: PDF with suspicious view document characteristics
Sublime MQL Attachment: QR code link with base64-encoded recipient address
Sublime MQL Attachment: QR code with encoded recipient targeting and redirect indicators
Sublime MQL Attachment: QR code with recipient targeting and special characters
Sublime MQL Attachment: QR code with suspicious URL patterns in EML file
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
Sublime MQL Attachment: RTF file with suspicious link
Sublime MQL Attachment: Self-sender PDF with minimal content and view prompt
Sublime MQL Attachment: Small text file with link containing recipient email address
Sublime MQL Attachment: Suspicious employee policy update document lure
Sublime MQL Attachment: Suspicious PDF created with headless browser
Sublime MQL Attachment: SVG file with HTML entity encoded href attributes
Sublime MQL Attachment: SVG file with hyperlinks and cursor styling
Sublime MQL Attachment: SVG files with evasion elements
Sublime MQL Attachment: Web files with suspicious comments
Sublime MQL Attachment: XLSX file with suspicious print titles metadata
Sublime MQL Benefits enrollment impersonation
Sublime MQL Body HTML: Recipient SLD in HTML class
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Body: HTML whitespace stuffing with short initial message
Sublime MQL Body: Suspicious date format
Sublime MQL Body: Yellow highlighted text markers
Sublime MQL Brand impersonation: Coinbase with suspicious links
Sublime MQL Brand impersonation: DocuSign with embedded QR code
Sublime MQL Brand impersonation: File sharing notification with template artifacts
Sublime MQL Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
Sublime MQL Brand impersonation: Microsoft Planner with suspicious link
Sublime MQL Brand impersonation: QuickBooks notification from Intuit themed company name
Sublime MQL Brand Impersonation: ShareFile
Sublime MQL Brand impersonation: SharePoint PDF attachment with credential theft language
Sublime MQL Brand impersonation: Stripe notification
Sublime MQL Brand impersonation: Zoom
Sublime MQL Canva design with suspicious embedded link
Sublime MQL Credential Phishing via Dropbox comment abuse
Sublime MQL Credential phishing: Generic document share template
Sublime MQL Credential phishing: Generic document sharing
Sublime MQL Credential phishing: Hyper-linked image leading to free file host
Sublime MQL Credential phishing: Image as content, short or no body contents
Sublime MQL Credential Phishing: Suspicious language, link, recipients and other indicators
Sublime MQL Credential Phishing: W-2 lure with inline SVG Windows logo
Sublime MQL Credential theft with 'safe content' deception and social engineering topics
Sublime MQL Cyrillic vowel substitution in subject or display name from unknown sender
Sublime MQL Cyrillic vowel substitutions with suspicious subject from unknown sender
Sublime MQL EML attachment with credential theft language (unknown sender)
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Fake shipping notification with suspicious language
Sublime MQL Fake thread with suspicious indicators
Sublime MQL Fake warning banner using confusable characters
Sublime MQL Fake Zoho Sign template abuse
Sublime MQL Fake Zoom meeting invite with suspicious link
Sublime MQL Generic service abuse from newly registered domain
Sublime MQL Google Drive direct download link from unsolicited sender
Sublime MQL Google presentation open redirect phishing
Sublime MQL Google services using g.co shortlinks
Sublime MQL Hardbacon infrastructure abuse
Sublime MQL Headers: Fake in-reply-to with wildcard sender and missing thread context
Sublime MQL Headers: Invalid recipient domain with mismatched reply-to from new sender
Sublime MQL Headers: iOS/iPadOS mailer with invalid build number
Sublime MQL Headers: Outlook Express mailer
Sublime MQL Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL HTML content with print styling and credential theft language
Sublime MQL HTML smuggling containing recipient email address
Sublime MQL HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Impersonation: SharePoint reply header anomaly
Sublime MQL Inline image as message with attachment or link
Sublime MQL Issuu document with suspicious embedded link
Sublime MQL Link to a domain with punycode characters
Sublime MQL Link: .onion From Unsolicited Sender
Sublime MQL Link: Abused Adobe Express
Sublime MQL Link: Adobe share from unsolicited sender
Sublime MQL Link: Adobe share with suspicious indicators
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: Apple TestFlight from suspicious sender
Sublime MQL Link: Base64 encoded recipient address in URL fragment with hex subdomain
Sublime MQL Link: Base64 encoded recipient address in URL fragment with subject hash
Sublime MQL Link: Common hidden directory observed
Sublime MQL Link: Concatenated display text concealing duplicate URLs with PDF reference
Sublime MQL Link: Credential harvesting with excess padding evasion
Sublime MQL Link: Credential phishing link with undisclosed recipients
Sublime MQL Link: Credential theft with Cloudflare tunnel and recipient targeting
Sublime MQL Link: Credential theft with invisible Unicode character in page title from unsolicited sender
Sublime MQL Link: Direct link to gamma.app document with mode parameter
Sublime MQL Link: Direct link to keap.app contact-us page
Sublime MQL Link: Display text matches subject line
Sublime MQL Link: Display text with excessive right-to-left mark characters
Sublime MQL Link: Excessive URL rewrite encoders
Sublime MQL Link: Executable file download with suspicious message content
Sublime MQL Link: Figma design deck with credential theft language
Sublime MQL Link: File sharing pretext with suspicious body and link
Sublime MQL Link: Flagged bit.ly link
Sublime MQL Link: Free file hosting with undisclosed recipients
Sublime MQL Link: Google Cloud Storage with suspicious URL pattern
Sublime MQL Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
Sublime MQL Link: GoPhish query param values
Sublime MQL Link: Hotel booking spoofed display URL
Sublime MQL Link: HTML file with suspicious binary fragment ending pattern
Sublime MQL Link: IPv4-mapped IPv6 address obfuscation
Sublime MQL Link: JavaScript obfuscation with Telegram bot integration
Sublime MQL Link: Mamba 2FA phishing kit
Sublime MQL Link: Microsoft device code authentication with suspicious indicators
Sublime MQL Link: Microsoft Dynamics 365 form phishing
Sublime MQL Link: Microsoft protected message with matching sender and recipient addresses
Sublime MQL Link: Mixed case HTTPS protocol
Sublime MQL Link: Multiple HTTP protocols in single URL
Sublime MQL Link: Multistage landing - Abused Adobe frame.io
Sublime MQL Link: Multistage landing - Abused Docusign
Sublime MQL Link: Multistage landing - Abused Google Drive
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Multistage landing - JotForm abuse
Sublime MQL Link: Multistage landing - Ludus presentation
Sublime MQL Link: Multistage landing - Scribd document
Sublime MQL Link: Non-standard port 8443 in display URL
Sublime MQL Link: Numeric IP obfuscation in URL
Sublime MQL Link: Obfuscation via userinfo with excessive URL padding
Sublime MQL Link: Obfuscation via userinfo with suspicious indicators
Sublime MQL Link: PDF display text with fake copyright claim template
Sublime MQL Link: PDF file disguised as HTML page
Sublime MQL Link: PDF filename impersonation with credential theft language
Sublime MQL Link: QR code in EML attachment with credential phishing indicators
Sublime MQL Link: Recipient email address in 'eta' parameter
Sublime MQL Link: Referrer anonymization service from untrusted sender
Sublime MQL Link: Scribd fullscreen link from suspicious sender
Sublime MQL Link: Secure SharePoint file share from new or unusual sender
Sublime MQL Link: Self-sender credential theft with configuration placeholder
Sublime MQL Link: Self-sender with sender org in subject and credential theft indicator
Sublime MQL Link: Self-sent message with quarterly document review request
Sublime MQL Link: Self-sent PDF lure with subject correlation
Sublime MQL Link: SharePoint files shared from GoDaddy federated tenants
Sublime MQL Link: SharePoint OneNote or PDF link with self sender behavior
Sublime MQL Link: Shortened URL with fragment matching subject
Sublime MQL Link: Single character path with credential theft body and self sender behavior or invalid recipient
Sublime MQL Link: Suspicious Family fragment parameter with encoded recipient data
Sublime MQL Link: Suspicious go.php redirect with document lure
Sublime MQL Link: Suspicious SharePoint document name
Sublime MQL Link: Suspicious Sharepoint folder share
Sublime MQL Link: Suspicious URL path with binary character sequence
Sublime MQL Link: Suspicious URL with recipient targeting and special characters
Sublime MQL Link: SVG with embedded recipient data
Sublime MQL Link: Tycoon2FA phishing kit (non-exhaustive)
Sublime MQL Link: Unsolicited email contains link leading to Tycoon URL structure
Sublime MQL Link: Unsolicited email contains link to page containing Tycoon URI structure
Sublime MQL Link: URL fragment with hexadecimal pattern obfuscation
Sublime MQL Link: URL path containing /moni/index
Sublime MQL Link: URL redirecting to blob URL
Sublime MQL Link: URL scheme obfuscation via split HTML anchors
Sublime MQL Link: URL shortener with copy-paste instructions and credential theft language
Sublime MQL Link: WordPress admin targeting with recipient identifier in URL fragment
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators
Sublime MQL Malformed URL prefix
Sublime MQL Notion suspicious file share
Sublime MQL Open redirect: Cartoon Network
Sublime MQL Open redirect: giving.lluh.org
Sublime MQL Open Redirect: Google domain with /url path and suspicious indicators
Sublime MQL Open redirect: Klaviyo
Sublime MQL Open redirect: Mailtrack Korea
Sublime MQL Open redirect: marketing.edinburghairport.com
Sublime MQL Open redirect: next2.io
Sublime MQL Open redirect: people.anuneo.com
Sublime MQL Open redirect: Shibboleth SSO Logout Return Parameter
Sublime MQL Open redirect: slubnaglowie.pl
Sublime MQL Open redirect: typedrawers.com
Sublime MQL Open redirect: weblinkconnect.com
Sublime MQL Open redirect: Xfinity CMP Redirection to Google AMP
Sublime MQL Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag
Sublime MQL PhaaS: Impact Solutions (Impact Vector Suite)
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Punycode sender domain
Sublime MQL Reconnaissance: Empty subject with mismatched reply-to from new sender
Sublime MQL Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment
Sublime MQL Salesforce infrastructure abuse
Sublime MQL Self-sender with copy/paste instructions and suspicious domains (French/Français)
Sublime MQL Self-sent fake PDF attachment with misleading link
Sublime MQL Sender: IP address in local part
Sublime MQL Sendgrid onmicrosoft.com domain phishing
Sublime MQL Service abuse: Adobe Creative Cloud share from an unsolicited sender address
Sublime MQL Service abuse: AppSheet infrastructure with suspicious indicators
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: DocSend share from an unsolicited reply-to address
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: DocuSign share from an unsolicited reply-to address
Sublime MQL Service abuse: Domains By Proxy sender
Sublime MQL Service abuse: Dropbox Paper with copy-paste instructions
Sublime MQL Service abuse: Dropbox share from new domain
Sublime MQL Service Abuse: ExactTarget with suspicious sender indicators
Sublime MQL Service abuse: FlipHTML5 with attachment deception and credential theft language
Sublime MQL Service abuse: Free provider with SendGrid routing
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Google OAuth with suspicious redirect destination
Sublime MQL Service abuse: HelloSign from an unsolicited sender address
Sublime MQL Service abuse: Linode Objects HTML file hosting
Sublime MQL Service abuse: Meetup.com redirect with brand impersonation
Sublime MQL Service abuse: Mimecast URL with excessive path length
Sublime MQL Service abuse: Monday.com infrastructure with phishing intent
Sublime MQL Service abuse: Nylas tracking subdomain with suspicious content
Sublime MQL Service abuse: QuickBooks notification from new domain
Sublime MQL Service abuse: QuickBooks notification with suspicious comments
Sublime MQL Service abuse: SendGrid-formatted link with actor-controlled fragment
Sublime MQL Service abuse: Substack credential theft with confusable characters and branded button redirects
Sublime MQL Service abuse: SurveyMonkey survey from newly registered domain
Sublime MQL Service abuse: Suspicious Datadog alert
Sublime MQL Service abuse: Suspicious Zoom Docs link
Sublime MQL Service abuse: Task management message sent via SendGrid
Sublime MQL Service abuse: Wix redirect through bulk mailer domains
Sublime MQL Sharepoint file share with suspicious recipients pattern
Sublime MQL Sharepoint online with external recipients and external display name
Sublime MQL Spam: Firebase password reset from suspicious sender
Sublime MQL Subject and sender display name contains matching long alphanumeric string
Sublime MQL Subject: Suspicious bracketed reference
Sublime MQL Suspected cross-site scripting (XSS) found in subject
Sublime MQL Suspicious attachment with unscannable Cloudflare link
Sublime MQL Suspicious attachment: Duplicate decoy PDF files
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
Sublime MQL Suspicious message with unscannable Vercel link
Sublime MQL Suspicious recipients pattern with NLU credential theft indicators
Sublime MQL Suspicious sender display name with long procedurally generated text blob
Sublime MQL Suspicious subject with long procedurally generated text blob
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL Unicode QR code
Sublime MQL Unusually long local part from untrusted sender address
Sublime MQL URL with Unicode U+2044 (⁄) or U+2215 (∕) characters
Sublime MQL Vendor compromise: GovDelivery message with suspicious link
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL Xero infrastructure abuse

Exploit 4 rules

Sublime MQL Attachment: Archive containing HTML file with file scheme link
Sublime MQL Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Sublime MQL Open redirect: City of Calgary
Sublime MQL Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag

Free email provider 26 rules

Sublime MQL Attachment: Canva PDF with susupicious author metadata
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: Norton
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Brand impersonation: Zoom via lookalike domain
Sublime MQL ClickFunnels link infrastructure abuse
Sublime MQL Constant Contact link infrastructure abuse
Sublime MQL Credential phishing language and suspicious indicators (unknown sender)
Sublime MQL Credential phishing: Engaging language and other indicators (untrusted sender)
Sublime MQL Domain impersonation: Freemail reply-to local lookalike with financial request
Sublime MQL Free email provider sender with mismatched provider reply-to
Sublime MQL Google services using g.co shortlinks
Sublime MQL Impersonation: Chrome Web Store policy
Sublime MQL Link abuse: Self-service creation platform link with suspicious recipient behavior
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: Apple TestFlight from suspicious sender
Sublime MQL Link: Multistage landing - Abused Google Drive
Sublime MQL Link: PDF and financial display text to free file host
Sublime MQL Reconnaissance: Email address harvesting attempt
Sublime MQL Service abuse: Free provider with SendGrid routing
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Suspicious SharePoint file sharing
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

Free file host 82 rules

Sublime MQL Attachment: EML file with IPFS links
Sublime MQL Attachment: EML with link to credential phishing page
Sublime MQL Attachment: Fake scan-to-email
Sublime MQL Attachment: ICS file with AWS Lambda URL
Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF with multistage landing - ClickUp abuse
Sublime MQL Attachment: PDF with self-service platform links with self sender or blank recipients
Sublime MQL Brand impersonation: Fake Fax
Sublime MQL Brand impersonation: Microsoft quarantine release notification in image attachment
Sublime MQL Brand impersonation: Microsoft with low reputation links
Sublime MQL Canva design with suspicious embedded link
Sublime MQL Cloud storage impersonation with credential theft indicators
Sublime MQL Credential phishing: Engaging language with IPFS link
Sublime MQL Credential phishing: Hyper-linked image leading to free file host
Sublime MQL Deceptive Dropbox mention
Sublime MQL DocuSign impersonation via CloudHQ links
Sublime MQL Fake scan-to-email message
Sublime MQL File sharing link from suspicious sender domain
Sublime MQL Google Drive abuse: Credential phishing link
Sublime MQL Google Drive direct download link from unsolicited sender
Sublime MQL Google share notification with suspicious comments
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Issuu document with suspicious embedded link
Sublime MQL Link: Abused Adobe Express
Sublime MQL Link: Adobe share from unsolicited sender
Sublime MQL Link: Adobe share with suspicious indicators
Sublime MQL Link: Direct link to gamma.app document with mode parameter
Sublime MQL Link: Direct link to keap.app contact-us page
Sublime MQL Link: Direct link to riddle.com hosted showcase
Sublime MQL Link: Document sharing invitation template
Sublime MQL Link: Figma design deck with credential theft language
Sublime MQL Link: Financial account issue with suspicious indicators
Sublime MQL Link: Free file hosting with undisclosed recipients
Sublime MQL Link: Google Cloud Storage impersonating with googledrive in URL path
Sublime MQL Link: Google Cloud Storage with suspicious URL pattern
Sublime MQL Link: IPFS
Sublime MQL Link: Multistage landing - Abused Adobe frame.io
Sublime MQL Link: Multistage Landing - Abused Buildin.ai
Sublime MQL Link: Multistage landing - Abused Docusign
Sublime MQL Link: Multistage landing - Abused Google Drive
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Multistage landing - Published Google Doc
Sublime MQL Link: Multistage landing - Scribd document
Sublime MQL Link: Multistage landing - Trello board abuse
Sublime MQL Link: PDF and financial display text to free file host
Sublime MQL Link: Personalized URL with recipient address on commonly abused web service
Sublime MQL Link: Scribd fullscreen link from suspicious sender
Sublime MQL Link: Secure SharePoint file share from new or unusual sender
Sublime MQL Link: SharePoint OneNote or PDF link with self sender behavior
Sublime MQL Link: Suspicious SharePoint document name
Sublime MQL Link: Suspicious Sharepoint folder share
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Link: URL redirecting to blob URL
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Notion suspicious file share
Sublime MQL Service abuse: Adobe Creative Cloud share from an unsolicited sender address
Sublime MQL Service abuse: Behance document sharing with suspicious language
Sublime MQL Service abuse: Citrix ShareFile impersonation via Outlook plugin
Sublime MQL Service abuse: DocSend share from an unsolicited reply-to address
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: DocuSign share from an unsolicited reply-to address
Sublime MQL Service abuse: Dropbox Paper with copy-paste instructions
Sublime MQL Service abuse: FlipHTML5 with attachment deception and credential theft language
Sublime MQL Service abuse: Formester with suspicious link behavior
Sublime MQL Service abuse: GitHub notification with excessive mentions and suspicious links
Sublime MQL Service abuse: Google account notification with links to free file host
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Service abuse: Google OAuth with suspicious redirect destination
Sublime MQL Service abuse: HelloSign from an unsolicited sender address
Sublime MQL Service abuse: Linode Objects HTML file hosting
Sublime MQL Service abuse: SendThisFile with credential theft and financial language
Sublime MQL Service abuse: Square marketing with suspicious QR code
Sublime MQL Service abuse: SurveyMonkey survey from newly registered domain
Sublime MQL Service abuse: Suspicious Zoom Docs link
Sublime MQL Spoofable internal domain with suspicious signals
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Suspicious Links to Cloudflare R2 and Edge Services
Sublime MQL Suspicious SharePoint file sharing
Sublime MQL Zoom Events newsletter abuse

Free subdomain host 42 rules

Sublime MQL Attachment: EML file with IPFS links
Sublime MQL Attachment: EML with link to credential phishing page
Sublime MQL Attachment: HTML smuggling Microsoft sign in
Sublime MQL Attachment: HTML smuggling with raw array buffer
Sublime MQL Attachment: PDF Attachment with links to workers.dev
Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
Sublime MQL Attachment: PDF with multistage landing - ClickUp abuse
Sublime MQL Brand impersonation: Coinbase with suspicious links
Sublime MQL Brand impersonation: Fake Fax
Sublime MQL ClickFunnels link infrastructure abuse
Sublime MQL Credential phishing: AWS Lambda URL with recipient targeting
Sublime MQL Credential phishing: Engaging language with IPFS link
Sublime MQL Credential phishing: Onedrive impersonation
Sublime MQL Deceptive Dropbox mention
Sublime MQL Free subdomain link with credential theft indicators
Sublime MQL Free subdomain link with login or captcha (untrusted sender)
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Link: Abused Adobe Express
Sublime MQL Link: Breely link masquerading as PDF
Sublime MQL Link: Credential phishing via WordPress
Sublime MQL Link: File sharing impersonation with suspicious language and sending patterns
Sublime MQL Link: Financial account issue with suspicious indicators
Sublime MQL Link: Flare-branded credential harvesting via Cloudflare tunnels
Sublime MQL Link: Free file hosting with undisclosed recipients
Sublime MQL Link: IPFS
Sublime MQL Link: Multistage landing - Abused Docusign
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Link: Tycoon2FA phishing kit (non-exhaustive)
Sublime MQL Link: WordPress login page with Blogspot Binance scam
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators
Sublime MQL Self-sender with copy/paste instructions and suspicious domains (French/Français)
Sublime MQL Self-sent fake PDF attachment with misleading link
Sublime MQL Service abuse: GitHub notification with excessive mentions and suspicious links
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Google Firebase sender address with suspicious content
Sublime MQL Service abuse: Google OAuth with suspicious redirect destination
Sublime MQL Service abuse: Suspicious Datadog alert
Sublime MQL Spoofable internal domain with suspicious signals
Sublime MQL Vendor compromise: GovDelivery message with suspicious link
Sublime MQL Zoom Events newsletter abuse

HTML injection 1 rule

Sublime MQL Link: URL scheme obfuscation via split HTML anchors

HTML smuggling 44 rules

Sublime MQL Attachment: Any HTML file within archive (unsolicited)
Sublime MQL Attachment: Archive containing HTML file with file scheme link
Sublime MQL Attachment: Double base64-encoded zip file in HTML smuggling attachment
Sublime MQL Attachment: EML containing a base64 encoded script
Sublime MQL Attachment: EML file contains HTML attachment with login portal indicators
Sublime MQL Attachment: EML file with HTML attachment (unsolicited)
Sublime MQL Attachment: EML with suspicious indicators
Sublime MQL Attachment: HTML attachment with Javascript location
Sublime MQL Attachment: HTML attachment with login portal indicators
Sublime MQL Attachment: HTML file contains exclusively Javascript
Sublime MQL Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Sublime MQL Attachment: HTML file with excessive padding and suspicious patterns
Sublime MQL Attachment: HTML file with reference to recipient and suspicious patterns
Sublime MQL Attachment: HTML smuggling 'body onload' linking to suspicious destination
Sublime MQL Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Sublime MQL Attachment: HTML smuggling Microsoft sign in
Sublime MQL Attachment: HTML smuggling with atob and high entropy
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with auto-downloaded file
Sublime MQL Attachment: HTML smuggling with base64 encoded JavaScript function
Sublime MQL Attachment: HTML smuggling with base64 encoded ZIP file
Sublime MQL Attachment: HTML smuggling with concatenation obfuscation
Sublime MQL Attachment: HTML smuggling with decimal encoding
Sublime MQL Attachment: HTML smuggling with embedded base64-encoded ISO
Sublime MQL Attachment: HTML smuggling with eval and atob
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Sublime MQL Attachment: HTML smuggling with fromCharCode and other signals
Sublime MQL Attachment: HTML smuggling with hex strings
Sublime MQL Attachment: HTML smuggling with raw array buffer
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: HTML smuggling with setTimeout
Sublime MQL Attachment: HTML smuggling with unescape
Sublime MQL Attachment: HTML with emoji-to-character map
Sublime MQL Attachment: HTML with obfuscation and recipient's email in JavaScript strings
Sublime MQL Attachment: SVG file with HTML entity encoded href attributes
Sublime MQL Attachment: Web files with suspicious comments
Sublime MQL Credential Phishing: W-2 lure with inline SVG Windows logo
Sublime MQL HTML content with print styling and credential theft language
Sublime MQL HTML smuggling containing recipient email address
Sublime MQL HTML smuggling with atob in message body
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators

ICS Phishing 12 rules

Sublime MQL Attachment: Calendar file with invisible Unicode characters
Sublime MQL Attachment: Calendar invite with Google redirect and invoice request
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: ICS calendar file with base64 encoded recipient address in URL parameters
Sublime MQL Attachment: ICS calendar file with suspicious product identifier
Sublime MQL Attachment: ICS calendar with embedded file from internal sender with SPF failure
Sublime MQL Attachment: ICS file with AWS Lambda URL
Sublime MQL Attachment: ICS file with meeting prefix
Sublime MQL Attachment: ICS file with non-Gregorian calendar scale
Sublime MQL Attachment: ICS with embedded Javascript in SVG file
Sublime MQL Attachment: ICS with employee policy review lure

IPFS 4 rules

Sublime MQL Attachment: EML file with IPFS links
Sublime MQL Credential phishing: Engaging language with IPFS link
Sublime MQL Link: IPFS
Sublime MQL Vendor compromise: GovDelivery message with suspicious link

ISO 1 rule

Sublime MQL Attachment: HTML smuggling with embedded base64-encoded ISO

Image as content 27 rules

Sublime MQL Attachment: Adobe image lure in body or attachment with suspicious link
Sublime MQL Attachment: Fake attachment image lure
Sublime MQL Attachment: Fake scan-to-email
Sublime MQL Attachment: Fake secure message and suspicious indicators
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: QR code link with base64-encoded recipient address
Sublime MQL Attachment: QR code with encoded recipient targeting and redirect indicators
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: SVG file with hyperlinks and cursor styling
Sublime MQL Attachment: SVG files with evasion elements
Sublime MQL Brand impersonation: Coinbase with suspicious links
Sublime MQL Brand impersonation: DocuSign with embedded QR code
Sublime MQL Brand impersonation: Fake Fax
Sublime MQL Brand impersonation: Figma with malicious document access overlay
Sublime MQL Brand impersonation: Microsoft Planner with suspicious link
Sublime MQL Brand impersonation: Microsoft with low reputation links
Sublime MQL Brand impersonation: USPS
Sublime MQL Cloud storage impersonation with credential theft indicators
Sublime MQL Credential phishing: Hyper-linked image leading to free file host
Sublime MQL Credential phishing: Image as content, short or no body contents
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Impersonation: Recipient organization in sender display name with credential theft image
Sublime MQL Inline image as message with attachment or link
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Link: PDF display text with fake copyright claim template
Sublime MQL PHP Mailer with common phishing attachments
Sublime MQL Spam: Mastercard promotional content with image-based body

Impersonation: Brand 236 rules

Sublime MQL Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
Sublime MQL Abuse: Robinhood injected content
Sublime MQL Attachment: Adobe image lure in body or attachment with suspicious link
Sublime MQL Attachment: Adobe Sign lure PDF with embedded banner images
Sublime MQL Attachment: Compensation-themed DOCX with QR code credential theft
Sublime MQL Attachment: Decoy PDF author (Julie P.)
Sublime MQL Attachment: DocuSign impersonation via PDF linking to new domain
Sublime MQL Attachment: Dropbox image lure with no Dropbox domains in links
Sublime MQL Attachment: EML with SharePoint files shared from GoDaddy federated tenants
Sublime MQL Attachment: EML with Sharepoint link likely unrelated to sender
Sublime MQL Attachment: Fake secure message and suspicious indicators
Sublime MQL Attachment: HTML smuggling Microsoft sign in
Sublime MQL Attachment: HTML with emoji-to-character map
Sublime MQL Attachment: Microsoft 365 credential phishing
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Sublime MQL Attachment: PDF with Microsoft Purview message impersonation
Sublime MQL Attachment: PDF With SAI Global ISO9001 Logo
Sublime MQL Brand impersonation: AARP
Sublime MQL Brand impersonation: Adobe (QR code)
Sublime MQL Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
Sublime MQL Brand impersonation: Adobe Sign with suspicious indicators
Sublime MQL Brand impersonation: Adobe with suspicious language and link
Sublime MQL Brand impersonation: ADP
Sublime MQL Brand impersonation: AliExpress
Sublime MQL Brand impersonation: Amazon
Sublime MQL Brand impersonation: Amazon Web Services (AWS)
Sublime MQL Brand impersonation: Amazon with suspicious attachment
Sublime MQL Brand impersonation: American Express (AMEX)
Sublime MQL Brand impersonation: Apple
Sublime MQL Brand impersonation: Aquent
Sublime MQL Brand impersonation: AuthentiSign
Sublime MQL Brand impersonation: Automobile assistance associations
Sublime MQL Brand impersonation: Bank of America
Sublime MQL Brand impersonation: Barracuda Networks
Sublime MQL Brand impersonation: Binance
Sublime MQL Brand impersonation: Blockchain.com
Sublime MQL Brand impersonation: Booking.com
Sublime MQL Brand impersonation: Box file sharing service
Sublime MQL Brand impersonation: Canada Revenue Agency
Sublime MQL Brand impersonation: Capital One
Sublime MQL Brand impersonation: Charles Schwab
Sublime MQL Brand impersonation: Chase Bank
Sublime MQL Brand impersonation: Chase bank with credential phishing indicators
Sublime MQL Brand impersonation: Coinbase
Sublime MQL Brand impersonation: Coinbase with suspicious links
Sublime MQL Brand impersonation: Dashlane
Sublime MQL Brand impersonation: DHL
Sublime MQL Brand impersonation: DigitalOcean
Sublime MQL Brand impersonation: Discord notification
Sublime MQL Brand Impersonation: Disney
Sublime MQL Brand impersonation: DocSend
Sublime MQL Brand impersonation: DocuSign
Sublime MQL Brand impersonation: DocuSign (QR code)
Sublime MQL Brand impersonation: DocuSign branded attachment lure with no DocuSign links
Sublime MQL Brand impersonation: DocuSign PDF attachment with suspicious link
Sublime MQL Brand impersonation: DocuSign with embedded QR code
Sublime MQL Brand impersonation: DoorDash
Sublime MQL Brand impersonation: Dotloop
Sublime MQL Brand impersonation: Dropbox
Sublime MQL Brand impersonation: Enbridge
Sublime MQL Brand impersonation: Evite
Sublime MQL Brand impersonation: Exodus
Sublime MQL Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
Sublime MQL Brand impersonation: Fake Fax
Sublime MQL Brand impersonation: Fastway
Sublime MQL Brand impersonation: FedEx
Sublime MQL Brand impersonation: Figma with malicious document access overlay
Sublime MQL Brand impersonation: File sharing notification with template artifacts
Sublime MQL Brand impersonation: FINRA
Sublime MQL Brand Impersonation: Gemini Trust Company
Sublime MQL Brand impersonation: Github
Sublime MQL Brand impersonation: GoDaddy
Sublime MQL Brand Impersonation: Google (QR Code)
Sublime MQL Brand impersonation: Google Careers
Sublime MQL Brand impersonation: Google Drive fake file share
Sublime MQL Brand impersonation: Google fake sign-in warning
Sublime MQL Brand impersonation: Google Meet with malicious link
Sublime MQL Brand impersonation: Google using Microsoft Forms
Sublime MQL Brand impersonation: Google Workspace alert notification
Sublime MQL Brand impersonation: Greenvelope
Sublime MQL Brand impersonation: Gusto
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: Internal Revenue Service
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: LastPass
Sublime MQL Brand impersonation: Ledger
Sublime MQL Brand impersonation: LinkedIn
Sublime MQL Brand impersonation: Mailchimp
Sublime MQL Brand impersonation: Mailgun
Sublime MQL Brand impersonation: Marriott with gift language
Sublime MQL Brand impersonation: McAfee
Sublime MQL Brand impersonation: Meta and subsidiaries
Sublime MQL Brand impersonation: MetaMask
Sublime MQL Brand impersonation: Microsoft
Sublime MQL Brand impersonation: Microsoft (QR code)
Sublime MQL Brand impersonation: Microsoft fake sign-in alert
Sublime MQL Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
Sublime MQL Brand impersonation: Microsoft Planner with suspicious link
Sublime MQL Brand impersonation: Microsoft quarantine release notification in body
Sublime MQL Brand impersonation: Microsoft quarantine release notification in image attachment
Sublime MQL Brand impersonation: Microsoft Teams
Sublime MQL Brand impersonation: Microsoft Teams invitation
Sublime MQL Brand impersonation: Microsoft with embedded logo and credential theft language
Sublime MQL Brand impersonation: Microsoft with low reputation links
Sublime MQL Brand impersonation: Morgan Stanley
Sublime MQL Brand impersonation: Navan
Sublime MQL Brand impersonation: Netflix
Sublime MQL Brand impersonation: Norton
Sublime MQL Brand impersonation: Office 365 mail service
Sublime MQL Brand impersonation: Okta
Sublime MQL Brand impersonation: OpenAI with payment issues
Sublime MQL Brand impersonation: Outlook
Sublime MQL Brand impersonation: Paperless Post
Sublime MQL Brand Impersonation: PayPal
Sublime MQL Brand impersonation: PNC
Sublime MQL Brand Impersonation: Procore
Sublime MQL Brand impersonation: Proofpoint secure messaging without legitimate indicators
Sublime MQL Brand impersonation: Punchbowl
Sublime MQL Brand impersonation: Purdue ePlanroom with suspicious links
Sublime MQL Brand impersonation: Quickbooks
Sublime MQL Brand impersonation: Ripple
Sublime MQL Brand impersonation: Robert Half
Sublime MQL Brand impersonation: Robinhood
Sublime MQL Brand impersonation: SendGrid
Sublime MQL Brand Impersonation: ShareFile
Sublime MQL Brand impersonation: Sharepoint
Sublime MQL Brand impersonation: Sharepoint fake file share
Sublime MQL Brand impersonation: SharePoint PDF attachment with credential theft language
Sublime MQL Brand Impersonation: Shein
Sublime MQL Brand impersonation: Silicon Valley Bank
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Brand impersonation: Social Security Administration
Sublime MQL Brand impersonation: Spotify
Sublime MQL Brand impersonation: Square
Sublime MQL Brand impersonation: Squarespace
Sublime MQL Brand impersonation: State Farm
Sublime MQL Brand impersonation: Stellar Development Foundation (SDF)
Sublime MQL Brand Impersonation: Stripe
Sublime MQL Brand impersonation: Stripe notification
Sublime MQL Brand impersonation: Sublime Security
Sublime MQL Brand impersonation: Survey request with credential theft indicators
Sublime MQL Brand impersonation: TikTok
Sublime MQL Brand impersonation: Toronto-Dominion Bank
Sublime MQL Brand impersonation: Trust Wallet
Sublime MQL Brand impersonation: TurboTax
Sublime MQL Brand impersonation: Twitter
Sublime MQL Brand impersonation: UK government Home Office
Sublime MQL Brand impersonation: ukr[.]net
Sublime MQL Brand impersonation: United Healthcare
Sublime MQL Brand impersonation: UPS
Sublime MQL Brand impersonation: USPS
Sublime MQL Brand impersonation: Vanguard
Sublime MQL Brand impersonation: Vanta
Sublime MQL Brand impersonation: Venmo
Sublime MQL Brand impersonation: Wells Fargo
Sublime MQL Brand impersonation: WeTransfer
Sublime MQL Brand impersonation: Wise
Sublime MQL Brand impersonation: Wix
Sublime MQL Brand impersonation: Xodo Sign
Sublime MQL Brand impersonation: Zoom
Sublime MQL Brand impersonation: Zoom (strict)
Sublime MQL Brand impersonation: Zoom via HTML styling
Sublime MQL Brand impersonation: Zoom via lookalike domain
Sublime MQL Brand impersonation: Zoom with deceptive link display
Sublime MQL Brand spoof: Dropbox
Sublime MQL Cloud storage impersonation with credential theft indicators
Sublime MQL Credential phishing: Blue button styled link with file-sharing template artifacts
Sublime MQL Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
Sublime MQL Credential phishing: Email delivery failure impersonation
Sublime MQL Credential phishing: Onedrive impersonation
Sublime MQL Credential phishing: Re-Authentication lure
Sublime MQL Credential phishing: Suspicious subject with urgent financial request and link
Sublime MQL Credential phishing: Tax form impersonation with payment request
Sublime MQL Cyrillic vowel substitutions with suspicious subject from unknown sender
Sublime MQL Deceptive Dropbox mention
Sublime MQL DocuSign impersonation via CloudHQ links
Sublime MQL DocuSign impersonation via spoofed Intuit sender
Sublime MQL Fake Zoom meeting invite with suspicious link
Sublime MQL Google Accelerated Mobile Pages (AMP) abuse
Sublime MQL Google Drive abuse: Credential phishing link
Sublime MQL Hardbacon infrastructure abuse
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL Impersonation: Chrome Web Store policy
Sublime MQL Impersonation: Fake Gmail attachment
Sublime MQL Impersonation: Recipient organization in sender display name with credential theft image
Sublime MQL Impersonation: Salesforce fake campaign failure notification
Sublime MQL Impersonation: SharePoint reply header anomaly
Sublime MQL Link: Apple App Store link to apps impersonating AI adveristing
Sublime MQL Link: Direct link to Zoom Docs from non-Zoom sender
Sublime MQL Link: File sharing impersonation with suspicious language and sending patterns
Sublime MQL Link: Google Cloud Storage impersonating with googledrive in URL path
Sublime MQL Link: Intuit link abuse with file share context
Sublime MQL Link: Microsoft device code authentication with suspicious indicators
Sublime MQL Link: Microsoft impersonation using hosted png with suspicious link
Sublime MQL Link: Multistage landing - Abused Adobe Acrobat hosted PDF
Sublime MQL Link: Multistage landing - FreshDesk knowledge base abuse
Sublime MQL Link: Multistage landing - Ludus presentation
Sublime MQL Link: Multistage landing - Microsoft Forms abuse
Sublime MQL Link: Multistage landing - Scribd document
Sublime MQL Link: Obfuscation via userinfo with excessive URL padding
Sublime MQL Link: QR Code with suspicious language (untrusted sender)
Sublime MQL Link: QuickBooks image lure with suspicious link
Sublime MQL Link: Squarespace infrastructure abuse
Sublime MQL Link: Suspicious Loom HTML file path
Sublime MQL Link: WordPress login page with Blogspot Binance scam
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators
Sublime MQL Microsoft device code phishing
Sublime MQL Open redirect (go2.aspx) leading to Microsoft credential phishing
Sublime MQL Open redirect: Klaviyo
Sublime MQL Open redirect: queue.swytchbike.com
Sublime MQL Recruitee Infrastructure Abuse
Sublime MQL Scam soliciting employer review/rating
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: Facebook business with action required subject
Sublime MQL Service abuse: File sharing impersonation with external SharePoint links
Sublime MQL Service abuse: Google account notification with links to free file host
Sublime MQL Service abuse: Meetup.com redirect with brand impersonation
Sublime MQL Service abuse: Microsoft with suspicious indicators in subject
Sublime MQL Service abuse: PayPal manager account creation with callback scam indicators
Sublime MQL Service abuse: Roomsy with unrelated body content
Sublime MQL Service abuse: SendGrid impersonation via Sendgrid from new sender
Sublime MQL Service abuse: Task management message sent via SendGrid
Sublime MQL Service abuse: Vimeo with external plain-text links in message
Sublime MQL SharePoint OTP for filename matching org name
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Spam: Mastercard promotional content with image-based body
Sublime MQL Subject: Suspicious bracketed reference
Sublime MQL Suspected WordPress abuse with cross-site scripting (XSS) indicators
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL Vendor compromise: GovDelivery message with suspicious link
Sublime MQL X (Twitter) impersonation with credential phishing motives
Sublime MQL Xero invoice abuse
Sublime MQL Zoom Events newsletter abuse

Impersonation: Domain 2 rules

Sublime MQL Observed IOC: Malicious sender domains
Sublime MQL Observed IOC: Malicious sender root domains

Impersonation: Email address 1 rule

Sublime MQL Observed IOC: Malicious sender email addresses

Impersonation: Employee 12 rules

Sublime MQL Benefits enrollment impersonation
Sublime MQL Credential phishing: Generic document sharing
Sublime MQL Headers: System account impersonation with empty sender address
Sublime MQL Impersonation: Human Resources with link or attachment and engaging language
Sublime MQL Impersonation: Internal corporate services
Sublime MQL Link: HR impersonation with suspicious domain indicators and credential theft
Sublime MQL Link: SharePoint filename matches org name
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Suspicious attachment with unscannable Cloudflare link
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL Xero invoice abuse

Impersonation: VIP 4 rules

Sublime MQL Google share notification with suspicious comments
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: Trello board invitation with VIP impersonation
Sublime MQL Suspicious attachment with unscannable Cloudflare link

LNK 1 rule

Sublime MQL Attachment: Link file with UNC path

Lookalike domain 52 rules

Sublime MQL Brand impersonation: American Express (AMEX)
Sublime MQL Brand impersonation: AuthentiSign
Sublime MQL Brand impersonation: Bank of America
Sublime MQL Brand impersonation: Barracuda Networks
Sublime MQL Brand impersonation: Binance
Sublime MQL Brand impersonation: Blockchain.com
Sublime MQL Brand impersonation: Capital One
Sublime MQL Brand impersonation: Charles Schwab
Sublime MQL Brand impersonation: Chase Bank
Sublime MQL Brand impersonation: Coinbase
Sublime MQL Brand impersonation: DHL
Sublime MQL Brand impersonation: DigitalOcean
Sublime MQL Brand impersonation: DocSend
Sublime MQL Brand impersonation: DocuSign
Sublime MQL Brand impersonation: Fastway
Sublime MQL Brand impersonation: FedEx
Sublime MQL Brand impersonation: FINRA
Sublime MQL Brand impersonation: Github
Sublime MQL Brand impersonation: Google using Microsoft Forms
Sublime MQL Brand impersonation: Google Workspace alert notification
Sublime MQL Brand impersonation: Gusto
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: Ledger
Sublime MQL Brand impersonation: LinkedIn
Sublime MQL Brand impersonation: Meta and subsidiaries
Sublime MQL Brand impersonation: Netflix
Sublime MQL Brand impersonation: Office 365 mail service
Sublime MQL Brand impersonation: Okta
Sublime MQL Brand impersonation: Outlook
Sublime MQL Brand Impersonation: PayPal
Sublime MQL Brand impersonation: PNC
Sublime MQL Brand Impersonation: ShareFile
Sublime MQL Brand impersonation: Silicon Valley Bank
Sublime MQL Brand impersonation: Spotify
Sublime MQL Brand Impersonation: Stripe
Sublime MQL Brand impersonation: Sublime Security
Sublime MQL Brand impersonation: TurboTax
Sublime MQL Brand impersonation: Twitter
Sublime MQL Brand impersonation: UK government Home Office
Sublime MQL Brand impersonation: UPS
Sublime MQL Brand impersonation: Vanta
Sublime MQL Brand impersonation: Venmo
Sublime MQL Brand impersonation: Wells Fargo
Sublime MQL Brand impersonation: Wix
Sublime MQL Impersonation: Chrome Web Store policy
Sublime MQL Link to a domain with punycode characters
Sublime MQL Link: HR impersonation with suspicious domain indicators and credential theft
Sublime MQL Link: Recipient domain in URL path
Sublime MQL Lookalike sender domain (untrusted sender)
Sublime MQL Punycode sender domain
Sublime MQL Sharepoint link likely unrelated to sender

Macros 6 rules

Sublime MQL Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Sublime MQL Attachment: Excel file with document sharing lure created by Go Excelize
Sublime MQL Attachment: Excel file with suspicious template identifier
Sublime MQL Attachment: Macro files containing MHT content
Sublime MQL Attachment: QR code link with base64-encoded recipient address
Sublime MQL Attachment: XLSX file with suspicious print titles metadata

OneNote 4 rules

Sublime MQL Link: SharePoint OneNote or PDF link with self sender behavior
Sublime MQL Link: Uncommon SharePoint document type with sender's display name
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Suspicious SharePoint file sharing

Open redirect 141 rules

Sublime MQL Attachment: Calendar invite with Google redirect and invoice request
Sublime MQL Attachment: Link to Doubleclick.net open redirect
Sublime MQL Attachment: QR code with encoded recipient targeting and redirect indicators
Sublime MQL Constant Contact link infrastructure abuse
Sublime MQL Fake Zoho Sign template abuse
Sublime MQL Google Accelerated Mobile Pages (AMP) abuse
Sublime MQL Google presentation open redirect phishing
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Link to Google Apps Script macro (unsolicited)
Sublime MQL Link: Google Translate (unsolicited)
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Multistage landing - FreshDesk knowledge base abuse
Sublime MQL Link: QR code in EML attachment with credential phishing indicators
Sublime MQL Link: Referrer anonymization service from untrusted sender
Sublime MQL Link: URL path containing /moni/index
Sublime MQL Link: URL redirecting to blob URL
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators
Sublime MQL Open redirect (go2.aspx) leading to Microsoft credential phishing
Sublime MQL Open redirect: adnxs.com
Sublime MQL Open redirect: agena-smile.com
Sublime MQL Open redirect: amaterasu-for-website-5.com
Sublime MQL Open redirect: api.spently.com
Sublime MQL Open redirect: Artisteer
Sublime MQL Open redirect: artkaderne
Sublime MQL Open Redirect: asemailmgmteu.com
Sublime MQL Open redirect: astroarts.co.jp
Sublime MQL Open redirect: Atdmt
Sublime MQL Open redirect: Avast
Sublime MQL Open redirect: bananaguide.com
Sublime MQL Open redirect: bangkoksync.com
Sublime MQL Open redirect: bestdeals.today
Sublime MQL Open redirect: Bitrix24 URL Path
Sublime MQL Open redirect: BMW USA
Sublime MQL Open redirect: bubblelife.com
Sublime MQL Open redirect: buildingengines.com
Sublime MQL Open redirect: business.google.com website_shared URL Param
Sublime MQL Open redirect: Cartoon Network
Sublime MQL Open redirect: chkc.com.hk
Sublime MQL Open redirect: City of Calgary
Sublime MQL Open redirect: Club-OS
Sublime MQL Open redirect: convertcart.com
Sublime MQL Open redirect: Dell
Sublime MQL Open redirect: designsori.com
Sublime MQL Open redirect: documentmailbox.com
Sublime MQL Open redirect: Doubleclick.net
Sublime MQL Open redirect: eaoko.org
Sublime MQL Open redirect: easycamp.com
Sublime MQL Open redirect: embluemail.com
Sublime MQL Open redirect: emlakarsa
Sublime MQL Open redirect: emp.eduyield.com
Sublime MQL Open redirect: eodcnetworkdirect.com
Sublime MQL Open redirect: events.csiro.au
Sublime MQL Open redirect: ExacTag
Sublime MQL Open redirect: fenc.com
Sublime MQL Open redirect: g7.fr
Sublime MQL Open redirect: giving.lluh.org
Sublime MQL Open redirect: Google Ad Services
Sublime MQL Open Redirect: Google domain with /url path and suspicious indicators
Sublime MQL Open redirect: Google Web Light
Sublime MQL Open redirect: Hakumonkai.org
Sublime MQL Open redirect: HHS
Sublime MQL Open redirect: ijf.org
Sublime MQL Open redirect: Indeed
Sublime MQL Open redirect: IndiaTimes
Sublime MQL Open redirect: isadatalab.com
Sublime MQL Open redirect: k-mil.net
Sublime MQL Open redirect: Klaviyo
Sublime MQL Open redirect: labcluster.com
Sublime MQL Open redirect: LearningApps
Sublime MQL Open redirect: Linkedin
Sublime MQL Open redirect: LinkedIn Redirect
Sublime MQL Open redirect: listing.ca
Sublime MQL Open redirect: magic4media.com
Sublime MQL Open redirect: magiccity.ne.jp
Sublime MQL Open redirect: magneticmarketing.com
Sublime MQL Open redirect: mail.spiceworks.com
Sublime MQL Open redirect: Mailtrack Korea
Sublime MQL Open redirect: marketing.edinburghairport.com
Sublime MQL Open redirect: McGill University
Sublime MQL Open redirect: Medium
Sublime MQL Open redirect: Meta --> YouTube Redirection Chain
Sublime MQL Open redirect: mindmixer.com
Sublime MQL Open redirect: MSN
Sublime MQL Open redirect: museepicassoparis.fr
Sublime MQL Open redirect: Nested Doubleclick.net
Sublime MQL Open redirect: Newegg
Sublime MQL Open redirect: next2.io
Sublime MQL Open redirect: nowlifestyle.com
Sublime MQL Open redirect: obunsha.co.jp
Sublime MQL Open redirect: Panera Bread
Sublime MQL Open redirect: people.anuneo.com
Sublime MQL Open redirect: phoenixartstudio.net
Sublime MQL Open redirect: PIRL San Diego
Sublime MQL Open redirect: plasticsurgery.or.kr
Sublime MQL Open redirect: pmifunds.com
Sublime MQL Open redirect: predictiveresponse.net
Sublime MQL Open redirect: PremierBet
Sublime MQL Open redirect: qrxtech.com
Sublime MQL Open redirect: queue.swytchbike.com
Sublime MQL Open redirect: radiopublic.com
Sublime MQL Open redirect: retailrocket.net
Sublime MQL Open redirect: ringaraja.net
Sublime MQL Open redirect: Samsung
Sublime MQL Open redirect: sciencebuddies.org
Sublime MQL Open redirect: secondstreetapp.com
Sublime MQL Open redirect: Shibboleth SSO Logout Return Parameter
Sublime MQL Open redirect: shoppermeet.net
Sublime MQL Open redirect: shoppingwebapi.didatravel.com
Sublime MQL Open redirect: Signature Travel Network
Sublime MQL Open redirect: Slack
Sublime MQL Open redirect: slubnaglowie.pl
Sublime MQL Open redirect: smartadserver.com
Sublime MQL Open redirect: smore.com
Sublime MQL Open redirect: Snapchat
Sublime MQL Open redirect: social.bigpress.net
Sublime MQL Open redirect: ssg-financial.com
Sublime MQL Open redirect: stats.lib.pdx.edu
Sublime MQL Open redirect: storematch.jp
Sublime MQL Open redirect: Ticketmaster
Sublime MQL Open redirect: TikTok
Sublime MQL Open redirect: tkqlhce.com
Sublime MQL Open redirect: tuttocauzioni.it
Sublime MQL Open redirect: typedrawers.com
Sublime MQL Open redirect: U.S. Antarctic Program Data Center (USAP-DC)
Sublime MQL Open redirect: unitedwaynwvt.org
Sublime MQL Open redirect: ust.hk
Sublime MQL Open redirect: vconfex.com
Sublime MQL Open redirect: VK
Sublime MQL Open redirect: weblinkconnect.com
Sublime MQL Open redirect: whitefox.pl
Sublime MQL Open redirect: Xfinity CMP Redirection to Google AMP
Sublime MQL Open redirect: xfinity.com
Sublime MQL Open redirect: YouTube
Sublime MQL Open redirect: YouTube --> Google Redirection Chain
Sublime MQL Service abuse: Formester with suspicious link behavior
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Google OAuth with suspicious redirect destination
Sublime MQL Service abuse: Google Tag Manager debug cookie clearing with open redirect potential
Sublime MQL Service abuse: Meetup.com redirect with brand impersonation
Sublime MQL Service abuse: Mimecast URL with excessive path length
Sublime MQL Service abuse: Wix redirect through bulk mailer domains

Out of band pivot 4 rules

Sublime MQL Benefits enrollment impersonation
Sublime MQL Credential Phishing via Dropbox comment abuse
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL Link: chatbot.page platform abuse

PDF 64 rules

Sublime MQL Attachment: Adobe Sign lure PDF with embedded banner images
Sublime MQL Attachment: Canva PDF with susupicious author metadata
Sublime MQL Attachment: Compensation review lure with QR code
Sublime MQL Attachment: Decoy PDF author (Julie P.)
Sublime MQL Attachment: DocuSign impersonation via PDF linking to new domain
Sublime MQL Attachment: Encrypted PDF With Credential Harvesting Indicators
Sublime MQL Attachment: Encrypted PDF with credential theft body
Sublime MQL Attachment: Fake PDF Invoices Yara
Sublime MQL Attachment: Fake scan-to-email
Sublime MQL Attachment: Fake voicemail via PDF
Sublime MQL Attachment: Finance themed PDF with observed phishing template
Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Sublime MQL Attachment: Password-protected PDF with fake document indicators
Sublime MQL Attachment: PDF Attachment with links to workers.dev
Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF contains W9 or invoice YARA signatures
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF proposal with credential theft indicators
Sublime MQL Attachment: PDF with a suspicious string and single URL
Sublime MQL Attachment: PDF with blurry lure image
Sublime MQL Attachment: PDF with credential theft language and invalid reply-to domain
Sublime MQL Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
Sublime MQL Attachment: PDF with eCheckRun lures
Sublime MQL Attachment: PDF with Microsoft Purview message impersonation
Sublime MQL Attachment: PDF with multistage landing - ClickUp abuse
Sublime MQL Attachment: PDF with password in filename matching body text
Sublime MQL Attachment: PDF with personal Microsoft OneNote URL
Sublime MQL Attachment: PDF with QR code containing recipient-specific credential theft content
Sublime MQL Attachment: PDF with recipient email in link
Sublime MQL Attachment: PDF with ReportLab library and default metadata
Sublime MQL Attachment: PDF With SAI Global ISO9001 Logo
Sublime MQL Attachment: PDF with self-service platform links with self sender or blank recipients
Sublime MQL Attachment: PDF with specific author metadata
Sublime MQL Attachment: PDF with split QR code
Sublime MQL Attachment: PDF with suspicious HeadlessChrome metadata
Sublime MQL Attachment: PDF with suspicious language and redirect to suspicious file type
Sublime MQL Attachment: PDF with suspicious link and action-oriented language
Sublime MQL Attachment: PDF with suspicious view document characteristics
Sublime MQL Attachment: QR code link with base64-encoded recipient address
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: Self-sender PDF with minimal content and view prompt
Sublime MQL Attachment: Soda PDF producer with encryption themes
Sublime MQL Attachment: Suspicious employee policy update document lure
Sublime MQL Attachment: Suspicious PDF created with headless browser
Sublime MQL Brand impersonation: Adobe (QR code)
Sublime MQL Brand impersonation: Adobe Acrobat Sign PDF phishing file format template
Sublime MQL Brand impersonation: DocuSign (QR code)
Sublime MQL Brand impersonation: DocuSign PDF attachment with suspicious link
Sublime MQL Brand Impersonation: Google (QR Code)
Sublime MQL Brand impersonation: Microsoft (QR code)
Sublime MQL Brand impersonation: SharePoint PDF attachment with credential theft language
Sublime MQL Credential phishing: Tax form impersonation with payment request
Sublime MQL Link: PDF display text with fake copyright claim template
Sublime MQL Link: PDF file disguised as HTML page
Sublime MQL Link: PDF filename impersonation with credential theft language
Sublime MQL Link: SharePoint OneNote or PDF link with self sender behavior
Sublime MQL Link: Uncommon SharePoint document type with sender's display name
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Suspicious attachment with unscannable Cloudflare link
Sublime MQL Suspicious attachment: Duplicate decoy PDF files
Sublime MQL Suspicious SharePoint file sharing
Sublime MQL URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)

Punycode 2 rules

Sublime MQL Link to a domain with punycode characters
Sublime MQL Punycode sender domain

QR code 29 rules

Sublime MQL Attachment: Compensation review lure with QR code
Sublime MQL Attachment: Compensation-themed DOCX with QR code credential theft
Sublime MQL Attachment: EML with QR code redirecting to Cloudflare challenges
Sublime MQL Attachment: Fake voicemail via PDF
Sublime MQL Attachment: HTML smuggling - QR Code with suspicious links
Sublime MQL Attachment: ICS calendar file with QR code containing recipient email address
Sublime MQL Attachment: PDF with QR code containing recipient-specific credential theft content
Sublime MQL Attachment: PDF with recipient email in link
Sublime MQL Attachment: PDF with split QR code
Sublime MQL Attachment: QR code link with base64-encoded recipient address
Sublime MQL Attachment: QR code with credential phishing indicators
Sublime MQL Attachment: QR code with encoded recipient targeting and redirect indicators
Sublime MQL Attachment: QR code with recipient targeting and special characters
Sublime MQL Attachment: QR code with suspicious URL patterns in EML file
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: SVG files with evasion elements
Sublime MQL Brand impersonation: Adobe (QR code)
Sublime MQL Brand impersonation: DocuSign (QR code)
Sublime MQL Brand impersonation: DocuSign with embedded QR code
Sublime MQL Brand Impersonation: Google (QR Code)
Sublime MQL Brand impersonation: Microsoft (QR code)
Sublime MQL Compensation review with QR code in attached EML
Sublime MQL Link: QR code in EML attachment with credential phishing indicators
Sublime MQL Link: QR code with phishing disposition in img or pdf
Sublime MQL Link: QR Code with suspicious language (untrusted sender)
Sublime MQL Open redirect: typedrawers.com
Sublime MQL QR Code with suspicious indicators
Sublime MQL Service abuse: Monday.com infrastructure with phishing intent
Sublime MQL Service abuse: Square marketing with suspicious QR code

Scripting 39 rules

Sublime MQL Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
Sublime MQL Attachment: Double base64-encoded zip file in HTML smuggling attachment
Sublime MQL Attachment: EML containing a base64 encoded script
Sublime MQL Attachment: EML with embedded Javascript in SVG file
Sublime MQL Attachment: HTML attachment with Javascript location
Sublime MQL Attachment: HTML attachment with login portal indicators
Sublime MQL Attachment: HTML file contains exclusively Javascript
Sublime MQL Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Sublime MQL Attachment: HTML file with reference to recipient and suspicious patterns
Sublime MQL Attachment: HTML smuggling 'body onload' linking to suspicious destination
Sublime MQL Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Sublime MQL Attachment: HTML smuggling with atob and high entropy
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with auto-downloaded file
Sublime MQL Attachment: HTML smuggling with base64 encoded JavaScript function
Sublime MQL Attachment: HTML smuggling with base64 encoded ZIP file
Sublime MQL Attachment: HTML smuggling with concatenation obfuscation
Sublime MQL Attachment: HTML smuggling with decimal encoding
Sublime MQL Attachment: HTML smuggling with eval and atob
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Sublime MQL Attachment: HTML smuggling with fromCharCode and other signals
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: HTML smuggling with setTimeout
Sublime MQL Attachment: HTML smuggling with unescape
Sublime MQL Attachment: HTML with emoji-to-character map
Sublime MQL Attachment: HTML with hidden body
Sublime MQL Attachment: HTML with JavaScript functions for HTTP requests
Sublime MQL Attachment: HTML with obfuscation and recipient's email in JavaScript strings
Sublime MQL Attachment: ICS with embedded Javascript in SVG file
Sublime MQL Attachment: Macro files containing MHT content
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL HTML smuggling containing recipient email address
Sublime MQL HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Sublime MQL Link: JavaScript obfuscation with Telegram bot integration
Sublime MQL Suspected cross-site scripting (XSS) found in subject
Sublime MQL Suspected WordPress abuse with cross-site scripting (XSS) indicators

Service abuse 1 rule

Sublime MQL Service abuse: Google Tag Manager debug cookie clearing with open redirect potential

Social engineering 439 rules

Sublime MQL Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure
Sublime MQL Abuse: Robinhood injected content
Sublime MQL Attachment: Archive containing HTML file with file scheme link
Sublime MQL Attachment: Calendar invite with Google redirect and invoice request
Sublime MQL Attachment: Compensation review lure with QR code
Sublime MQL Attachment: Compensation-themed DOCX with QR code credential theft
Sublime MQL Attachment: DocuSign impersonation via PDF linking to new domain
Sublime MQL Attachment: DOCX with hyperlink targeting recipient address
Sublime MQL Attachment: Dropbox image lure with no Dropbox domains in links
Sublime MQL Attachment: EML containing a base64 encoded script
Sublime MQL Attachment: EML with link to credential phishing page
Sublime MQL Attachment: EML with SharePoint files shared from GoDaddy federated tenants
Sublime MQL Attachment: EML with Sharepoint link likely unrelated to sender
Sublime MQL Attachment: EML with suspicious indicators
Sublime MQL Attachment: Encrypted PDF with credential theft body
Sublime MQL Attachment: Excel file with document sharing lure created by Go Excelize
Sublime MQL Attachment: Fake attachment image lure
Sublime MQL Attachment: Fake PDF Invoices Yara
Sublime MQL Attachment: Fake scan-to-email
Sublime MQL Attachment: Fake secure message and suspicious indicators
Sublime MQL Attachment: Fake voicemail via PDF
Sublime MQL Attachment: HTML smuggling Microsoft sign in
Sublime MQL Attachment: HTML smuggling with excessive string concatenation and suspicious patterns
Sublime MQL Attachment: HTML with emoji-to-character map
Sublime MQL Attachment: ICS calendar file with base64 encoded recipient address in URL parameters
Sublime MQL Attachment: ICS calendar file with QR code containing recipient email address
Sublime MQL Attachment: ICS calendar file with recipient address in UID field
Sublime MQL Attachment: ICS calendar file with suspicious product identifier
Sublime MQL Attachment: ICS file with links to newly registered domains
Sublime MQL Attachment: ICS file with meeting prefix
Sublime MQL Attachment: ICS with employee policy review lure
Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Attachment: Link to Doubleclick.net open redirect
Sublime MQL Attachment: Microsoft 365 credential phishing
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: Office file contains OLE relationship to credential phishing page
Sublime MQL Attachment: Office file with credential phishing URLs
Sublime MQL Attachment: Office file with document sharing and browser instruction lures
Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF contains W9 or invoice YARA signatures
Sublime MQL Attachment: PDF proposal with credential theft indicators
Sublime MQL Attachment: PDF with a suspicious string and single URL
Sublime MQL Attachment: PDF with credential theft language and invalid reply-to domain
Sublime MQL Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
Sublime MQL Attachment: PDF with Microsoft Purview message impersonation
Sublime MQL Attachment: PDF with multistage landing - ClickUp abuse
Sublime MQL Attachment: PDF with personal Microsoft OneNote URL
Sublime MQL Attachment: PDF with QR code containing recipient-specific credential theft content
Sublime MQL Attachment: PDF with recipient email in link
Sublime MQL Attachment: PDF with suspicious link and action-oriented language
Sublime MQL Attachment: PDF with suspicious view document characteristics
Sublime MQL Attachment: QR code link with base64-encoded recipient address
Sublime MQL Attachment: QR code with credential phishing indicators
Sublime MQL Attachment: QR code with recipient targeting and special characters
Sublime MQL Attachment: QR code with suspicious URL patterns in EML file
Sublime MQL Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
Sublime MQL Attachment: Self-sender PDF with minimal content and view prompt
Sublime MQL Attachment: Small text file with link containing recipient email address
Sublime MQL Attachment: Soda PDF producer with encryption themes
Sublime MQL Attachment: Suspicious employee policy update document lure
Sublime MQL Benefits enrollment impersonation
Sublime MQL Body HTML: Recipient SLD in HTML class
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Body: HTML whitespace stuffing with short initial message
Sublime MQL Body: Suspicious date format
Sublime MQL Brand impersonation: AARP
Sublime MQL Brand impersonation: Adobe Sign with suspicious indicators
Sublime MQL Brand impersonation: Adobe with suspicious language and link
Sublime MQL Brand impersonation: ADP
Sublime MQL Brand impersonation: AliExpress
Sublime MQL Brand impersonation: Amazon
Sublime MQL Brand impersonation: Amazon Web Services (AWS)
Sublime MQL Brand impersonation: Amazon with suspicious attachment
Sublime MQL Brand impersonation: American Express (AMEX)
Sublime MQL Brand impersonation: Apple
Sublime MQL Brand impersonation: Aquent
Sublime MQL Brand impersonation: AuthentiSign
Sublime MQL Brand impersonation: Automobile assistance associations
Sublime MQL Brand impersonation: Bank of America
Sublime MQL Brand impersonation: Barracuda Networks
Sublime MQL Brand impersonation: Binance
Sublime MQL Brand impersonation: Blockchain.com
Sublime MQL Brand impersonation: Booking.com
Sublime MQL Brand impersonation: Box file sharing service
Sublime MQL Brand impersonation: Canada Revenue Agency
Sublime MQL Brand impersonation: Capital One
Sublime MQL Brand impersonation: Charles Schwab
Sublime MQL Brand impersonation: Chase Bank
Sublime MQL Brand impersonation: Chase bank with credential phishing indicators
Sublime MQL Brand impersonation: Cloud services with credential theft intent
Sublime MQL Brand impersonation: Coinbase
Sublime MQL Brand impersonation: Dashlane
Sublime MQL Brand impersonation: DHL
Sublime MQL Brand impersonation: DigitalOcean
Sublime MQL Brand impersonation: Discord notification
Sublime MQL Brand Impersonation: Disney
Sublime MQL Brand impersonation: DocSend
Sublime MQL Brand impersonation: DocuSign
Sublime MQL Brand impersonation: DocuSign (QR code)
Sublime MQL Brand impersonation: DocuSign branded attachment lure with no DocuSign links
Sublime MQL Brand impersonation: DocuSign PDF attachment with suspicious link
Sublime MQL Brand impersonation: DoorDash
Sublime MQL Brand impersonation: Dotloop
Sublime MQL Brand impersonation: Dropbox
Sublime MQL Brand impersonation: Enbridge
Sublime MQL Brand impersonation: Evite
Sublime MQL Brand impersonation: Exodus
Sublime MQL Brand impersonation: Fake DocuSign HTML table not linking to DocuSign domains
Sublime MQL Brand impersonation: Fake Fax
Sublime MQL Brand impersonation: Fastway
Sublime MQL Brand impersonation: FedEx
Sublime MQL Brand impersonation: Figma with malicious document access overlay
Sublime MQL Brand impersonation: File sharing notification with template artifacts
Sublime MQL Brand impersonation: FINRA
Sublime MQL Brand Impersonation: Gemini Trust Company
Sublime MQL Brand impersonation: Github
Sublime MQL Brand impersonation: GoDaddy
Sublime MQL Brand impersonation: Google Careers
Sublime MQL Brand impersonation: Google Drive fake file share
Sublime MQL Brand impersonation: Google fake sign-in warning
Sublime MQL Brand impersonation: Google Meet with malicious link
Sublime MQL Brand impersonation: Google using Microsoft Forms
Sublime MQL Brand impersonation: Google Workspace alert notification
Sublime MQL Brand impersonation: Greenvelope
Sublime MQL Brand impersonation: Gusto
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: Internal Revenue Service
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: LastPass
Sublime MQL Brand impersonation: Ledger
Sublime MQL Brand impersonation: LinkedIn
Sublime MQL Brand impersonation: Mailchimp
Sublime MQL Brand impersonation: Marriott with gift language
Sublime MQL Brand impersonation: McAfee
Sublime MQL Brand impersonation: Meta and subsidiaries
Sublime MQL Brand impersonation: MetaMask
Sublime MQL Brand impersonation: Microsoft
Sublime MQL Brand impersonation: Microsoft (QR code)
Sublime MQL Brand impersonation: Microsoft fake sign-in alert
Sublime MQL Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
Sublime MQL Brand impersonation: Microsoft Planner with suspicious link
Sublime MQL Brand impersonation: Microsoft quarantine release notification in body
Sublime MQL Brand impersonation: Microsoft quarantine release notification in image attachment
Sublime MQL Brand impersonation: Microsoft Teams
Sublime MQL Brand impersonation: Microsoft Teams invitation
Sublime MQL Brand impersonation: Microsoft with embedded logo and credential theft language
Sublime MQL Brand impersonation: Microsoft with low reputation links
Sublime MQL Brand impersonation: Morgan Stanley
Sublime MQL Brand impersonation: Navan
Sublime MQL Brand impersonation: Netflix
Sublime MQL Brand impersonation: Norton
Sublime MQL Brand impersonation: Office 365 mail service
Sublime MQL Brand impersonation: Okta
Sublime MQL Brand impersonation: OpenAI with payment issues
Sublime MQL Brand impersonation: Outlook
Sublime MQL Brand Impersonation: PayPal
Sublime MQL Brand impersonation: PNC
Sublime MQL Brand Impersonation: Procore
Sublime MQL Brand impersonation: Proofpoint secure messaging without legitimate indicators
Sublime MQL Brand impersonation: Punchbowl
Sublime MQL Brand impersonation: Purdue ePlanroom with suspicious links
Sublime MQL Brand impersonation: Quickbooks
Sublime MQL Brand impersonation: QuickBooks notification from Intuit themed company name
Sublime MQL Brand impersonation: Ripple
Sublime MQL Brand impersonation: Robert Half
Sublime MQL Brand impersonation: Robinhood
Sublime MQL Brand impersonation: SendGrid
Sublime MQL Brand impersonation: Sharepoint
Sublime MQL Brand impersonation: Sharepoint fake file share
Sublime MQL Brand impersonation: SharePoint PDF attachment with credential theft language
Sublime MQL Brand Impersonation: Shein
Sublime MQL Brand impersonation: Silicon Valley Bank
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Brand impersonation: Social Security Administration
Sublime MQL Brand impersonation: Spotify
Sublime MQL Brand impersonation: Square
Sublime MQL Brand impersonation: Squarespace
Sublime MQL Brand impersonation: State Farm
Sublime MQL Brand impersonation: Stellar Development Foundation (SDF)
Sublime MQL Brand Impersonation: Stripe
Sublime MQL Brand impersonation: Stripe notification
Sublime MQL Brand impersonation: Sublime Security
Sublime MQL Brand impersonation: Survey request with credential theft indicators
Sublime MQL Brand impersonation: TikTok
Sublime MQL Brand impersonation: Toronto-Dominion Bank
Sublime MQL Brand impersonation: Trust Wallet
Sublime MQL Brand impersonation: TurboTax
Sublime MQL Brand impersonation: Twitter
Sublime MQL Brand impersonation: UK government Home Office
Sublime MQL Brand impersonation: ukr[.]net
Sublime MQL Brand impersonation: United Healthcare
Sublime MQL Brand impersonation: UPS
Sublime MQL Brand impersonation: USPS
Sublime MQL Brand impersonation: Vanta
Sublime MQL Brand impersonation: Venmo
Sublime MQL Brand impersonation: Wells Fargo
Sublime MQL Brand impersonation: Wise
Sublime MQL Brand impersonation: Wix
Sublime MQL Brand impersonation: Xodo Sign
Sublime MQL Brand impersonation: Zoom
Sublime MQL Brand impersonation: Zoom (strict)
Sublime MQL Brand impersonation: Zoom via HTML styling
Sublime MQL Brand impersonation: Zoom via lookalike domain
Sublime MQL Canva design with suspicious embedded link
Sublime MQL ClickFunnels link infrastructure abuse
Sublime MQL Cloud storage impersonation with credential theft indicators
Sublime MQL Commonly abused sender TLD with engaging language
Sublime MQL Compensation review with QR code in attached EML
Sublime MQL Constant Contact link infrastructure abuse
Sublime MQL Credential phishing content and link (untrusted sender)
Sublime MQL Credential phishing language and suspicious indicators (unknown sender)
Sublime MQL Credential phishing link (unknown sender)
Sublime MQL Credential Phishing via Dropbox comment abuse
Sublime MQL Credential phishing: 'Secure message' and engaging language
Sublime MQL Credential phishing: AWS Lambda URL with recipient targeting
Sublime MQL Credential phishing: Blue button styled link with file-sharing template artifacts
Sublime MQL Credential phishing: DocuSign embedded image lure with no DocuSign domains in links
Sublime MQL Credential phishing: Email delivery failure impersonation
Sublime MQL Credential phishing: Engaging language and other indicators (untrusted sender)
Sublime MQL Credential phishing: Fake card notification with tracking lure
Sublime MQL Credential phishing: Fake password expiration from new and unsolicited sender
Sublime MQL Credential phishing: Fake storage alerts (unsolicited)
Sublime MQL Credential phishing: Financial lure via ActiveCampaign infrastructure
Sublime MQL Credential phishing: Generic document share template
Sublime MQL Credential phishing: Generic document sharing
Sublime MQL Credential phishing: Hyper-linked image leading to free file host
Sublime MQL Credential phishing: Onedrive impersonation
Sublime MQL Credential phishing: Re-Authentication lure
Sublime MQL Credential phishing: Suspicious e-sign agreement document notification
Sublime MQL Credential phishing: Suspicious subject with urgent financial request and link
Sublime MQL Credential phishing: Tax form impersonation with payment request
Sublime MQL Credential Phishing: W-2 lure with inline SVG Windows logo
Sublime MQL Credential theft with 'safe content' deception and social engineering topics
Sublime MQL Cyrillic vowel substitution in subject or display name from unknown sender
Sublime MQL Cyrillic vowel substitutions with suspicious subject from unknown sender
Sublime MQL Deceptive Dropbox mention
Sublime MQL Display name and subject impersonation using recipient SLD (new sender)
Sublime MQL Display name impersonation using recipient SLD
Sublime MQL Domain impersonation: Freemail reply-to local lookalike with financial request
Sublime MQL EML attachment with credential theft language (unknown sender)
Sublime MQL Fake email quarantine notification
Sublime MQL Fake message thread with a suspicious link and engaging language from an unknown sender
Sublime MQL Fake scan-to-email message
Sublime MQL Fake thread with suspicious indicators
Sublime MQL Fake voicemail notification (untrusted sender)
Sublime MQL Fake warning banner using confusable characters
Sublime MQL Fake Zoho Sign template abuse
Sublime MQL Fake Zoom meeting invite with suspicious link
Sublime MQL Free email provider sender with mismatched provider reply-to
Sublime MQL Free subdomain link with login or captcha (untrusted sender)
Sublime MQL Generic service abuse from newly registered domain
Sublime MQL Google Drive direct download link from unsolicited sender
Sublime MQL Google Notification alert link from non-Google sender
Sublime MQL Google presentation open redirect phishing
Sublime MQL Hardbacon infrastructure abuse
Sublime MQL Headers: Fake in-reply-to with wildcard sender and missing thread context
Sublime MQL Headers: Invalid recipient domain with mismatched reply-to from new sender
Sublime MQL Headers: System account impersonation with empty sender address
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL HTML content with print styling and credential theft language
Sublime MQL HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Impersonation using recipient domain (untrusted sender)
Sublime MQL Impersonation: Human Resources with link or attachment and engaging language
Sublime MQL Impersonation: Internal corporate services
Sublime MQL Impersonation: Recipient organization in sender display name with credential theft image
Sublime MQL Impersonation: Salesforce fake campaign failure notification
Sublime MQL Impersonation: SharePoint reply header anomaly
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Issuu document with suspicious embedded link
Sublime MQL Link abuse: Self-service creation platform link with suspicious recipient behavior
Sublime MQL Link to Google Apps Script macro (unsolicited)
Sublime MQL Link to Google Apps Script macro via comment tagging
Sublime MQL Link: .onion From Unsolicited Sender
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: Base64 encoded recipient address in URL fragment with subject hash
Sublime MQL Link: Breely link masquerading as PDF
Sublime MQL Link: chatbot.page platform abuse
Sublime MQL Link: Concatenated display text concealing duplicate URLs with PDF reference
Sublime MQL Link: Credential harvesting with excess padding evasion
Sublime MQL Link: Credential phishing traversing Russian infrastructure
Sublime MQL Link: Credential phishing via WordPress
Sublime MQL Link: Credential theft with Cloudflare tunnel and recipient targeting
Sublime MQL Link: Credential theft with invisible Unicode character in page title from unsolicited sender
Sublime MQL Link: Direct link to Zoom Docs from non-Zoom sender
Sublime MQL Link: Direct POWR.io Form Builder with suspicious patterns
Sublime MQL Link: Display text matches subject line
Sublime MQL Link: Document sharing invitation template
Sublime MQL Link: Executable file download with suspicious message content
Sublime MQL Link: Figma design deck with credential theft language
Sublime MQL Link: File sharing impersonation with suspicious language and sending patterns
Sublime MQL Link: File sharing pretext with suspicious body and link
Sublime MQL Link: Financial account issue with suspicious indicators
Sublime MQL Link: Flare-branded credential harvesting via Cloudflare tunnels
Sublime MQL Link: Google Drawings link from new sender
Sublime MQL Link: Google Forms link with credential theft language
Sublime MQL Link: Hotel booking spoofed display URL
Sublime MQL Link: HR impersonation with suspicious domain indicators and credential theft
Sublime MQL Link: Intuit link abuse with file share context
Sublime MQL Link: Job recruitment lure from unsolicited sender with suspicious hosting
Sublime MQL Link: Mamba 2FA phishing kit
Sublime MQL Link: Microsoft device code authentication with suspicious indicators
Sublime MQL Link: Microsoft impersonation using hosted png with suspicious link
Sublime MQL Link: Microsoft protected message with matching sender and recipient addresses
Sublime MQL Link: Multistage landing - Abused Adobe Acrobat hosted PDF
Sublime MQL Link: Multistage Landing - Abused Buildin.ai
Sublime MQL Link: Multistage landing - FreshDesk knowledge base abuse
Sublime MQL Link: Multistage landing - JotForm abuse
Sublime MQL Link: Multistage landing - Ludus presentation
Sublime MQL Link: Multistage landing - Microsoft Forms abuse
Sublime MQL Link: Multistage landing - Published Google Doc
Sublime MQL Link: Multistage landing - Scribd document
Sublime MQL Link: Multistage landing - Trello board abuse
Sublime MQL Link: MyActiveCampaign Link Abuse
Sublime MQL Link: PDF and financial display text to free file host
Sublime MQL Link: PDF filename impersonation with credential theft language
Sublime MQL Link: Personal SharePoint with invalid recipients and credential theft language
Sublime MQL Link: Personalized URL with recipient address on commonly abused web service
Sublime MQL Link: QR code with phishing disposition in img or pdf
Sublime MQL Link: QR Code with suspicious language (untrusted sender)
Sublime MQL Link: QuickBooks image lure with suspicious link
Sublime MQL Link: Recipient email address in 'eta' parameter
Sublime MQL Link: Remittance payment request with timeline template
Sublime MQL Link: Scribd fullscreen link from suspicious sender
Sublime MQL Link: Self-sender credential theft with configuration placeholder
Sublime MQL Link: Self-sender with sender org in subject and credential theft indicator
Sublime MQL Link: Self-sent message with quarterly document review request
Sublime MQL Link: Self-sent PDF lure with subject correlation
Sublime MQL Link: SharePoint filename matches org name
Sublime MQL Link: Shortened URL with fragment matching subject
Sublime MQL Link: Single character path with credential theft body and self sender behavior or invalid recipient
Sublime MQL Link: Squarespace infrastructure abuse
Sublime MQL Link: Suspicious Family fragment parameter with encoded recipient data
Sublime MQL Link: Suspicious file retrieval with recipient targeting
Sublime MQL Link: Suspicious go.php redirect with document lure
Sublime MQL Link: Suspicious Loom HTML file path
Sublime MQL Link: Suspicious URL with recipient targeting and special characters
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Link: Uncommon SharePoint document type with sender's display name
Sublime MQL Link: Unsolicited email contains link leading to Tycoon URL structure
Sublime MQL Link: Unsolicited email contains link to page containing Tycoon URI structure
Sublime MQL Link: URL scheme obfuscation via split HTML anchors
Sublime MQL Link: URL shortener with copy-paste instructions and credential theft language
Sublime MQL Link: WordPress admin targeting with recipient identifier in URL fragment
Sublime MQL Link: WordPress login page with Blogspot Binance scam
Sublime MQL Lookalike sender domain (untrusted sender)
Sublime MQL Low reputation link to auto-downloaded HTML file with smuggling indicators
Sublime MQL Mass campaign: recipient address in subject, body, and link (untrusted sender)
Sublime MQL Microsoft device code phishing
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Newly registered sender or reply-to domain with newly registered linked domain
Sublime MQL Observed IOC: Malicious sender domains
Sublime MQL Observed IOC: Malicious sender email addresses
Sublime MQL Observed IOC: Malicious sender root domains
Sublime MQL Open redirect: City of Calgary
Sublime MQL Open redirect: giving.lluh.org
Sublime MQL Open redirect: Klaviyo
Sublime MQL Open redirect: marketing.edinburghairport.com
Sublime MQL Open redirect: next2.io
Sublime MQL Open redirect: people.anuneo.com
Sublime MQL Open redirect: queue.swytchbike.com
Sublime MQL Open redirect: slubnaglowie.pl
Sublime MQL Open redirect: typedrawers.com
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Punycode sender domain
Sublime MQL QR Code with suspicious indicators
Sublime MQL Reconnaissance: Email address harvesting attempt
Sublime MQL Reconnaissance: Empty subject with mismatched reply-to from new sender
Sublime MQL Recruitee Infrastructure Abuse
Sublime MQL Salesforce infrastructure abuse
Sublime MQL Scam soliciting employer review/rating
Sublime MQL Self-sender with copy/paste instructions and suspicious domains (French/Français)
Sublime MQL Self-sent fake PDF attachment with misleading link
Sublime MQL Sendgrid voicemail phish
Sublime MQL Service abuse: Adobe Creative Cloud share from an unsolicited sender address
Sublime MQL Service abuse: Adobe legitimate domain with document approval language
Sublime MQL Service abuse: AppSheet infrastructure with suspicious indicators
Sublime MQL Service abuse: Behance document sharing with suspicious language
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: Citrix ShareFile impersonation via Outlook plugin
Sublime MQL Service abuse: DocSend share from an unsolicited reply-to address
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: DocuSign share from an unsolicited reply-to address
Sublime MQL Service abuse: Domains By Proxy sender
Sublime MQL Service abuse: Dropbox Paper with copy-paste instructions
Sublime MQL Service abuse: Dropbox share from new domain
Sublime MQL Service Abuse: ExactTarget with suspicious sender indicators
Sublime MQL Service abuse: Facebook business with action required subject
Sublime MQL Service abuse: File sharing impersonation with external SharePoint links
Sublime MQL Service abuse: FlipHTML5 with attachment deception and credential theft language
Sublime MQL Service abuse: Formester with suspicious link behavior
Sublime MQL Service abuse: GitHub notification with excessive mentions and suspicious links
Sublime MQL Service abuse: Google account notification with links to free file host
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Service abuse: Google Firebase sender address with suspicious content
Sublime MQL Service abuse: Google OAuth with suspicious redirect destination
Sublime MQL Service abuse: HelloSign from an unsolicited sender address
Sublime MQL Service abuse: Microsoft with suspicious indicators in subject
Sublime MQL Service abuse: Monday.com infrastructure with phishing intent
Sublime MQL Service abuse: Nylas tracking subdomain with suspicious content
Sublime MQL Service abuse: PayPal manager account creation with callback scam indicators
Sublime MQL Service abuse: QuickBooks notification from new domain
Sublime MQL Service abuse: QuickBooks notification with suspicious comments
Sublime MQL Service abuse: Roomsy with unrelated body content
Sublime MQL Service abuse: Sendgrid credential theft with personalized request targeting single recipient
Sublime MQL Service abuse: SendGrid impersonation via Sendgrid from new sender
Sublime MQL Service abuse: SendGrid-formatted link with actor-controlled fragment
Sublime MQL Service abuse: SendThisFile with credential theft and financial language
Sublime MQL Service abuse: Substack credential theft with confusable characters and branded button redirects
Sublime MQL Service abuse: SurveyMonkey survey from newly registered domain
Sublime MQL Service abuse: Suspicious Zoom Docs link
Sublime MQL Service abuse: Task management message sent via SendGrid
Sublime MQL Service abuse: Trello board invitation with VIP impersonation
Sublime MQL Service abuse: Vimeo with external plain-text links in message
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL SharePoint OTP for filename matching org name
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Spam: Firebase password reset from suspicious sender
Sublime MQL Spam: Mastercard promotional content with image-based body
Sublime MQL Spoofable internal domain with suspicious signals
Sublime MQL Subject and sender display name contains matching long alphanumeric string
Sublime MQL Suspected WordPress abuse with cross-site scripting (XSS) indicators
Sublime MQL Suspicious attachment with unscannable Cloudflare link
Sublime MQL Suspicious display name: Gmail sender with engaging language
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Suspicious invoice reference with missing or image-only attachments
Sublime MQL Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender
Sublime MQL Suspicious recipient pattern and language with low reputation link to login
Sublime MQL Tax Form: W-8BEN solicitation
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL URL with Unicode U+2044 (⁄) or U+2215 (∕) characters
Sublime MQL Vendor compromise: GovDelivery message with suspicious link
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL X (Twitter) impersonation with credential phishing motives
Sublime MQL Xero infrastructure abuse
Sublime MQL Xero invoice abuse
Sublime MQL Zoom Events newsletter abuse

Spoofing 22 rules

Sublime MQL Attachment: ICS calendar with embedded file from internal sender with SPF failure
Sublime MQL Attachment: PDF with credential theft language and invalid reply-to domain
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Body: Suspicious date format
Sublime MQL Brand impersonation: DocuSign
Sublime MQL Brand impersonation: Navan
Sublime MQL Brand impersonation: State Farm
Sublime MQL Brand impersonation: Survey request with credential theft indicators
Sublime MQL Brand spoof: Dropbox
Sublime MQL Cyrillic vowel substitution in subject or display name from unknown sender
Sublime MQL DocuSign impersonation via spoofed Intuit sender
Sublime MQL Headers: Fake in-reply-to with wildcard sender and missing thread context
Sublime MQL Headers: Outlook Express mailer
Sublime MQL Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
Sublime MQL Headers: System account impersonation with empty sender address
Sublime MQL Impersonation: SharePoint reply header anomaly
Sublime MQL Reconnaissance: Empty subject with mismatched reply-to from new sender
Sublime MQL Sender: IP address in local part
Sublime MQL Service Abuse: Nifty.com with impersonation
Sublime MQL Service abuse: PayPal manager account creation with callback scam indicators
Sublime MQL Spoofable internal domain with suspicious signals
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

No specific technique 8 rules

Sublime MQL AnonymousFox indicators
Sublime MQL Attachment: RDP connection file
Sublime MQL Attachment: Uncommon compressed file
Sublime MQL New link domain (<=10d) from untrusted sender
Sublime MQL Russia return-path TLD (untrusted sender)
Sublime MQL Sender name contains Active Directory distinguished name
Sublime MQL Suspicious message with unscannable Cloudflare link
Sublime MQL Suspicious Office 365 app authorization (OAuth) link

Malware/Ransomware Sublime email taxonomy

Encryption 18 rules

Sublime MQL Adobe branded PDF file linking to a password-protected file from untrusted sender
Sublime MQL Attachment with encrypted zip (unsolicited)
Sublime MQL Attachment with unscannable encrypted zip
Sublime MQL Attachment: Base64 encoded bash command in filename
Sublime MQL Attachment: EML with Encrypted ZIP
Sublime MQL Attachment: Encrypted Microsoft Office file (unsolicited)
Sublime MQL Attachment: Encrypted ZIP containing VHDX file
Sublime MQL Attachment: Encrypted zip file with payment-related lure
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: Password-protected PDF with fake document indicators
Sublime MQL Attachment: PDF with password in filename matching body text
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Link to auto-download of a suspicious file type (unsolicited)
Sublime MQL Link to auto-downloaded disk image in encrypted zip
Sublime MQL Link to auto-downloaded DMG in encrypted zip
Sublime MQL Link: Excessive URL rewrite encoders

Evasion 151 rules

Sublime MQL Adobe branded PDF file linking to a password-protected file from untrusted sender
Sublime MQL Attachment with encrypted zip (unsolicited)
Sublime MQL Attachment with macro calling executable
Sublime MQL Attachment with unscannable encrypted zip
Sublime MQL Attachment: .csproj with suspicious commands
Sublime MQL Attachment: 7z Archive Containing RAR File
Sublime MQL Attachment: Any .sap file (unsolicited)
Sublime MQL Attachment: Any HTML file within archive (unsolicited)
Sublime MQL Attachment: Archive containing disallowed file type
Sublime MQL Attachment: Archive with embedded CHM file
Sublime MQL Attachment: Archive with embedded EXE file
Sublime MQL Attachment: Archive with pdf, txt and wsf files
Sublime MQL Attachment: Base64 encoded bash command in filename
Sublime MQL Attachment: Calendar file with invisible Unicode characters
Sublime MQL Attachment: DocX embedded binary
Sublime MQL Attachment: DOCX with hyperlink targeting recipient address
Sublime MQL Attachment: Double base64-encoded zip file in HTML smuggling attachment
Sublime MQL Attachment: Embedded VBScript in MHT file
Sublime MQL Attachment: EML file with HTML attachment (unsolicited)
Sublime MQL Attachment: EML with embedded Javascript in SVG file
Sublime MQL Attachment: EML with Encrypted ZIP
Sublime MQL Attachment: EML with QR code redirecting to Cloudflare challenges
Sublime MQL Attachment: Emotet heavily padded doc in zip file
Sublime MQL Attachment: Employment contract update with suspicious file naming
Sublime MQL Attachment: Encrypted ZIP containing VHDX file
Sublime MQL Attachment: Encrypted zip file with payment-related lure
Sublime MQL Attachment: Excel Web Query File (IQY)
Sublime MQL Attachment: Fake attachment image lure
Sublime MQL Attachment: Fake Slack installer
Sublime MQL Attachment: Fake Zoom installer
Sublime MQL Attachment: File execution via Javascript
Sublime MQL Attachment: Filename containing Unicode braille pattern blank character
Sublime MQL Attachment: Filename containing Unicode right-to-left override character
Sublime MQL Attachment: HTML attachment with Javascript location
Sublime MQL Attachment: HTML file contains exclusively Javascript
Sublime MQL Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Sublime MQL Attachment: HTML file with excessive padding and suspicious patterns
Sublime MQL Attachment: HTML smuggling 'body onload' linking to suspicious destination
Sublime MQL Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with base64 encoded ZIP file
Sublime MQL Attachment: HTML smuggling with concatenation obfuscation
Sublime MQL Attachment: HTML smuggling with decimal encoding
Sublime MQL Attachment: HTML smuggling with embedded base64-encoded executable
Sublime MQL Attachment: HTML smuggling with embedded base64-encoded ISO
Sublime MQL Attachment: HTML smuggling with eval and atob
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with fromCharCode and other signals
Sublime MQL Attachment: HTML smuggling with hex strings
Sublime MQL Attachment: HTML smuggling with high entropy and other signals
Sublime MQL Attachment: HTML smuggling with raw array buffer
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: HTML smuggling with setTimeout
Sublime MQL Attachment: HTML smuggling with unescape
Sublime MQL Attachment: ICS file with AWS Lambda URL
Sublime MQL Attachment: ICS file with excessive custom properties
Sublime MQL Attachment: ICS with embedded document
Sublime MQL Attachment: ICS with embedded Javascript in SVG file
Sublime MQL Attachment: JavaScript file with suspicious base64-encoded executable
Sublime MQL Attachment: Macro files containing MHT content
Sublime MQL Attachment: Malformed OLE file
Sublime MQL Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK
Sublime MQL Attachment: MS OOXML file created by Administrator with zero edit time
Sublime MQL Attachment: MSI installer file
Sublime MQL Attachment: Office file with suspicious function calls or downloaded file path
Sublime MQL Attachment: OLE external relationship containing file scheme link to executable filetype
Sublime MQL Attachment: OLE external relationship containing file scheme link to IP address
Sublime MQL Attachment: Password-protected PDF with fake document indicators
Sublime MQL Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Sublime MQL Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
Sublime MQL Attachment: PDF Object Hash with Blue File Icon
Sublime MQL Attachment: PDF with JSFck obfuscation
Sublime MQL Attachment: PDF with link to DMG file download
Sublime MQL Attachment: PDF with link to zip containing a wsf file
Sublime MQL Attachment: PDF with password in filename matching body text
Sublime MQL Attachment: PDF with suspicious HeadlessChrome metadata
Sublime MQL Attachment: PDF with suspicious language and redirect to suspicious file type
Sublime MQL Attachment: PDF with suspicious view document characteristics
Sublime MQL Attachment: Potential sandbox evasion in Office file
Sublime MQL Attachment: PowerPoint with suspicious hyperlink
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: RTF with embedded content
Sublime MQL Attachment: Self-sender PDF with minimal content and view prompt
Sublime MQL Attachment: SFX archive containing commands
Sublime MQL Attachment: SVG file with HTML entity encoded href attributes
Sublime MQL Attachment: SVG files with evasion elements
Sublime MQL Attachment: TAR file with RAR type
Sublime MQL Attachment: Web files with suspicious comments
Sublime MQL Attachment: WinRAR CVE-2025-8088 exploitation
Sublime MQL Attachment: ZIP file with CVE-2026-0866 exploit
Sublime MQL CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Google Drive direct download link from unsolicited sender
Sublime MQL Headers: iOS/iPadOS mailer with invalid build number
Sublime MQL Headers: Outlook Express mailer
Sublime MQL HTML smuggling containing recipient email address
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Link to auto-download of a suspicious file type (unsolicited)
Sublime MQL Link to auto-downloaded disk image in encrypted zip
Sublime MQL Link to auto-downloaded DMG in archive
Sublime MQL Link to auto-downloaded DMG in encrypted zip
Sublime MQL Link: .onion From Unsolicited Sender
Sublime MQL Link: 9WOLF phishkit initial landing URI
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: Commonly Abused Web Service redirecting to ZIP file
Sublime MQL Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
Sublime MQL Link: Direct download of executable file
Sublime MQL Link: Direct link to gamma.app document with mode parameter
Sublime MQL Link: Direct link to keap.app contact-us page
Sublime MQL Link: Direct MSI download from low reputation domain
Sublime MQL Link: Excessive URL rewrite encoders
Sublime MQL Link: Executable file download with suspicious message content
Sublime MQL Link: Free file hosting with undisclosed recipients
Sublime MQL Link: Google Firebase dynamic link that redirects to new domain (<7 days old)
Sublime MQL Link: GoPhish query param values
Sublime MQL Link: IPv4-mapped IPv6 address obfuscation
Sublime MQL Link: Landing page with search-ms protocol redirect
Sublime MQL Link: Mixed case HTTPS protocol
Sublime MQL Link: Multiple HTTP protocols in single URL
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Non-standard port 8443 in display URL
Sublime MQL Link: Numeric IP obfuscation in URL
Sublime MQL Link: Obfuscation via userinfo with suspicious indicators
Sublime MQL Link: PDF display text with fake copyright claim template
Sublime MQL Link: PDF file disguised as HTML page
Sublime MQL Link: ScreenConnect installer with suspicious relay domain
Sublime MQL Link: URL redirecting to blob URL
Sublime MQL macOS malware: Compiled AppleScript with document double-extension
Sublime MQL Malformed URL prefix
Sublime MQL Malware: Pikabot delivery via URL auto-download
Sublime MQL MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
Sublime MQL Notion suspicious file share
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Punycode sender domain
Sublime MQL QR code to auto-download of a suspicious file type (unsolicited)
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Linode Objects HTML file hosting
Sublime MQL Service abuse: Mimecast URL with excessive path length
Sublime MQL Service abuse: Suspicious Datadog alert
Sublime MQL Service abuse: Wix redirect through bulk mailer domains
Sublime MQL Sharepoint file share with suspicious recipients pattern
Sublime MQL Subject and sender display name contains matching long alphanumeric string
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL URI protocol handler: search-ms
Sublime MQL Vendor compromise: GovDelivery message with suspicious link
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

Exploit 10 rules

Sublime MQL Anthropic Magic String in HTML
Sublime MQL Attachment: Archive contains DLL-loading macro
Sublime MQL Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Sublime MQL Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability
Sublime MQL Attachment: LNK with embedded content
Sublime MQL Attachment: WinRAR CVE-2025-8088 exploitation
Sublime MQL Attachment: ZIP file with CVE-2026-0866 exploit
Sublime MQL CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
Sublime MQL Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt

Free email provider 3 rules

Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

Free file host 20 rules

Sublime MQL Attachment: ICS file with AWS Lambda URL
Sublime MQL Catbox.moe link from untrusted source
Sublime MQL File sharing link from suspicious sender domain
Sublime MQL Google Drive direct download link from unsolicited sender
Sublime MQL Link: Commonly Abused Web Service redirecting to ZIP file
Sublime MQL Link: Direct link to gamma.app document with mode parameter
Sublime MQL Link: Direct link to keap.app contact-us page
Sublime MQL Link: Direct link to limewire hosted file
Sublime MQL Link: Free file hosting with undisclosed recipients
Sublime MQL Link: IPFS
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Personalized URL with recipient address on commonly abused web service
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Link: URL redirecting to blob URL
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Notion suspicious file share
Sublime MQL Service abuse: GitHub notification with excessive mentions and suspicious links
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Linode Objects HTML file hosting
Sublime MQL Suspicious Links to Cloudflare R2 and Edge Services

Free subdomain host 10 rules

Sublime MQL Attachment: HTML smuggling with raw array buffer
Sublime MQL Link: Commonly Abused Web Service redirecting to ZIP file
Sublime MQL Link: Free file hosting with undisclosed recipients
Sublime MQL Link: IPFS
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Service abuse: GitHub notification with excessive mentions and suspicious links
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Suspicious Datadog alert
Sublime MQL Vendor compromise: GovDelivery message with suspicious link

HTML smuggling 37 rules

Sublime MQL Attachment: Any HTML file within archive (unsolicited)
Sublime MQL Attachment: Double base64-encoded zip file in HTML smuggling attachment
Sublime MQL Attachment: EML file with HTML attachment (unsolicited)
Sublime MQL Attachment: Fake Slack installer
Sublime MQL Attachment: Fake Zoom installer
Sublime MQL Attachment: HTML attachment with Javascript location
Sublime MQL Attachment: HTML file contains exclusively Javascript
Sublime MQL Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Sublime MQL Attachment: HTML file with excessive padding and suspicious patterns
Sublime MQL Attachment: HTML smuggling 'body onload' linking to suspicious destination
Sublime MQL Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Sublime MQL Attachment: HTML smuggling with atob and high entropy
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with auto-downloaded file
Sublime MQL Attachment: HTML smuggling with base64 encoded JavaScript function
Sublime MQL Attachment: HTML smuggling with base64 encoded ZIP file
Sublime MQL Attachment: HTML smuggling with concatenation obfuscation
Sublime MQL Attachment: HTML smuggling with decimal encoding
Sublime MQL Attachment: HTML smuggling with embedded base64 streamed file download
Sublime MQL Attachment: HTML smuggling with embedded base64-encoded executable
Sublime MQL Attachment: HTML smuggling with embedded base64-encoded ISO
Sublime MQL Attachment: HTML smuggling with eval and atob
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with fromCharCode and other signals
Sublime MQL Attachment: HTML smuggling with hex strings
Sublime MQL Attachment: HTML smuggling with high entropy and other signals
Sublime MQL Attachment: HTML smuggling with raw array buffer
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: HTML smuggling with setTimeout
Sublime MQL Attachment: HTML smuggling with unescape
Sublime MQL Attachment: SVG file with HTML entity encoded href attributes
Sublime MQL Attachment: Web files with suspicious comments
Sublime MQL CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
Sublime MQL HTML smuggling containing recipient email address
Sublime MQL HTML smuggling with atob in message body

ICS Phishing 7 rules

Sublime MQL Attachment: Calendar file with invisible Unicode characters
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: ICS file with AWS Lambda URL
Sublime MQL Attachment: ICS file with excessive custom properties
Sublime MQL Attachment: ICS with embedded document
Sublime MQL Attachment: ICS with embedded Javascript in SVG file

IPFS 2 rules

Sublime MQL Link: IPFS
Sublime MQL Vendor compromise: GovDelivery message with suspicious link

ISO 1 rule

Sublime MQL Attachment: HTML smuggling with embedded base64-encoded ISO

Image as content 6 rules

Sublime MQL Attachment: Fake attachment image lure
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: SVG files with evasion elements
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Link: PDF display text with fake copyright claim template

Impersonation: Brand 18 rules

Sublime MQL Adobe branded PDF file linking to a password-protected file from untrusted sender
Sublime MQL Attachment: Fake Slack installer
Sublime MQL Attachment: Fake Zoom installer
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Brand impersonation: Google Drive fake file share
Sublime MQL Brand impersonation: Paperless Post
Sublime MQL Brand impersonation: Sharepoint fake file share
Sublime MQL Brand impersonation: Vanguard
Sublime MQL Brand impersonation: WeTransfer
Sublime MQL Brand impersonation: Zoom with deceptive link display
Sublime MQL Brand spoof: Dropbox
Sublime MQL Google Accelerated Mobile Pages (AMP) abuse
Sublime MQL Link to auto-downloaded file with Adobe branding
Sublime MQL Link to auto-downloaded file with Google Drive branding
Sublime MQL Suspected WordPress abuse with cross-site scripting (XSS) indicators
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL Vendor compromise: GovDelivery message with suspicious link

Impersonation: Domain 2 rules

Sublime MQL Observed IOC: Malicious sender domains
Sublime MQL Observed IOC: Malicious sender root domains

Impersonation: Email address 1 rule

Sublime MQL Observed IOC: Malicious sender email addresses

Impersonation: Employee 2 rules

Sublime MQL Attachment with VBA macros from employee impersonation (unsolicited)
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

LNK 5 rules

Sublime MQL Attachment: Archive contains DLL-loading macro
Sublime MQL Attachment: LNK file
Sublime MQL Attachment: LNK with embedded content
Sublime MQL Link to auto-download of a suspicious file type (unsolicited)
Sublime MQL QR code to auto-download of a suspicious file type (unsolicited)

Lookalike domain 2 rules

Sublime MQL Lookalike sender domain (untrusted sender)
Sublime MQL Punycode sender domain

Macros 13 rules

Sublime MQL Attachment soliciting user to enable macros
Sublime MQL Attachment with auto-executing macro (unsolicited)
Sublime MQL Attachment with auto-opening VBA macro (unsolicited)
Sublime MQL Attachment with high risk VBA macro (unsolicited)
Sublime MQL Attachment with macro calling executable
Sublime MQL Attachment with VBA macros from employee impersonation (unsolicited)
Sublime MQL Attachment: Archive contains DLL-loading macro
Sublime MQL Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Sublime MQL Attachment: Encrypted Microsoft Office file (unsolicited)
Sublime MQL Attachment: Macro files containing MHT content
Sublime MQL Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
Sublime MQL Attachment: Potential sandbox evasion in Office file
Sublime MQL Suspicious VBA macros from untrusted sender

OneNote 1 rule

Sublime MQL Attachment: Malicious OneNote commands

Open redirect 102 rules

Sublime MQL Google Accelerated Mobile Pages (AMP) abuse
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Link to Google Apps Script macro (unsolicited)
Sublime MQL Link: Commonly Abused Web Service redirecting to ZIP file
Sublime MQL Link: Multistage landing - ClickUp abuse
Sublime MQL Link: URL redirecting to blob URL
Sublime MQL Open redirect: adnxs.com
Sublime MQL Open redirect: agena-smile.com
Sublime MQL Open redirect: amaterasu-for-website-5.com
Sublime MQL Open redirect: api.spently.com
Sublime MQL Open redirect: artkaderne
Sublime MQL Open Redirect: asemailmgmteu.com
Sublime MQL Open redirect: astroarts.co.jp
Sublime MQL Open redirect: Atdmt
Sublime MQL Open redirect: Avast
Sublime MQL Open redirect: bananaguide.com
Sublime MQL Open redirect: bangkoksync.com
Sublime MQL Open redirect: bestdeals.today
Sublime MQL Open redirect: BMW USA
Sublime MQL Open redirect: bubblelife.com
Sublime MQL Open redirect: buildingengines.com
Sublime MQL Open redirect: business.google.com website_shared URL Param
Sublime MQL Open redirect: chkc.com.hk
Sublime MQL Open redirect: Club-OS
Sublime MQL Open redirect: convertcart.com
Sublime MQL Open redirect: Dell
Sublime MQL Open redirect: designsori.com
Sublime MQL Open redirect: documentmailbox.com
Sublime MQL Open redirect: Doubleclick.net
Sublime MQL Open redirect: eaoko.org
Sublime MQL Open redirect: easycamp.com
Sublime MQL Open redirect: embluemail.com
Sublime MQL Open redirect: emlakarsa
Sublime MQL Open redirect: emp.eduyield.com
Sublime MQL Open redirect: eodcnetworkdirect.com
Sublime MQL Open redirect: events.csiro.au
Sublime MQL Open redirect: ExacTag
Sublime MQL Open redirect: fenc.com
Sublime MQL Open redirect: g7.fr
Sublime MQL Open redirect: Google Ad Services
Sublime MQL Open redirect: Google Web Light
Sublime MQL Open redirect: HHS
Sublime MQL Open redirect: ijf.org
Sublime MQL Open redirect: Indeed
Sublime MQL Open redirect: IndiaTimes
Sublime MQL Open redirect: isadatalab.com
Sublime MQL Open redirect: k-mil.net
Sublime MQL Open redirect: labcluster.com
Sublime MQL Open redirect: LearningApps
Sublime MQL Open redirect: Linkedin
Sublime MQL Open redirect: LinkedIn Redirect
Sublime MQL Open redirect: listing.ca
Sublime MQL Open redirect: magic4media.com
Sublime MQL Open redirect: magiccity.ne.jp
Sublime MQL Open redirect: magneticmarketing.com
Sublime MQL Open redirect: mail.spiceworks.com
Sublime MQL Open redirect: McGill University
Sublime MQL Open redirect: Medium
Sublime MQL Open redirect: MSN
Sublime MQL Open redirect: museepicassoparis.fr
Sublime MQL Open redirect: Nested Doubleclick.net
Sublime MQL Open redirect: Newegg
Sublime MQL Open redirect: obunsha.co.jp
Sublime MQL Open redirect: Panera Bread
Sublime MQL Open redirect: phoenixartstudio.net
Sublime MQL Open redirect: PIRL San Diego
Sublime MQL Open redirect: plasticsurgery.or.kr
Sublime MQL Open redirect: pmifunds.com
Sublime MQL Open redirect: predictiveresponse.net
Sublime MQL Open redirect: PremierBet
Sublime MQL Open redirect: qrxtech.com
Sublime MQL Open redirect: radiopublic.com
Sublime MQL Open redirect: retailrocket.net
Sublime MQL Open redirect: ringaraja.net
Sublime MQL Open redirect: Samsung
Sublime MQL Open redirect: sciencebuddies.org
Sublime MQL Open redirect: secondstreetapp.com
Sublime MQL Open redirect: shoppermeet.net
Sublime MQL Open redirect: shoppingwebapi.didatravel.com
Sublime MQL Open redirect: Slack
Sublime MQL Open redirect: smartadserver.com
Sublime MQL Open redirect: Snapchat
Sublime MQL Open redirect: social.bigpress.net
Sublime MQL Open redirect: ssg-financial.com
Sublime MQL Open redirect: stats.lib.pdx.edu
Sublime MQL Open redirect: storematch.jp
Sublime MQL Open redirect: Ticketmaster
Sublime MQL Open redirect: TikTok
Sublime MQL Open redirect: tkqlhce.com
Sublime MQL Open redirect: tuttocauzioni.it
Sublime MQL Open redirect: U.S. Antarctic Program Data Center (USAP-DC)
Sublime MQL Open redirect: unitedwaynwvt.org
Sublime MQL Open redirect: ust.hk
Sublime MQL Open redirect: vconfex.com
Sublime MQL Open redirect: VK
Sublime MQL Open redirect: whitefox.pl
Sublime MQL Open redirect: xfinity.com
Sublime MQL Open redirect: YouTube
Sublime MQL PDF attachment with Google (AE) redirecting to a php or zip file
Sublime MQL Service abuse: Google application integration redirecting to suspicious hosts
Sublime MQL Service abuse: Mimecast URL with excessive path length
Sublime MQL Service abuse: Wix redirect through bulk mailer domains

Out of band pivot 1 rule

Sublime MQL Link: ScreenConnect installer with suspicious relay domain

PDF 24 rules

Sublime MQL Adobe branded PDF file linking to a password-protected file from untrusted sender
Sublime MQL Attachment: Archive with pdf, txt and wsf files
Sublime MQL Attachment: Fake PDF Invoices Yara
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: Password-protected PDF with fake document indicators
Sublime MQL Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Sublime MQL Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
Sublime MQL Attachment: PDF Object Hash with Blue File Icon
Sublime MQL Attachment: PDF with CVE-2026-34621 lures
Sublime MQL Attachment: PDF with JSFck obfuscation
Sublime MQL Attachment: PDF with link to DMG file download
Sublime MQL Attachment: PDF with link to zip containing a wsf file
Sublime MQL Attachment: PDF with password in filename matching body text
Sublime MQL Attachment: PDF with suspicious HeadlessChrome metadata
Sublime MQL Attachment: PDF with suspicious language and redirect to suspicious file type
Sublime MQL Attachment: PDF with suspicious view document characteristics
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: Self-sender PDF with minimal content and view prompt
Sublime MQL Link: PDF display text with fake copyright claim template
Sublime MQL Link: PDF file disguised as HTML page
Sublime MQL PDF attachment with Google (AE) redirecting to a php or zip file
Sublime MQL URLhaus: Malicious domain in message body or pdf attachment (trusted reporters)

Punycode 1 rule

Sublime MQL Punycode sender domain

QR code 3 rules

Sublime MQL Attachment: EML with QR code redirecting to Cloudflare challenges
Sublime MQL Attachment: QR code with userinfo portion
Sublime MQL Attachment: SVG files with evasion elements

Scripting 53 rules

Sublime MQL Attachment: .csproj with suspicious commands
Sublime MQL Attachment: Any .sap file (unsolicited)
Sublime MQL Attachment: Archive contains DLL-loading macro
Sublime MQL Attachment: cmd file extension
Sublime MQL Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Sublime MQL Attachment: Double base64-encoded zip file in HTML smuggling attachment
Sublime MQL Attachment: Embedded Javascript in SVG file
Sublime MQL Attachment: Embedded VBScript in MHT file
Sublime MQL Attachment: EML with embedded Javascript in SVG file
Sublime MQL Attachment: Encrypted Microsoft Office file (unsolicited)
Sublime MQL Attachment: Fake Slack installer
Sublime MQL Attachment: Fake Zoom installer
Sublime MQL Attachment: File execution via Javascript
Sublime MQL Attachment: HTML attachment with Javascript location
Sublime MQL Attachment: HTML file contains exclusively Javascript
Sublime MQL Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts
Sublime MQL Attachment: HTML smuggling 'body onload' linking to suspicious destination
Sublime MQL Attachment: HTML smuggling 'body onload' with high entropy and suspicious text
Sublime MQL Attachment: HTML smuggling with atob and high entropy
Sublime MQL Attachment: HTML smuggling with atob and high entropy via calendar invite
Sublime MQL Attachment: HTML smuggling with auto-downloaded file
Sublime MQL Attachment: HTML smuggling with base64 encoded JavaScript function
Sublime MQL Attachment: HTML smuggling with base64 encoded ZIP file
Sublime MQL Attachment: HTML smuggling with concatenation obfuscation
Sublime MQL Attachment: HTML smuggling with decimal encoding
Sublime MQL Attachment: HTML smuggling with embedded base64 streamed file download
Sublime MQL Attachment: HTML smuggling with eval and atob
Sublime MQL Attachment: HTML smuggling with eval and atob via calendar invite
Sublime MQL Attachment: HTML smuggling with excessive line break obfuscation
Sublime MQL Attachment: HTML smuggling with fromCharCode and other signals
Sublime MQL Attachment: HTML smuggling with high entropy and other signals
Sublime MQL Attachment: HTML smuggling with RC4 decryption
Sublime MQL Attachment: HTML smuggling with ROT13
Sublime MQL Attachment: HTML smuggling with setTimeout
Sublime MQL Attachment: HTML smuggling with unescape
Sublime MQL Attachment: ICS with embedded Javascript in SVG file
Sublime MQL Attachment: JavaScript file with suspicious base64-encoded executable
Sublime MQL Attachment: LNK with embedded content
Sublime MQL Attachment: Macro files containing MHT content
Sublime MQL Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation
Sublime MQL Attachment: Malicious OneNote commands
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: Office document with VSTO add-in
Sublime MQL Attachment: Office file with suspicious function calls or downloaded file path
Sublime MQL Attachment: PowerPoint with suspicious hyperlink
Sublime MQL Attachment: PowerShell content
Sublime MQL Attachment: SFX archive containing commands
Sublime MQL Attachment: SVG file execution
Sublime MQL CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG
Sublime MQL HTML smuggling containing recipient email address
Sublime MQL Link: Landing page with search-ms protocol redirect
Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt
Sublime MQL Suspected WordPress abuse with cross-site scripting (XSS) indicators

Social engineering 50 rules

Sublime MQL Attachment with VBA macros from employee impersonation (unsolicited)
Sublime MQL Attachment: DOCX with hyperlink targeting recipient address
Sublime MQL Attachment: Employment contract update with suspicious file naming
Sublime MQL Attachment: Encrypted zip file with payment-related lure
Sublime MQL Attachment: Fake attachment image lure
Sublime MQL Attachment: Fake PDF Invoices Yara
Sublime MQL Attachment: Fake Slack installer
Sublime MQL Attachment: Fake Zoom installer
Sublime MQL Attachment: HTML smuggling with embedded base64 streamed file download
Sublime MQL Attachment: Microsoft impersonation via PDF with link and suspicious language
Sublime MQL Attachment: PDF with suspicious view document characteristics
Sublime MQL Attachment: Self-sender PDF with minimal content and view prompt
Sublime MQL Brand impersonation: Google Drive fake file share
Sublime MQL Brand impersonation: Sharepoint fake file share
Sublime MQL Catbox.moe link from untrusted source
Sublime MQL Fake request for tax preparation
Sublime MQL Google Drive direct download link from unsolicited sender
Sublime MQL Image as content with a link to an open redirect
Sublime MQL Link to auto-download of a suspicious file type (unsolicited)
Sublime MQL Link to auto-downloaded disk image in encrypted zip
Sublime MQL Link to auto-downloaded DMG in encrypted zip
Sublime MQL Link to auto-downloaded file with Adobe branding
Sublime MQL Link to auto-downloaded file with Google Drive branding
Sublime MQL Link to Google Apps Script macro (unsolicited)
Sublime MQL Link to Google Apps Script macro via comment tagging
Sublime MQL Link: .onion From Unsolicited Sender
Sublime MQL Link: /index.php enclosed in three asterisks
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: Executable file download with suspicious message content
Sublime MQL Link: Personalized URL with recipient address on commonly abused web service
Sublime MQL Link: ScreenConnect installer with suspicious relay domain
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Lookalike sender domain (untrusted sender)
Sublime MQL macOS malware: Compiled AppleScript with document double-extension
Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Newly registered sender or reply-to domain with newly registered linked domain
Sublime MQL Observed IOC: Malicious sender domains
Sublime MQL Observed IOC: Malicious sender email addresses
Sublime MQL Observed IOC: Malicious sender root domains
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Punycode sender domain
Sublime MQL QR code to auto-download of a suspicious file type (unsolicited)
Sublime MQL Service abuse: GitHub notification with excessive mentions and suspicious links
Sublime MQL Subject and sender display name contains matching long alphanumeric string
Sublime MQL Suspected WordPress abuse with cross-site scripting (XSS) indicators
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL Vendor compromise: GovDelivery message with suspicious link
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

Spoofing 3 rules

Sublime MQL Brand spoof: Dropbox
Sublime MQL Headers: Outlook Express mailer
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

No specific technique 9 rules

Sublime MQL AnonymousFox indicators
Sublime MQL Attachment with suspicious author (unsolicited)
Sublime MQL Attachment: EICAR string present
Sublime MQL Attachment: Office document loads remote document template
Sublime MQL Attachment: RDP connection file
Sublime MQL Attachment: Uncommon compressed file
Sublime MQL MalwareBazaar: Malicious attachment hash (trusted reporters)
Sublime MQL New link domain (<=10d) from untrusted sender
Sublime MQL Russia return-path TLD (untrusted sender)

BEC/Fraud Sublime email taxonomy

Encryption 2 rules

Sublime MQL Attachment: Encrypted zip file with payment-related lure
Sublime MQL Encrypted Microsoft Office files from untrusted sender

Evasion 67 rules

Sublime MQL Attachment: Calendar file with invisible Unicode characters
Sublime MQL Attachment: EML with Sharepoint link likely unrelated to sender
Sublime MQL Attachment: Encrypted zip file with payment-related lure
Sublime MQL Attachment: ICS with employee policy review lure
Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Attachment: Link to Doubleclick.net open redirect
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF with self-service platform links with self sender or blank recipients
Sublime MQL BEC with unusual reply-to or return-path mismatch
Sublime MQL BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Body: Yellow highlighted text markers
Sublime MQL Brand impersonation: QuickBooks notification from Intuit themed company name
Sublime MQL Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
Sublime MQL Callback phishing via Zelle Service Abuse
Sublime MQL Callback phishing: SumUp infrastructure abuse
Sublime MQL Credential phishing: Generic document share template
Sublime MQL Credential phishing: Generic document sharing
Sublime MQL Display Name Emoji with Financial Symbols
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Fake thread with suspicious indicators
Sublime MQL Fake warning banner using confusable characters
Sublime MQL Generic service abuse from newly registered domain
Sublime MQL Headers: Fake in-reply-to with wildcard sender and missing thread context
Sublime MQL Headers: Invalid recipient domain with mismatched reply-to from new sender
Sublime MQL Headers: iOS/iPadOS mailer with invalid build number
Sublime MQL Headers: Outlook Express mailer
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Sublime MQL Impersonation: Suspected supplier impersonation with suspicious content
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: BEC with newly registered domains and financial keywords
Sublime MQL Link: Cryptocurrency fraud with suspicious links
Sublime MQL Link: Display text matches subject line
Sublime MQL Link: Hotel booking spoofed display URL
Sublime MQL Link: Self-sent message with quarterly document review request
Sublime MQL Link: Self-sent PDF lure with subject correlation
Sublime MQL Link: Shortened URL with fragment matching subject
Sublime MQL Link: URL scheme obfuscation via split HTML anchors
Sublime MQL Microsoft infrastructure abuse with suspicious patterns
Sublime MQL Open redirect: Mailtrack Korea
Sublime MQL PayPal invoice abuse
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Reconnaissance: Empty subject with mismatched reply-to from new sender
Sublime MQL Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
Sublime MQL Sender: IP address in local part
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: Cisco secure email service with financial request
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: DocuSign notification with suspicious sender or document name
Sublime MQL Service abuse: Domains By Proxy sender
Sublime MQL Service abuse: Dropbox share from an unsolicited reply-to address
Sublime MQL Service abuse: Dropbox share from new domain
Sublime MQL Service abuse: Dropbox share with suspicious sender or document name
Sublime MQL Service Abuse: ExactTarget with suspicious sender indicators
Sublime MQL Service Abuse: HelloSign share with suspicious sender or document name
Sublime MQL Service abuse: HungerRush domain with SendGrid tracking targeting ProtonMail
Sublime MQL Service abuse: Nylas tracking subdomain with suspicious content
Sublime MQL Service abuse: Payoneer callback scam
Sublime MQL Service abuse: QuickBooks notification from new domain
Sublime MQL Service abuse: QuickBooks notification with suspicious comments
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Suspected lookalike domain with suspicious language
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Venmo payment request abuse
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL VIP impersonation: Fake thread with display name match, email mismatch

Free email provider 32 rules

Sublime MQL Attachment: Canva PDF with susupicious author metadata
Sublime MQL Attachment: PDF file with link to fake Bitcoin exchange
Sublime MQL BEC with unusual reply-to or return-path mismatch
Sublime MQL BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
Sublime MQL BEC/Fraud: Penpal scam
Sublime MQL BEC/Fraud: Romance scam
Sublime MQL BEC/Fraud: Scam lure with freemail pivot
Sublime MQL BEC/Fraud: Student loan callback phishing
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited)
Sublime MQL Canva infrastructure abuse
Sublime MQL COVID-19 themed fraud with sender and reply-to mismatch or compensation award
Sublime MQL Employee impersonation: Payroll fraud
Sublime MQL Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Sublime MQL Fake message thread - Untrusted sender with a mismatched freemail reply-to address
Sublime MQL Free email provider sender with mismatched provider reply-to
Sublime MQL Honorific greeting BEC attempt with sender and reply-to mismatch
Sublime MQL Impersonation: Executive using numbered local part
Sublime MQL Impersonation: Suspected supplier impersonation with suspicious content
Sublime MQL Link abuse: Self-service creation platform link with suspicious recipient behavior
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: Invoice or receipt from freemail sender with customer service number
Sublime MQL Reconnaissance: Email address harvesting attempt
Sublime MQL Reconnaissance: Hotel booking reply-to redirect
Sublime MQL Reconnaissance: Short generic greeting message
Sublime MQL Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
Sublime MQL Scam: Fake estate sale offering welding equipment and tools
Sublime MQL Scam: Piano giveaway
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Suspicious request for financial information
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators

Free file host 15 rules

Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF with self-service platform links with self sender or blank recipients
Sublime MQL DocuSign impersonation via CloudHQ links
Sublime MQL File sharing link with a suspicious subject
Sublime MQL Impersonation: Fake product discount promotion
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Service abuse: Citrix ShareFile impersonation via Outlook plugin
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: Formester with suspicious link behavior
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Service abuse: SendThisFile with credential theft and financial language
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Suspicious Links to Cloudflare R2 and Edge Services

Free subdomain host 6 rules

Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Link: Breely link masquerading as PDF
Sublime MQL Link: Cryptocurrency fraud with suspicious links
Sublime MQL Link: File sharing impersonation with suspicious language and sending patterns
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Link: WordPress login page with Blogspot Binance scam

HTML injection 1 rule

Sublime MQL Link: URL scheme obfuscation via split HTML anchors

ICS Phishing 4 rules

Sublime MQL Attachment: Calendar file with invisible Unicode characters
Sublime MQL Attachment: Calendar invite with Google redirect and invoice request
Sublime MQL Attachment: ICS file with meeting prefix
Sublime MQL Attachment: ICS with employee policy review lure

Impersonation: Brand 51 rules

Sublime MQL Attachment: EML with Sharepoint link likely unrelated to sender
Sublime MQL Attachment: Invoice and W-9 PDFs with suspicious creators
Sublime MQL Attachment: PDF file with link to fake Bitcoin exchange
Sublime MQL Attachment: RFP/RFQ impersonating government entities
Sublime MQL Attachment: USDA bid invitation impersonation
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Body: PayApp transaction reference pattern
Sublime MQL Brand impersonation: AARP
Sublime MQL Brand impersonation: Aquent
Sublime MQL Brand impersonation: Aramco
Sublime MQL Brand impersonation: AuthentiSign
Sublime MQL Brand impersonation: Canada Revenue Agency
Sublime MQL Brand impersonation: Enbridge
Sublime MQL Brand impersonation: Interac
Sublime MQL Brand impersonation: Internal Revenue Service
Sublime MQL Brand impersonation: Mailgun
Sublime MQL Brand impersonation: McAfee
Sublime MQL Brand impersonation: MetaMask
Sublime MQL Brand impersonation: Microsoft logo or suspicious language with open redirect
Sublime MQL Brand Impersonation: Procore
Sublime MQL Brand impersonation: Purdue ePlanroom with suspicious links
Sublime MQL Brand impersonation: QuickBooks dispute notification
Sublime MQL Brand impersonation: Robert Half
Sublime MQL Brand impersonation: SendGrid
Sublime MQL Brand impersonation: Social Security Administration
Sublime MQL Brand impersonation: Trust Wallet
Sublime MQL Brand impersonation: UK government Home Office
Sublime MQL Brand impersonation: Vanguard
Sublime MQL Brand impersonation: WeTransfer
Sublime MQL Canva infrastructure abuse
Sublime MQL Credential phishing: Tax form impersonation with payment request
Sublime MQL DocuSign impersonation via CloudHQ links
Sublime MQL Fraudulent e-commerce operators
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL Impersonation: Australian Federal Police with criminal case language
Sublime MQL Impersonation: Legal firm with copyright infringement notice
Sublime MQL Link: File sharing impersonation with suspicious language and sending patterns
Sublime MQL Link: Invoice or receipt from freemail sender with customer service number
Sublime MQL Link: WordPress login page with Blogspot Binance scam
Sublime MQL Microsoft infrastructure abuse with suspicious patterns
Sublime MQL Recruitee Infrastructure Abuse
Sublime MQL Scam soliciting employer review/rating
Sublime MQL Service abuse: Adobe Sign notification from an unsolicited reply-to address
Sublime MQL Service abuse: Cisco secure email service with financial request
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: Google classroom solicitation
Sublime MQL Service abuse: Roomsy with unrelated body content
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Venmo payment request abuse
Sublime MQL Xero invoice abuse

Impersonation: Domain 2 rules

Sublime MQL Observed IOC: Malicious sender domains
Sublime MQL Observed IOC: Malicious sender root domains

Impersonation: Email address 1 rule

Sublime MQL Observed IOC: Malicious sender email addresses

Impersonation: Employee 14 rules

Sublime MQL BEC: Employee impersonation with subject manipulation
Sublime MQL Canva infrastructure abuse
Sublime MQL Credential phishing: Generic document sharing
Sublime MQL Employee impersonation with urgent request (untrusted sender)
Sublime MQL Employee impersonation: Payroll fraud
Sublime MQL Headers: System account impersonation with empty sender address
Sublime MQL Impersonation: Employee using fabricated identity in initial contact
Sublime MQL Impersonation: Human Resources with link or attachment and engaging language
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Suspicious request for financial information
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL VIP impersonation with charitable donation fraud
Sublime MQL Xero invoice abuse

Impersonation: VIP 12 rules

Sublime MQL Attachment: Fake lawyer & sports agent identities
Sublime MQL Impersonation: Executive using numbered local part
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Suspicious request for financial information
Sublime MQL VIP / Executive impersonation (strict match, untrusted)
Sublime MQL VIP / Executive impersonation in subject (untrusted)
Sublime MQL VIP impersonation with BEC language (near match, untrusted sender)
Sublime MQL VIP impersonation with charitable donation fraud
Sublime MQL VIP impersonation with invoicing request
Sublime MQL VIP impersonation with urgent request (strict match, untrusted sender)
Sublime MQL VIP impersonation with w2 request with reply-to mismatch
Sublime MQL VIP impersonation: Fake thread with display name match, email mismatch

Lookalike domain 11 rules

Sublime MQL Brand impersonation: Aramco
Sublime MQL Brand impersonation: AuthentiSign
Sublime MQL Brand impersonation: Interac
Sublime MQL Brand impersonation: UK government Home Office
Sublime MQL Fraudulent e-commerce operators
Sublime MQL Impersonation: Suspected supplier impersonation with suspicious content
Sublime MQL Lookalike sender domain (untrusted sender)
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Suspected lookalike domain with suspicious language
Sublime MQL Vendor impersonation: Thread hijacking with typosquat domain

Macros 1 rule

Sublime MQL Attachment: USDA bid invitation impersonation

OneNote 1 rule

Sublime MQL Sharepoint link likely unrelated to sender

Open redirect 5 rules

Sublime MQL Attachment: Calendar invite with Google redirect and invoice request
Sublime MQL Attachment: Link to Doubleclick.net open redirect
Sublime MQL Brand impersonation: Microsoft logo or suspicious language with open redirect
Sublime MQL Open redirect: Mailtrack Korea
Sublime MQL Service abuse: Formester with suspicious link behavior

Out of band pivot 7 rules

Sublime MQL Attachment: Credit card application with WhatsApp contact
Sublime MQL BEC/Fraud: Job scam fake thread or plaintext pivot to freemail
Sublime MQL BEC/Fraud: Scam lure with freemail pivot
Sublime MQL BEC/Fraud: Student loan callback phishing
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL Scam: Fake estate sale offering welding equipment and tools
Sublime MQL Service abuse: Google classroom solicitation

PDF 16 rules

Sublime MQL Attachment: Canva PDF with susupicious author metadata
Sublime MQL Attachment: Fictitious invoice using LinkedIn's address
Sublime MQL Attachment: Invoice and W-9 PDFs with suspicious creators
Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF contains W9 or invoice YARA signatures
Sublime MQL Attachment: PDF file with link to fake Bitcoin exchange
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF with fake invoice using suspicious font sizing
Sublime MQL Attachment: PDF with self-service platform links with self sender or blank recipients
Sublime MQL Attachment: RFP/RFQ impersonating government entities
Sublime MQL Attachment: USDA bid invitation impersonation
Sublime MQL Credential phishing: Tax form impersonation with payment request
Sublime MQL Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Stripe invoice abuse

QR code 1 rule

Sublime MQL Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender

Scripting 2 rules

Sublime MQL HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Sublime MQL Link: Cryptocurrency fraud with suspicious links

Social engineering 164 rules

Sublime MQL Advance Fee Fraud (AFF) from freemail provider or suspicious TLD
Sublime MQL Attachment: Calendar invite with Google redirect and invoice request
Sublime MQL Attachment: Credit card application with WhatsApp contact
Sublime MQL Attachment: EML with Sharepoint link likely unrelated to sender
Sublime MQL Attachment: Encrypted zip file with payment-related lure
Sublime MQL Attachment: Fake lawyer & sports agent identities
Sublime MQL Attachment: Fictitious invoice using LinkedIn's address
Sublime MQL Attachment: ICS file with meeting prefix
Sublime MQL Attachment: ICS with employee policy review lure
Sublime MQL Attachment: Invoice and W-9 PDFs with suspicious creators
Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Attachment: Link to Doubleclick.net open redirect
Sublime MQL Attachment: PDF bid/proposal lure with credential theft indicators
Sublime MQL Attachment: PDF contains W9 or invoice YARA signatures
Sublime MQL Attachment: PDF file with link to fake Bitcoin exchange
Sublime MQL Attachment: PDF with fake invoice using suspicious font sizing
Sublime MQL Attachment: RFP/RFQ impersonating government entities
Sublime MQL Attachment: USDA bid invitation impersonation
Sublime MQL BEC with unusual reply-to or return-path mismatch
Sublime MQL BEC/Fraud: Fake investment outreach from suspicious TLD
Sublime MQL BEC/Fraud: Generic scam attempt to undisclosed recipients
Sublime MQL BEC/Fraud: Penpal scam
Sublime MQL BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply
Sublime MQL BEC/Fraud: Romance scam
Sublime MQL BEC/Fraud: Student loan callback phishing
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL BEC: Employee impersonation with subject manipulation
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Body: PayApp transaction reference pattern
Sublime MQL Brand impersonation: AARP
Sublime MQL Brand impersonation: Aquent
Sublime MQL Brand impersonation: Aramco
Sublime MQL Brand impersonation: AuthentiSign
Sublime MQL Brand impersonation: Canada Revenue Agency
Sublime MQL Brand impersonation: Enbridge
Sublime MQL Brand impersonation: Interac
Sublime MQL Brand impersonation: Internal Revenue Service
Sublime MQL Brand impersonation: McAfee
Sublime MQL Brand impersonation: MetaMask
Sublime MQL Brand impersonation: Microsoft logo or suspicious language with open redirect
Sublime MQL Brand Impersonation: Procore
Sublime MQL Brand impersonation: Purdue ePlanroom with suspicious links
Sublime MQL Brand impersonation: QuickBooks notification from Intuit themed company name
Sublime MQL Brand impersonation: Robert Half
Sublime MQL Brand impersonation: SendGrid
Sublime MQL Brand impersonation: Social Security Administration
Sublime MQL Brand impersonation: Trust Wallet
Sublime MQL Brand impersonation: UK government Home Office
Sublime MQL Business Email Compromise (BEC) attempt from unsolicited sender
Sublime MQL Business Email Compromise (BEC) attempt from untrusted sender
Sublime MQL Business Email Compromise (BEC) attempt from untrusted sender (French/Français)
Sublime MQL Business Email Compromise (BEC) with request for mobile number
Sublime MQL Business Email Compromise: Request for mobile number via reply thread hijacking
Sublime MQL Callback phishing via Zelle Service Abuse
Sublime MQL Callback phishing: SumUp infrastructure abuse
Sublime MQL Canva infrastructure abuse
Sublime MQL COVID-19 themed fraud with sender and reply-to mismatch or compensation award
Sublime MQL Credential phishing: Generic document share template
Sublime MQL Credential phishing: Generic document sharing
Sublime MQL Credential phishing: Tax form impersonation with payment request
Sublime MQL Display Name Emoji with Financial Symbols
Sublime MQL Employee impersonation with urgent request (untrusted sender)
Sublime MQL Employee impersonation: Payroll fraud
Sublime MQL Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Sublime MQL Fake message thread - Untrusted sender with a mismatched freemail reply-to address
Sublime MQL Fake request for tax preparation
Sublime MQL Fake thread with suspicious indicators
Sublime MQL Fake warning banner using confusable characters
Sublime MQL File sharing link with a suspicious subject
Sublime MQL Fraudulent e-commerce operators
Sublime MQL Fraudulent order confirmation/shipping notification from Chinese sender domain
Sublime MQL Free email provider sender with mismatched provider reply-to
Sublime MQL Generic service abuse from newly registered domain
Sublime MQL Headers: Fake in-reply-to with wildcard sender and missing thread context
Sublime MQL Headers: Invalid recipient domain with mismatched reply-to from new sender
Sublime MQL Headers: System account impersonation with empty sender address
Sublime MQL Headers: X-Source-Auth mismatch with mismatched reply-to domain
Sublime MQL Honorific greeting BEC attempt with sender and reply-to mismatch
Sublime MQL HR impersonation via e-sign agreement comment
Sublime MQL HTML: Bidirectional (BIDI) HTML override with right to left obfuscation
Sublime MQL Impersonation: Australian Federal Police with criminal case language
Sublime MQL Impersonation: Employee using fabricated identity in initial contact
Sublime MQL Impersonation: Executive using numbered local part
Sublime MQL Impersonation: Fake product discount promotion
Sublime MQL Impersonation: Human Resources with link or attachment and engaging language
Sublime MQL Impersonation: Legal firm with copyright infringement notice
Sublime MQL Impersonation: Suspected supplier impersonation with suspicious content
Sublime MQL Investor solicitation with organization targeting
Sublime MQL Job scam (unsolicited sender)
Sublime MQL Job scam with specific salary pattern
Sublime MQL Link abuse: Self-service creation platform link with suspicious recipient behavior
Sublime MQL Link: Apple App Store malicious ad manager themed apps from free email provider
Sublime MQL Link: BEC with newly registered domains and financial keywords
Sublime MQL Link: Breely link masquerading as PDF
Sublime MQL Link: Cryptocurrency fraud with suspicious links
Sublime MQL Link: Display text matches subject line
Sublime MQL Link: File sharing impersonation with suspicious language and sending patterns
Sublime MQL Link: Google Drawings link from new sender
Sublime MQL Link: Hotel booking spoofed display URL
Sublime MQL Link: Invoice or receipt from freemail sender with customer service number
Sublime MQL Link: Remittance payment request with timeline template
Sublime MQL Link: RFI document reference pattern in display text
Sublime MQL Link: Self-sent message with quarterly document review request
Sublime MQL Link: Self-sent PDF lure with subject correlation
Sublime MQL Link: Shortened URL with fragment matching subject
Sublime MQL Link: Tax document lure Portuguese/Spanish with suspicious domains
Sublime MQL Link: URL scheme obfuscation via split HTML anchors
Sublime MQL Link: WordPress login page with Blogspot Binance scam
Sublime MQL Lookalike sender domain (untrusted sender)
Sublime MQL Microsoft infrastructure abuse with suspicious patterns
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Newly registered sender or reply-to domain with newly registered linked domain
Sublime MQL Observed IOC: Malicious sender domains
Sublime MQL Observed IOC: Malicious sender email addresses
Sublime MQL Observed IOC: Malicious sender root domains
Sublime MQL PayPal invoice abuse
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Reconnaissance: Email address harvesting attempt
Sublime MQL Reconnaissance: Empty subject with mismatched reply-to from new sender
Sublime MQL Reconnaissance: Hotel booking reply-to redirect
Sublime MQL Reconnaissance: Short generic greeting message
Sublime MQL Recruitee Infrastructure Abuse
Sublime MQL Scam soliciting employer review/rating
Sublime MQL Scam: Fake estate sale offering welding equipment and tools
Sublime MQL Service abuse: Adobe legitimate domain with document approval language
Sublime MQL Service abuse: Adobe Sign notification from an unsolicited reply-to address
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: Cisco secure email service with financial request
Sublime MQL Service abuse: Citrix ShareFile impersonation via Outlook plugin
Sublime MQL Service abuse: DocSend share from newly registered domain
Sublime MQL Service abuse: DocuSign notification with suspicious sender or document name
Sublime MQL Service abuse: Domains By Proxy sender
Sublime MQL Service abuse: Dropbox share from an unsolicited reply-to address
Sublime MQL Service abuse: Dropbox share from new domain
Sublime MQL Service abuse: Dropbox share with suspicious sender or document name
Sublime MQL Service Abuse: ExactTarget with suspicious sender indicators
Sublime MQL Service abuse: Formester with suspicious link behavior
Sublime MQL Service abuse: Google classroom solicitation
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Service Abuse: HelloSign share with suspicious sender or document name
Sublime MQL Service abuse: Nylas tracking subdomain with suspicious content
Sublime MQL Service abuse: Payoneer callback scam
Sublime MQL Service abuse: QuickBooks notification from new domain
Sublime MQL Service abuse: QuickBooks notification with suspicious comments
Sublime MQL Service abuse: Recruiting with suspicious language patterns from legitimate platforms
Sublime MQL Service abuse: Roomsy with unrelated body content
Sublime MQL Service abuse: SendThisFile with credential theft and financial language
Sublime MQL Sharepoint link likely unrelated to sender
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Suspected lookalike domain with suspicious language
Sublime MQL Suspicious display name: Gmail sender with engaging language
Sublime MQL Suspicious DocuSign share from new domain
Sublime MQL Suspicious newly registered reply-to domain with engaging financial or urgent language
Sublime MQL Suspicious request for financial information
Sublime MQL Tax Form: W-8BEN solicitation
Sublime MQL Vendor impersonation: Thread hijacking with typosquat domain
Sublime MQL Venmo payment request abuse
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL VIP impersonation with BEC language (near match, untrusted sender)
Sublime MQL VIP impersonation with charitable donation fraud
Sublime MQL VIP impersonation with urgent request (strict match, untrusted sender)
Sublime MQL VIP impersonation: Fake thread with display name match, email mismatch
Sublime MQL Xero invoice abuse

Spoofing 12 rules

Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Business Email Compromise (BEC) attempt from unsolicited sender
Sublime MQL Headers: Fake in-reply-to with wildcard sender and missing thread context
Sublime MQL Headers: Outlook Express mailer
Sublime MQL Headers: System account impersonation with empty sender address
Sublime MQL Headers: X-Source-Auth mismatch with mismatched reply-to domain
Sublime MQL Link: BEC with newly registered domains and financial keywords
Sublime MQL Reconnaissance: Empty subject with mismatched reply-to from new sender
Sublime MQL Sender: IP address in local part
Sublime MQL Vendor impersonation: Thread hijacking with typosquat domain
Sublime MQL VIP Impersonation via Google Group relay with suspicious indicators
Sublime MQL VIP impersonation: Fake thread with display name match, email mismatch

No specific technique 2 rules

Sublime MQL AnonymousFox indicators
Sublime MQL Russia return-path TLD (untrusted sender)

Callback Phishing Sublime email taxonomy

Encryption 1 rule

Sublime MQL Encrypted Microsoft Office files from untrusted sender

Evasion 33 rules

Sublime MQL Attachment: Calendar invite from recently registered domain
Sublime MQL Attachment: Callback phishing solicitation via image file
Sublime MQL Attachment: Callback phishing solicitation via pdf file
Sublime MQL Attachment: Callback phishing solicitation via text-based file
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Brand impersonation: QuickBooks notification from Intuit themed company name
Sublime MQL Callback phishing via Adobe Sign comment
Sublime MQL Callback phishing via calendar invite
Sublime MQL Callback phishing via DocuSign comment
Sublime MQL Callback phishing via Intuit service abuse
Sublime MQL Callback phishing via Zelle Service Abuse
Sublime MQL Callback phishing via Zoho service abuse
Sublime MQL Callback phishing: Social Security Administration fraud
Sublime MQL Callback phishing: SumUp infrastructure abuse
Sublime MQL Display Name Emoji with Financial Symbols
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Generic service abuse from newly registered domain
Sublime MQL Inbound message from popular service via newly observed distribution list
Sublime MQL Message traversed multiple onmicrosoft.com tenants
Sublime MQL Microsoft infrastructure abuse with suspicious patterns
Sublime MQL PayPal invoice abuse
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: DocuSign notification with suspicious sender or document name
Sublime MQL Service abuse: Dropbox share from an unsolicited reply-to address
Sublime MQL Service abuse: Dropbox share from new domain
Sublime MQL Service abuse: Dropbox share with suspicious sender or document name
Sublime MQL Service Abuse: GoDaddy infrastructure
Sublime MQL Service Abuse: HelloSign share with suspicious sender or document name
Sublime MQL Service abuse: Payoneer callback scam
Sublime MQL Service abuse: QuickBooks notification from new domain
Sublime MQL Service abuse: QuickBooks notification with suspicious comments
Sublime MQL Venmo payment request abuse

Exploit 3 rules

Sublime MQL Callback Phishing via Signable E-Signature Request
Sublime MQL Callback phishing via SignFree e-signature request
Sublime MQL Callback phishing via Xodo Sign comment

Free email provider 20 rules

Sublime MQL Attachment: Callback phishing solicitation via image file
Sublime MQL Attachment: Callback phishing solicitation via pdf file
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Callback phishing solicitation in message body
Sublime MQL Callback phishing via e-signature service
Sublime MQL Callback phishing via Google Group abuse
Sublime MQL Callback phishing via Intuit service abuse
Sublime MQL Callback phishing via Zoho service abuse
Sublime MQL Callback phishing: AOL senders with suspicious HTML template or PDF attachment
Sublime MQL Callback phishing: Social Security Administration fraud
Sublime MQL Canva infrastructure abuse
Sublime MQL Link: Invoice or receipt from freemail sender with customer service number
Sublime MQL Message traversed multiple onmicrosoft.com tenants
Sublime MQL Reconnaissance: Short generic greeting message
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Service abuse: Google Groups callback scam
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Suspicious mailer received from Gmail servers

Free file host 7 rules

Sublime MQL Link: Jensi file preview link from unsolicited sender
Sublime MQL Link: Webflow link from unsolicited sender
Sublime MQL Link: Zoho form link from unsolicited sender
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Suspicious Links to Cloudflare R2 and Edge Services

Free subdomain host 3 rules

Sublime MQL Link: Jensi file preview link from unsolicited sender
Sublime MQL Link: Webflow link from unsolicited sender
Sublime MQL Message traversed multiple onmicrosoft.com tenants

ICS Phishing 3 rules

Sublime MQL Attachment: Calendar invite from recently registered domain
Sublime MQL Callback phishing via calendar invite
Sublime MQL Service abuse: Google Calendar notification with callback scam language

Image as content 1 rule

Sublime MQL Attachment: Callback phishing solicitation via image file

Impersonation: Brand 40 rules

Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Body: PayApp transaction reference pattern
Sublime MQL Brand impersonation: AliExpress
Sublime MQL Brand impersonation: GitHub with callback scam indicators
Sublime MQL Brand impersonation: McAfee
Sublime MQL Brand impersonation: Quickbooks
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Brand impersonation: Vanguard
Sublime MQL Brand impersonation: WeTransfer
Sublime MQL Callback phishing solicitation in message body
Sublime MQL Callback phishing via Adobe Sign comment
Sublime MQL Callback phishing via Apple ID display name abuse
Sublime MQL Callback phishing via DocuSign comment
Sublime MQL Callback phishing via e-signature service
Sublime MQL Callback phishing via extensionless rfc822 attachment
Sublime MQL Callback phishing via Google Group abuse
Sublime MQL Callback phishing via Intuit service abuse
Sublime MQL Callback phishing via Microsoft comment
Sublime MQL Callback Phishing via Signable E-Signature Request
Sublime MQL Callback phishing via SignFree e-signature request
Sublime MQL Callback phishing via Xodo Sign comment
Sublime MQL Callback phishing via Yammer comment
Sublime MQL Callback phishing via Zoho service abuse
Sublime MQL Callback Phishing via Zoom comment
Sublime MQL Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
Sublime MQL Callback scam: Impersonation via TimeTrade infrastructure
Sublime MQL Canva infrastructure abuse
Sublime MQL Link: Invoice or receipt from freemail sender with customer service number
Sublime MQL Microsoft infrastructure abuse with suspicious patterns
Sublime MQL Service abuse: Adobe Sign notification from an unsolicited reply-to address
Sublime MQL Service abuse: AWS SNS callback scam impersonation
Sublime MQL Service abuse: Calendly callback scam detection
Sublime MQL Service abuse: Callback phishing via Microsoft Teams invite
Sublime MQL Service abuse: Google classroom solicitation
Sublime MQL Service abuse: IBM IAM account notification with callback scam indicators
Sublime MQL Service abuse: Microsoft Power Apps callback scam
Sublime MQL Service abuse: MongoDB Atlas callback scam
Sublime MQL Service abuse: PayPal manager account creation with callback scam indicators
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Venmo payment request abuse

Impersonation: Employee 2 rules

Sublime MQL Canva infrastructure abuse
Sublime MQL Service Abuse: Box file sharing with credential phishing intent

Impersonation: VIP 1 rule

Sublime MQL Service Abuse: Box file sharing with credential phishing intent

Out of band pivot 31 rules

Sublime MQL Attachment: Callback phishing solicitation via image file
Sublime MQL Attachment: Callback phishing solicitation via pdf file
Sublime MQL Attachment: Callback phishing solicitation via text-based file
Sublime MQL Brand impersonation: GitHub with callback scam indicators
Sublime MQL Callback phishing in body or attachment (untrusted sender)
Sublime MQL Callback phishing solicitation in message body
Sublime MQL Callback phishing via Adobe Sign comment
Sublime MQL Callback phishing via Apple ID display name abuse
Sublime MQL Callback phishing via DocuSign comment
Sublime MQL Callback phishing via Google Meet
Sublime MQL Callback phishing via Microsoft comment
Sublime MQL Callback Phishing via Signable E-Signature Request
Sublime MQL Callback phishing via SignFree e-signature request
Sublime MQL Callback phishing via Xodo Sign comment
Sublime MQL Callback phishing via Yammer comment
Sublime MQL Callback Phishing via Zoom comment
Sublime MQL Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
Sublime MQL Callback phishing: Social Security Administration fraud
Sublime MQL Callback scam: Impersonation via TimeTrade infrastructure
Sublime MQL Service abuse: Amazon invitation with suspected callback phishing
Sublime MQL Service abuse: AWS SNS callback scam impersonation
Sublime MQL Service abuse: Callback phishing via Microsoft Teams invite
Sublime MQL Service abuse: GetAccept callback scam content
Sublime MQL Service abuse: Google Calendar notification with callback scam language
Sublime MQL Service abuse: Google classroom solicitation
Sublime MQL Service abuse: IBM IAM account notification with callback scam indicators
Sublime MQL Service abuse: Microsoft Power Apps callback scam
Sublime MQL Service abuse: Microsoft Power Automate callback scam impersonation
Sublime MQL Service abuse: Microsoft Power BI callback scam
Sublime MQL Service abuse: Monday.com callback scam
Sublime MQL Service abuse: WeTransfer callback scam

PDF 5 rules

Sublime MQL Attachment: Callback phishing solicitation via pdf file
Sublime MQL Attachment: PDF generated with wkhtmltopdf tool and default title
Sublime MQL Attachment: PDF with fake invoice using suspicious font sizing
Sublime MQL Callback phishing: Social Security Administration fraud
Sublime MQL Stripe invoice abuse

Social engineering 79 rules

Sublime MQL Attachment: Calendar invite from recently registered domain
Sublime MQL Attachment: Callback phishing solicitation via image file
Sublime MQL Attachment: Callback phishing solicitation via pdf file
Sublime MQL Attachment: Callback phishing solicitation via text-based file
Sublime MQL Attachment: PDF with fake invoice using suspicious font sizing
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Body: PayApp transaction reference pattern
Sublime MQL Brand impersonation: AliExpress
Sublime MQL Brand impersonation: GitHub with callback scam indicators
Sublime MQL Brand impersonation: McAfee
Sublime MQL Brand impersonation: Quickbooks
Sublime MQL Brand impersonation: QuickBooks notification from Intuit themed company name
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Callback phishing in body or attachment (untrusted sender)
Sublime MQL Callback phishing solicitation in message body
Sublime MQL Callback phishing via Adobe Sign comment
Sublime MQL Callback phishing via Apple ID display name abuse
Sublime MQL Callback phishing via calendar invite
Sublime MQL Callback phishing via DocuSign comment
Sublime MQL Callback phishing via e-signature service
Sublime MQL Callback phishing via extensionless rfc822 attachment
Sublime MQL Callback phishing via Google Group abuse
Sublime MQL Callback phishing via Intuit service abuse
Sublime MQL Callback phishing via Microsoft comment
Sublime MQL Callback Phishing via Signable E-Signature Request
Sublime MQL Callback phishing via SignFree e-signature request
Sublime MQL Callback phishing via Xodo Sign comment
Sublime MQL Callback phishing via Yammer comment
Sublime MQL Callback phishing via Zelle Service Abuse
Sublime MQL Callback phishing via Zoho service abuse
Sublime MQL Callback Phishing via Zoom comment
Sublime MQL Callback phishing: AOL senders with suspicious HTML template or PDF attachment
Sublime MQL Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
Sublime MQL Callback phishing: Social Security Administration fraud
Sublime MQL Callback phishing: SumUp infrastructure abuse
Sublime MQL Callback scam: Impersonation via TimeTrade infrastructure
Sublime MQL Canva infrastructure abuse
Sublime MQL Display Name Emoji with Financial Symbols
Sublime MQL Generic service abuse from newly registered domain
Sublime MQL Inbound message from popular service via newly observed distribution list
Sublime MQL Link: /index.php enclosed in three asterisks
Sublime MQL Link: Direct POWR.io Form Builder with suspicious patterns
Sublime MQL Link: Invoice or receipt from freemail sender with customer service number
Sublime MQL Microsoft infrastructure abuse with suspicious patterns
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL PayPal invoice abuse
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Reconnaissance: Short generic greeting message
Sublime MQL Service abuse: Adobe Sign notification from an unsolicited reply-to address
Sublime MQL Service abuse: Amazon invitation with suspected callback phishing
Sublime MQL Service abuse: AWS SNS callback scam impersonation
Sublime MQL Service Abuse: Box file sharing with credential phishing intent
Sublime MQL Service abuse: Calendly callback scam detection
Sublime MQL Service abuse: Callback phishing via Microsoft Teams invite
Sublime MQL Service abuse: DocuSign notification with suspicious sender or document name
Sublime MQL Service abuse: Dropbox share from an unsolicited reply-to address
Sublime MQL Service abuse: Dropbox share from new domain
Sublime MQL Service abuse: Dropbox share with suspicious sender or document name
Sublime MQL Service abuse: GetAccept callback scam content
Sublime MQL Service abuse: Google Calendar notification with callback scam language
Sublime MQL Service abuse: Google classroom solicitation
Sublime MQL Service abuse: Google Drive share from an unsolicited reply-to address
Sublime MQL Service abuse: Google Drive share from new reply-to domain
Sublime MQL Service abuse: Google Groups callback scam
Sublime MQL Service Abuse: HelloSign share with suspicious sender or document name
Sublime MQL Service abuse: IBM IAM account notification with callback scam indicators
Sublime MQL Service abuse: Microsoft Power Apps callback scam
Sublime MQL Service abuse: Microsoft Power Automate callback scam impersonation
Sublime MQL Service abuse: Microsoft Power BI callback scam
Sublime MQL Service abuse: Monday.com callback scam
Sublime MQL Service abuse: MongoDB Atlas callback scam
Sublime MQL Service abuse: Payoneer callback scam
Sublime MQL Service abuse: PayPal manager account creation with callback scam indicators
Sublime MQL Service abuse: QuickBooks notification from new domain
Sublime MQL Service abuse: QuickBooks notification with suspicious comments
Sublime MQL Service abuse: WeTransfer callback scam
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Suspicious mailer received from Gmail servers
Sublime MQL Venmo payment request abuse

Spoofing 1 rule

Sublime MQL Service abuse: PayPal manager account creation with callback scam indicators

Spam Sublime email taxonomy

Encryption 1 rule

Sublime MQL Encrypted Microsoft Office files from untrusted sender

Evasion 27 rules

Sublime MQL Body HTML: Comment with 24-character hex token
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Credential theft: Gophish abuse with hidden tracking image
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Fake shipping notification with suspicious language
Sublime MQL Fake thread with suspicious indicators
Sublime MQL Headers: Invalid recipient domain with mismatched reply-to from new sender
Sublime MQL Headers: risky-recover-production message ID
Sublime MQL Link: Spam website with evasion indicators
Sublime MQL Open redirect: Cartoon Network
Sublime MQL Open redirect: Klaviyo
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Reconnaissance: Empty message from uncommon sender
Sublime MQL Sender: IP address in local part
Sublime MQL Service abuse: Domains By Proxy sender
Sublime MQL Service abuse: Zoom with newly registered reply-to domain
Sublime MQL Sharepoint online with external recipients and external display name
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Spam: BlackBaud infrastructure abuse
Sublime MQL Spam: Fake photo share
Sublime MQL Spam: Firebase password reset from suspicious sender
Sublime MQL Spam: Sendersrv.com with financial communications and unsubscribe language
Sublime MQL Spam: Unsolicited malformed PDF
Sublime MQL Suspicious subject with long procedurally generated text blob
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener
Sublime MQL Unusually long local part from untrusted sender address

Exploit 1 rule

Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt

Free email provider 22 rules

Sublime MQL Attachment: Calendar invite with suspicious link leading to an open redirect
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Link abuse: Self-service creation platform link with suspicious recipient behavior
Sublime MQL Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Sublime MQL Link: Observed URL pattern with specific domain registrar
Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt
Sublime MQL Reconnaissance: Email address harvesting attempt
Sublime MQL Service Abuse: Zoom with freemail reply-to and recipient address in greeting
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Spam: Fake dating profile notification
Sublime MQL Spam: New link domain (<=10d) and emojis
Sublime MQL Spam: Sexually explicit content with emoji in subject from freemail provider
Sublime MQL Spam: Sexually explicit Google Drive share
Sublime MQL Spam: Sexually explicit Google group invitation
Sublime MQL Spam: Sexually explicit Looker Studio report
Sublime MQL Spam: SMTP & Proxy Communications in Email Body
Sublime MQL Spam: Unsolicited malformed PDF
Sublime MQL Spam: URL shortener with short body content and emojis
Sublime MQL Suspicious mailer received from Gmail servers

Free file host 7 rules

Sublime MQL Attachment: Calendar invite with suspicious link leading to an open redirect
Sublime MQL Fake shipping notification with link to free file hosting
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Spam: Campaign with excessive space/char obfuscation and free file hosted link
Sublime MQL Suspicious Links to Cloudflare R2 and Edge Services

Free subdomain host 5 rules

Sublime MQL Attachment: Calendar invite with suspicious link leading to an open redirect
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Link: Blogspot hosting explicit romance content
Sublime MQL Service abuse: Google Firebase sender address with suspicious content
Sublime MQL Spam: Link to blob.core.windows.net from new domain (<30d)

ICS Phishing 2 rules

Image as content 6 rules

Sublime MQL Attachment: Cold outreach with invitation subject and not attachment
Sublime MQL Credential theft: Gophish abuse with hidden tracking image
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Spam: BlackBaud infrastructure abuse
Sublime MQL Spam: Item giveaway spam template
Sublime MQL Spam: Mastercard promotional content with image-based body

Impersonation: Brand 23 rules

Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: SendGrid
Sublime MQL Brand Impersonation: Shein
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Brand impersonation: Vanguard
Sublime MQL Brand impersonation: WeTransfer
Sublime MQL Fake shipping notification with link to free file hosting
Sublime MQL Link: Squarespace infrastructure abuse
Sublime MQL Open redirect: Klaviyo
Sublime MQL Service abuse: Adobe Sign notification from an unsolicited reply-to address
Sublime MQL Service abuse: Demio notifications with suspicious content patterns
Sublime MQL Service abuse: Microsoft with suspicious indicators in subject
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Spam: BlackBaud infrastructure abuse
Sublime MQL Spam: Commonly observed formatting of unauthorized free giveaways
Sublime MQL Spam: Cryptocurrency airdrop/giveaway
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Spam: Mastercard promotional content with image-based body
Sublime MQL Spam: Single recipient duplicated in cc
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener

Lookalike domain 3 rules

Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Spam/fraud: Predatory journal/research paper request

Open redirect 4 rules

Sublime MQL Attachment: Calendar invite with suspicious link leading to an open redirect
Sublime MQL Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Sublime MQL Open redirect: Cartoon Network
Sublime MQL Open redirect: Klaviyo

PDF 1 rule

Sublime MQL Spam: Unsolicited malformed PDF

Scripting 1 rule

Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt

Social engineering 53 rules

Sublime MQL Attachment: Cold outreach with invitation subject and not attachment
Sublime MQL BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns
Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Brand impersonation: Hulu
Sublime MQL Brand impersonation: KnowBe4
Sublime MQL Brand impersonation: SendGrid
Sublime MQL Brand Impersonation: Shein
Sublime MQL Brand impersonation: SiriusXM
Sublime MQL Fake shipping notification with link to free file hosting
Sublime MQL Fake thread with suspicious indicators
Sublime MQL Headers: Invalid recipient domain with mismatched reply-to from new sender
Sublime MQL Invoicera infrastructure abuse
Sublime MQL Link abuse: Self-service creation platform link with suspicious recipient behavior
Sublime MQL Link: Blogspot hosting explicit romance content
Sublime MQL Link: Google Calendar invite linking to an open redirect from an untrusted freemail sender
Sublime MQL Link: Romance/Sexual Language With Suspicious Link
Sublime MQL Link: Squarespace infrastructure abuse
Sublime MQL Mass campaign: Cross Site Scripting (XSS) attempt
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Open redirect: Klaviyo
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Reconnaissance: Email address harvesting attempt
Sublime MQL Reconnaissance: Empty message from uncommon sender
Sublime MQL Service abuse: Adobe Sign notification from an unsolicited reply-to address
Sublime MQL Service abuse: Apple TestFlight with suspicious developer reference
Sublime MQL Service abuse: Demio notifications with suspicious content patterns
Sublime MQL Service abuse: Domains By Proxy sender
Sublime MQL Service abuse: Google Firebase sender address with suspicious content
Sublime MQL Service abuse: Microsoft with suspicious indicators in subject
Sublime MQL Service Abuse: Zoom with freemail reply-to and recipient address in greeting
Sublime MQL Service abuse: Zoom with newly registered reply-to domain
Sublime MQL Spam/fraud: Predatory journal/research paper request
Sublime MQL Spam: BlackBaud infrastructure abuse
Sublime MQL Spam: Commonly observed formatting of unauthorized free giveaways
Sublime MQL Spam: Cryptocurrency airdrop/giveaway
Sublime MQL Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Sublime MQL Spam: Fake dating profile notification
Sublime MQL Spam: Fake photo share
Sublime MQL Spam: Firebase password reset from suspicious sender
Sublime MQL Spam: Ghostwriting services scam with manipulative language
Sublime MQL Spam: Mastercard promotional content with image-based body
Sublime MQL Spam: Personalized subject and greetings via Salesforce Marketing Cloud
Sublime MQL Spam: Sendersrv.com with financial communications and unsubscribe language
Sublime MQL Spam: Sexually explicit content with emoji in subject from freemail provider
Sublime MQL Spam: Sexually explicit Google Drive share
Sublime MQL Spam: Sexually explicit Google group invitation
Sublime MQL Spam: Sexually explicit Looker Studio report
Sublime MQL Spam: Single recipient duplicated in cc
Sublime MQL Spam: Unsolicited WordPress account creation or password reset request
Sublime MQL Suspicious mailer received from Gmail servers
Sublime MQL Targeting: Specific AOL address
Sublime MQL Truth Social infrastructure abuse via link redirect
Sublime MQL Twitter infrastructure abuse via link shortener

Spoofing 2 rules

Sublime MQL Body: Embedded email headers indicative of thread hijacking/abuse
Sublime MQL Sender: IP address in local part

No specific technique 4 rules

Sublime MQL Spam: Attendee list solicitation
Sublime MQL Spam: Campaign with excessive display-text and keywords found
Sublime MQL Spam: New job cold outreach from unsolicited sender
Sublime MQL Spam: Website errors solicitation

Extortion Sublime email taxonomy

Encryption 1 rule

Sublime MQL Encrypted Microsoft Office files from untrusted sender

Evasion 4 rules

Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Encrypted Microsoft Office files from untrusted sender
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Service Abuse: GoDaddy infrastructure

Free file host 2 rules

Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Suspicious Links to Cloudflare R2 and Edge Services

Impersonation: Brand 5 rules

Sublime MQL Brand impersonation: Vanguard
Sublime MQL Brand impersonation: WeTransfer
Sublime MQL Impersonation: Australian Federal Police with criminal case language
Sublime MQL Impersonation: Legal firm with copyright infringement notice
Sublime MQL Service abuse: Elastic alerts extortion

PDF 1 rule

Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators

Social engineering 8 rules

Sublime MQL Attachment: Legal themed message or PDF with suspicious indicators
Sublime MQL Extortion / sextortion (untrusted sender)
Sublime MQL Extortion / sextortion in attachment from untrusted sender
Sublime MQL Impersonation: Australian Federal Police with criminal case language
Sublime MQL Impersonation: Legal firm with copyright infringement notice
Sublime MQL Mismatched links: Free file share with urgent language
Sublime MQL Potential prompt injection attack in body HTML
Sublime MQL Service abuse: Elastic alerts extortion

Spoofing 2 rules

Sublime MQL Extortion / sextortion (untrusted sender)
Sublime MQL Extortion / sextortion in attachment from untrusted sender

Reconnaissance Sublime email taxonomy

No specific technique 2 rules

Sublime MQL Reconnaissance: All recipients cc/bcc'd or undisclosed
Sublime MQL Reconnaissance: Large unknown recipient list

Uncategorized Sublime email taxonomy

Evasion 1 rule

Sublime MQL Non-RFC compliant calendar files from unsolicited sender

Free subdomain host 1 rule

Sublime MQL Link: Free subdomain host with undisclosed recipients

HTML smuggling 2 rules

Sublime MQL Attachment: Any HTML file (unsolicited)
Sublime MQL Attachment: Any HTML file (untrusted sender)

ICS Phishing 1 rule

Sublime MQL Non-RFC compliant calendar files from unsolicited sender

Impersonation: VIP 1 rule

Sublime MQL VIP local_part impersonation from unsolicited sender

Social engineering 1 rule

Sublime MQL Non-RFC compliant calendar files from unsolicited sender

Spoofing 2 rules

Sublime MQL SPF temp error
Sublime MQL VIP local_part impersonation from unsolicited sender

Cloud & SaaS activity monitoring 410 rules

Cloud, SaaS, and identity governance: app registrations, OAuth grants, role and permission changes, sharing and config drift -- audit activity no single ATT&CK technique describes.

Veeam 96 rules

Kusto Adding User or Group Failed available
Kusto Application Group Deleted available
Kusto Application Group Settings Updated available
Kusto Archive Repository Deleted available
Kusto Archive Repository Settings Updated available
Kusto Attempt to Update Security Object Failed available
Kusto Backup Proxy Deleted available
Kusto Backup Repository Deleted available
Kusto Backup Repository Settings Updated available
Kusto Cloud Gateway Deleted available
Kusto Cloud Gateway Pool Deleted available
Kusto Cloud Gateway Pool Settings Updated available
Kusto Cloud Gateway Settings Updated available
Kusto Cloud Replica Permanent Failover Performed by Tenant available
Kusto Configuration Backup Job Settings Updated available
Kusto Credential Record Deleted available
Kusto Credential Record Updated available
Kusto Detaching Backups Started available
Kusto Encryption Password Added available
Kusto Encryption Password Changed available
Kusto Encryption Password Deleted available
Kusto External Repository Deleted available
Kusto External Repository Settings Updated available
Kusto Failover Plan Deleted available
Kusto Failover Plan Failed available
Kusto Failover Plan Settings Updated available
Kusto Failover Plan Started available
Kusto Failover Plan Stopped available
Kusto File Server Deleted available
Kusto File Server Settings Updated available
Kusto File Share Deleted available
Kusto Four-Eyes Authorization Disabled available
Kusto Four-Eyes Authorization Request Created available
Kusto Four-Eyes Authorization Request Expired available
Kusto Four-Eyes Authorization Request Rejected available
Kusto General Settings Updated available
Kusto Global Network Traffic Rules Deleted available
Kusto Global VM Exclusions Added available
Kusto Global VM Exclusions Changed available
Kusto Global VM Exclusions Deleted available
Kusto Host Deleted available
Kusto Host Settings Updated available
Kusto Hypervisor Host Deleted available
Kusto Hypervisor Host Settings Updated available
Kusto Invalid Code for Multi-Factor Authentication Entered available
Kusto Job Deleted available
Kusto Job No Longer Used as Second Destination available
Kusto KMS Key Rotation Job Finished available
Kusto KMS Server Deleted available
Kusto KMS Server Settings Updated available
Kusto License Removed available
Kusto Malware Detection Exclusions List Updated available
Kusto Malware Detection Settings Updated available
Kusto Multi-Factor Authentication Disabled available
Kusto Multi-Factor Authentication for User Disabled available
Kusto Multi-Factor Authentication Token Revoked available
Kusto Multi-Factor Authentication User Locked available
Kusto NDMP Server Deleted available
Kusto Object Storage Deleted available
Kusto Object Storage Settings Updated available
Kusto Objects Added to Malware Detection Exclusions available
Kusto Objects Deleted from Malware Detection Exclusions available
Kusto Objects for Job Deleted available
Kusto Objects for Protection Group Changed available
Kusto Objects for Protection Group Deleted available
Kusto Preferred Networks Deleted available
Kusto Protection Group Deleted available
Kusto Protection Group Settings Updated available
Kusto Recovery Token Deleted available
Kusto Scale-Out Backup Repository Deleted available
Kusto Scale-Out Backup Repository Settings Updated available
Kusto Service Provider Deleted available
Kusto Service Provider Updated available
Kusto SSH Credentials Changed available
Kusto Storage Deleted available
Kusto Storage Settings Updated available
Kusto Subtenant Deleted available
Kusto Subtenant Updated available
Kusto Tape Erase Job Started available
Kusto Tape Library Deleted available
Kusto Tape Media Pool Deleted available
Kusto Tape Media Vault Deleted available
Kusto Tape Medium Deleted available
Kusto Tape Server Deleted available
Kusto Tenant Password Changed available
Kusto Tenant Quota Changed available
Kusto Tenant Quota Deleted available
Kusto Tenant Replica Started available
Kusto Tenant Replica Stopped available
Kusto Tenant State Changed available
Kusto User or Group Added available
Kusto User or Group Deleted available
Kusto Virtual Lab Deleted available
Kusto Virtual Lab Settings Updated available
Kusto WAN Accelerator Deleted available
Kusto WAN Accelerator Settings Updated available

GCP 30 rules

Panther Exec into Pod
Panther GCP Access Attempts Violating IAP Access Controls
Panther GCP Access Attempts Violating VPC Service Controls
Panther GCP BigQuery Large Scan
Panther GCP Cloud Armor RCE Attempt Detected
Panther GCP Cloud Run Service Created
Panther GCP Cloud Run Set IAM Policy
Panther GCP Compute IAM Policy Update Detection
Panther GCP Compute SSH Connection Experimental
Panther GCP Destructive Queries
Panther GCP DNS Zone Modified or Deleted
Panther GCP External User Ownership Invite
Panther GCP Firewall Rule Created
Panther GCP Firewall Rule Deleted
Panther GCP Firewall Rule Modified
Panther GCP IAM and Tag Enumeration
Panther GCP iam.roles.update Privilege Escalation
Panther GCP KMS Cross-Project Encryption
Panther GCP Log Bucket or Sink Deleted
Panther GCP Logging Settings Modified
Panther GCP Logging Sink Modified
Panther GCP Permissions Granted to Create or Manage Service Account Key
Panther GCP Privileged Operation
Panther GCP Service Account Access Denied
Panther GCP Service Account or Keys Created
Panther GCP Snapshot Creation Detection
Panther GCP SQL Config Changes
Panther GCP Tag Binding Creation
Panther GCP User Added to IAP Protected Service
Panther GCP VPC Flow Logs Disabled

AWS 27 rules

Panther AWS Authentication from CrowdStrike Unmanaged Device
Panther AWS Authentication From CrowdStrike Unmanaged Device
Panther AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)
Panther AWS CloudTrail SES Check Identity Verifications
Panther AWS CloudTrail SES Check Send Quota
Panther AWS CloudTrail SES Check SES Sending Enabled
Panther AWS CloudTrail SES List Identities
Panther AWS Console Login
Panther AWS Potentially Stolen Service Role
Panther AWS S3 Delete Object Detection
Panther AWS S3 Delete Objects Detection
Panther AWS S3 Large Download
Panther AWS S3 Ransomware Note Upload Detection
Panther AWS SAML Activity
Panther AWS SSM Multiple Sessions
Panther AWS.CloudTrail.UserAccessKeyAuth
Panther CloudTrail EC2 StopInstances
Panther IAM Change
Splunk Kubernetes AWS detect suspicious kubectl calls experimental
Panther Kubernetes Exec Into Pod Experimental
Panther Query.CloudTrail.Password.Spraying
Panther S3 Access Via VPC Endpoint From External IP
Panther SIGNAL - AWS Console SSO Sign-In
Panther SIGNAL - Retrieve SSO access token
Panther SIGNAL - Role Assumed by AWS Service
Panther SIGNAL - Role Assumed by User
Panther SIGNAL - Sign-in with AWS CLI prompt

Kubernetes 24 rules

Panther Kubernetes Cron Job Created or Modified
Panther Kubernetes Cron Job Created or Modified
Panther Kubernetes Pod Created in Pre-Configured or Default Name Spaces
Panther Kubernetes Pod Created in Pre-Configured or Default Name Spaces
Panther Kubernetes Service with Type Node Port Deployed
Panther Kubernetes Service with Type Node Port Deployed
Panther New DaemonSet Deployed to Kubernetes
Panther New DaemonSet Deployed to Kubernetes
Panther Pod attached to the Node Host Network
Panther Pod attached to the Node Host Network
Panther Pod Created or Modified Using the Host IPC Namespace
Panther Pod Created or Modified Using the Host IPC Namespace
Panther Pod Created or Modified Using the Host PID Namespace
Panther Pod Created or Modified Using the Host PID Namespace
Panther Pod Created with Overly Permissive Linux Capabilities
Panther Pod Created with Overly Permissive Linux Capabilities
Panther Pod creation or modification to a Host Path Volume Mount
Panther Pod creation or modification to a Host Path Volume Mount
Panther Privileged Pod Created
Panther Privileged Pod Created
Panther Unauthenticated Kubernetes API Request
Panther Unauthenticated Kubernetes API Request
Panther Unauthorized Kubernetes Pod Execution
Panther Unauthorized Kubernetes Pod Execution

Google Workspace 17 rules

Panther Google Accessed a GSuite Resource
Panther Google Workspace Admin Custom Role
Panther Google Workspace Advanced Protection Program
Panther Google Workspace Apps Marketplace Allowlist
Panther Google Workspace Apps Marketplace New Domain Application
Panther Google Workspace Apps New Mobile App Installed
Panther Google Workspace Login Type Anomaly
Panther Google Workspace OAuth Anomalous Privileged Request
Panther Google Workspace OAuth Token Requests from New IPs
Panther Google Workspace OAuthLogin Scope Anomalous Application Access
Panther Google Workspace Rapid Multi-IP Authentication
Panther GSuite Drive Many Documents Deleted Deprecated
Panther GSuite Many Docs Deleted Query
Panther GSuite Many Docs Downloaded Query
Panther GSuite User Banned from Group
Panther GSuite User Suspended
Panther GSuite Workspace Data Export Has Been Created

Auth0 16 rules

Panther Auth0 Brute Force
Panther Auth0 Brute Force Detection
Panther Auth0 CIC Credential Stuffing
Panther Auth0 CIC Credential Stuffing Query
Panther Auth0 Custom Role Created
Panther Auth0 Integration Installed
Panther Auth0 Leaked Password Login Attempt
Panther Auth0 Limit Detections
Panther Auth0 mfa factor enabled
Panther Auth0 MFA Policy Disabled
Panther Auth0 MFA Policy Enabled
Panther Auth0 MFA Risk Assessment Disabled
Panther Auth0 MFA Risk Assessment Enabled
Panther Auth0 Post Login Action Flow Updated
Panther Auth0 User Invitation Created
Panther Auth0 User Joined Tenant

Notion 16 rules

Panther Notion Audit Log Exported
Panther Notion Login From Blocked IP
Panther Notion Login from New Location
Panther Notion Many Pages Deleted
Panther Notion Many Pages Deleted [Deprecated] Deprecated
Panther Notion Many Pages Deleted Query
Panther Notion Many Pages Exported
Panther Notion Page API Permissions Changed
Panther Notion Page Guest Permissions Changed
Panther Notion Page Published to Web
Panther Notion SAML SSO Configuration Changed
Panther Notion SCIM Token Generated
Panther Notion Sharing Settings Updated
Panther Notion Workspace Exported
Panther Notion Workspace public page added
Panther Signal - Notion Login

Duo 15 rules

Panther Duo Admin App Integration Secret Key Viewed
Panther Duo Admin Bypass Code Created
Panther Duo Admin Bypass Code Viewed
Panther Duo Admin Create Admin
Panther Duo Admin Lockout
Panther Duo Admin Marked Push Fraudulent
Panther Duo Admin MFA Restrictions Updated
Panther Duo Admin New Admin API App Integration
Panther Duo Admin Policy Updated
Panther Duo Admin SSO SAML Requirement Disabled
Panther Duo Admin User MFA Bypass Enabled
Panther Duo User Action Reported as Fraudulent
Panther Duo User Auth Denied For Anomalous Push
Panther Duo User Bypass Code Used
Panther Duo User Denied For Endpoint Error

Entra ID / Azure AD 15 rules

GitHub 15 rules

YARA-L GitHub Application Installed
Panther GitHub Dependabot Vulnerability Dismissed
YARA-L GitHub Enterprise Or Organization Recovery Codes Activity
YARA-L GitHub Invitation Sent To Non Company Email Domain
YARA-L GitHub OAuth Application Access Restrictions Disabled
Panther Github Organization App Integration Installed
YARA-L GitHub Outgoing Repository Transfer Initiated
Panther Github Public Repository Created
Panther GitHub Repository Archived
Panther GitHub Repository Created
Panther Github Repository Transfer
YARA-L GitHub Repository Visibility Changed To Public
YARA-L GitHub User Blocked From Accessing Organization Repositories
Panther GitHub User Initial Access to Private Repo
YARA-L GitHub User Unblocked From Accessing Organization Repositories

Okta 14 rules

Panther Okta API Key Revoked
Panther Okta App Refresh Access Token Reuse
Panther Okta App Unauthorized Access Attempt
Panther Okta Group Admin Role Assigned
Panther Okta Login From CrowdStrike Unmanaged Device
Panther Okta Login From CrowdStrike Unmanaged Device
Panther Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)
Panther Okta Login Signal
Panther Okta Login Without Push Marker
Panther Okta User Account Locked
Panther Okta User MFA Factor Suspend
Panther Okta User MFA Own Reset
Panther Okta User MFA Reset All
Panther SIGNAL - Okta SSO to AWS

Snowflake 13 rules

Panther Query.Snowflake.AccountAdminGranted
Panther Query.Snowflake.BruteForceByIp
Panther Query.Snowflake.BruteForceByUsername
Panther Query.Snowflake.External.Shares
Panther Query.Snowflake.KeyUserPasswordLogin
Panther Query.Snowflake.MFALogin
Panther Query.Snowflake.Multiple.Logins.Followed.By.Success
Panther Query.Snowflake.UserCreated
Panther Query.Snowflake.UserEnabled
Panther Snowflake Configuration Drift
Panther Snowflake External Share
Panther Snowflake Multiple Failed Logins Followed By Success
Panther Snowflake Successful Login

Asana 11 rules

Panther Asana Service Account Created
Panther Asana Team Privacy Public
Panther Asana Workspace Default Session Duration Never
Panther Asana Workspace Email Domain Added
Panther Asana Workspace Form Link Auth Requirement Disabled
Panther Asana Workspace Guest Invite Permissions Anyone
Panther Asana Workspace New Admin
Panther Asana Workspace Org Export
Panther Asana Workspace Password Requirements Simple
Panther Asana Workspace Require App Approvals Disabled
Panther Asana Workspace SAML Optional

Snyk 10 rules

Panther Snyk Miscellaneous Settings
Panther Snyk Org or Group Settings Change
Panther Snyk Org Settings
Panther Snyk Project Settings
Panther Snyk Role Change
Panther Snyk Service Account Change
Panther Snyk System External Access Settings Changed
Panther Snyk System Policy Settings Changed
Panther Snyk System SSO Settings Changed
Panther Snyk User Management

Dropbox 9 rules

Panther Dropbox Admin sign-in-as Session
Panther Dropbox Document/Folder Ownership Transfer
Panther Dropbox External Share
Panther Dropbox Linked Team Application Added
Panther Dropbox Many Deletes Deprecated
Panther Dropbox Many Deletes
Panther Dropbox Many Downloads Deprecated
Panther Dropbox Many Downloads
Panther Dropbox User Disabled 2FA

Tines 9 rules

Panther Tines Actions Disabled Change
Panther Tines Custom CertificateAuthority setting changed
Panther Tines Enqueued/Retrying Job Deletion
Panther Tines Global Resource Destruction
Panther Tines SSO Settings
Panther Tines Story Items Destruction
Panther Tines Story Jobs Clearance
Panther Tines Team Destruction
Panther Tines Tenant API Keys Added

Microsoft Graph 7 rules

Push Security 7 rules

Panther Push Security App Banner Acknowledged
Panther Push Security Authorized IdP Login
Panther Push Security New App Detected
Panther Push Security New SaaS Account Created
Panther Push Security Phishable MFA Method
Panther Push Security SaaS App MFA Method Changed
Panther Push Security Unauthorized IdP Login

Zoom 7 rules

Panther Zoom All Meetings Secured With One Option Disabled
Panther Zoom Automatic Sign Out Disabled
Panther Zoom New Meeting Passcode Required Disabled
Panther Zoom Sign In Method Modified
Panther Zoom Sign In Requirements Changed
Panther Zoom Two Factor Authentication Disabled
Panther Zoom User Promoted to Privileged Role

MongoDB 6 rules

Panther MongoDB 2FA Disabled
Panther MongoDB Atlas API Key Created
Panther MongoDB External User Invited
Panther MongoDB External User Invited (no config)
Panther MongoDB user roles changed
Panther MongoDB user was created or deleted

Docusign 5 rules

Panther DocuSign Envelope Corrected
Panther DocuSign Envelope Voided
Panther DocuSign Recipient Authentication Failure
Panther DocuSign Recipient Declined Envelope
Panther DocuSign Template Management Activity

Microsoft 365 5 rules

Axonius 4 rules

VMware SD-WAN and SASE 4 rules

CrowdStrike 3 rules

OneLogin 3 rules

Tailscale 3 rules

Panther Tailscale HTTPS Disabled
Panther Tailscale Machine Approval Requirements Disabled
Panther Tailscale Magic DNS Disabled

Other cloud & SaaS 19 rules

Panther A Teleport Lock was created
Panther Atlassian admin impersonated another user
Panther Azure SignIn via Legacy Authentication Protocol
Panther Azure Storage Blob Uploaded
Panther Box Access Granted
Panther Box Content Workflow Policy Violation
Splunk Cloud Compute Instance Created With Previously Unseen Image production
Panther Databricks Terms of Service Changes Experimental
YARA-L GeoIP User Login From Multiple States Or Countries
Panther Google Drive High Download Count Deprecated
Panther New Admission Controller Created
Panther New Admission Controller Created
Panther New Unique Values - Panther Audit Login from New IP
Panther OpenAI Failed Login (Base Rule)
Panther OpenAI Successful Login (Base Rule)
Panther Salesforce Admin Login As User
Panther Secret Enumeration by a User Deprecated
Panther Secret Enumeration by a User
Panther Zendesk User Role Changed

Endpoint & network anomalies 33 rules

Statistical and behavioral outliers on hosts and networks: process-tree analysis, command-line and volume spikes, baselining.

Panther 17 rules

Panther Anomalous AccessDenied Requests
Panther Anomalous VPC Traffic to Destination Port
Panther Cloudflare Bot High Volume
Panther Cloudflare L7 DDoS
Panther Connection to Embargoed Country
Panther Crowdstrike FDR LOLBAS
Panther Crowdstrike Real Time Response (RTS) Session
Panther Crowdstrike Unusual Parent Child Processes
Panther DNS Base64 Encoded Query
Panther Query.Okta.ADAgentAuthZScoreAnomaly
Panther Query.Okta.ADAgentTokenAbuseBehavioral
Panther Query.Okta.SkeletonKeyBypassBehavioral
Panther Query.VPC.DNS.Tunneling
Panther RoleAssumes by Multiple Useragents
Panther Snowflake User Daily Query Volume Spike
Panther Suspicious Snowflake Sessions - Unusual Application
Panther VPC Flow Port Scanning

Splunk 6 rules

Splunk Detect New Login Attempts to Routers experimental
Splunk Detect Spike in blocked Outbound Traffic from your AWS experimental
Splunk MacOS - Re-opened Applications experimental
Splunk Spike in File Writes experimental
Splunk Unusually Long Command Line experimental
Splunk Unusually Long Content-Type Length experimental

Kusto 4 rules

YARA-L 4 rules

YARA-L ADFS DB Suspicious Named Pipe Connection
YARA-L Network Traffic To Specific Country
YARA-L Suspicious Unusual Location LNK File
YARA-L Windows Short Term Account Use

Elastic 2 rules

Elastic Web Application Suspicious Activity: POST Request Declined production
Elastic Web Application Suspicious Activity: Unauthorized Method production

Threat-intelligence matching 53 rules

Indicator and reputation matching: hash, IP, URL, and domain lookups against threat feeds, VirusTotal, Safebrowsing, and prevalence sources.

YARA-L 28 rules

YARA-L DNS Query To Recently Created Domain
YARA-L Domain Prevalence
YARA-L Google Safebrowsing File Process Creation
YARA-L Google Safebrowsing With Prevalence
YARA-L Hash Prevalence
YARA-L IOC Domain C2
YARA-L IOC Domain Internal Policy
YARA-L IOC Hash Prevalence
YARA-L IOC IP Target
YARA-L IOC SHA256 Hash
YARA-L IOC SHA256 Hash VT
YARA-L IP Target Prevalence
YARA-L Low Prevalence Hash On Process Launch Low Prevalence Domain Accessed
YARA-L Network Connection First Seen In Past Day
YARA-L Network HTTP Low Prevalence Domain Access
YARA-L Process Launch VT Enrichment
YARA-L Safebrowsing Process Creation Hashes Seen More Than 7 Days
YARA-L Suspicious ASN
YARA-L Suspicious ASN Watchlist
YARA-L VT Relationships File Contacts Domain
YARA-L VT Relationships File Contacts IP
YARA-L VT Relationships File Downloaded From IP
YARA-L VT Relationships File Downloaded From URL
YARA-L VT Relationships File Executes File
YARA-L WHOIS DNS Query To Typesquatting Domain
YARA-L WHOIS Expired Domain Accessed
YARA-L WHOIS Expired Domain Executable Downloaded
YARA-L WHOIS Recently Created Domain Access

Panther 15 rules

Panther Axonius login from Tor IP
Panther Cisco Umbrella Domain Name Fuzzy Matching
Panther Cisco Umbrella Suspicious Domains
Panther IOC Activity in K8 Control Plane
Panther IOC Activity in K8 Control Plane
Panther NX Supply Chain - S1ngularity Repository Detection
Panther Okta HAR File IOCs
Panther Okta ThreatInsight Security Threat Detected
Panther Query.Snowflake.ClientIp
Panther Query.Snowflake.SuspectedUserAccess
Panther Query.Snowflake.ThreatHunting.ClientIp
Panther Query.Snowflake.ThreatHunting.SuspectedUserAccess
Panther Sha1-Hulud V2 Filenames Added to Repository
Panther Snowflake Client IP
Panther Snowflake User Access

Elastic 7 rules

Elastic Okta ThreatInsight Threat Suspected Promotion production
Elastic Rapid7 Threat Command CVEs Correlation production
Elastic Threat Intel Email Indicator Match production
Elastic Threat Intel Hash Indicator Match production
Elastic Threat Intel IP Address Indicator Match production
Elastic Threat Intel URL Indicator Match production
Elastic Threat Intel Windows Registry Indicator Match production

Splunk 2 rules

Splunk Monitor Email For Brand Abuse experimental
Splunk Monitor Web Traffic For Brand Abuse experimental

Sublime MQL 1 rule

Sublime MQL Disposable sender email (unsolicited)

Alert correlation & meta-detections 86 rules

Meta-detections that consume the output of other detections or tools: multi-alert aggregation and vendor-verdict passthroughs.

Elastic 34 rules

Elastic Alerts From Multiple Integrations by Destination Address production
Elastic Alerts From Multiple Integrations by Source Address production
Elastic Alerts From Multiple Integrations by User Name production
Elastic Alerts in Different ATT&CK Tactics by Host production
Elastic Container Workload Protection production
Elastic Correlated Alerts on Similar User Identities production
Elastic Elastic Defend and Email Alerts Correlation production
Elastic Elastic Defend and Network Security Alerts Correlation production
Elastic Elastic Security External Alerts production
Elastic Entra ID Protection - Risk Detection production building block
Elastic Forwarded Google Workspace Security Alert production
Elastic IBM QRadar External Alerts production
Elastic LLM-Based Attack Chain Triage by Host production
Elastic LLM-Based Compromised User Triage by User production
Elastic Malware - Detected - Elastic Endgame production
Elastic Malware - Prevented - Elastic Endgame production
Elastic Microsoft Sentinel External Alerts production
Elastic Multiple Alerts in Different ATT&CK Tactics on a Single Host production
Elastic Multiple Alerts in Same ATT&CK Tactic by Host production
Elastic Multiple Alerts Involving a User production
Elastic Multiple Elastic Defend Alerts by Agent production
Elastic Multiple Elastic Defend Alerts from a Single Process Tree production
Elastic Multiple External EDR Alerts by Host production
Elastic Multiple Machine Learning Alerts by Influencer Field production
Elastic Multiple Rare Elastic Defend Behavior Rules by Host production
Elastic Newly Observed Elastic Defend Behavior Alert production
Elastic Newly Observed FortiGate Alert production
Elastic Newly Observed High Severity Detection Alert production
Elastic Newly Observed High Severity Suricata Alert production
Elastic Newly Observed Palo Alto Network Alert production
Elastic Ransomware - Detected - Elastic Endgame production
Elastic Ransomware - Prevented - Elastic Endgame production
Elastic SentinelOne Alert External Alerts production
Elastic Suspected Lateral Movement from Compromised Host production

Panther 28 rules

Panther AWS Console Sign-In NOT PRECEDED BY Okta Redirect
Panther AWS GuardDuty High Severity Finding
Panther AWS GuardDuty Low Severity Finding
Panther AWS GuardDuty Medium Severity Finding
Panther AWS SSO Access Token Retrieved by Unauthenticated IP
Panther Cisco Umbrella Domain Blocked
Panther Cloudflare React2Shell RCE Attempt Detected
Panther Crowdstrike Detection Passthrough
Panther Decoy DynamoDB Accessed
Panther Decoy IAM Assumed
Panther Decoy S3 Accessed
Panther Decoy Secret Accessed
Panther Decoy Systems Manager Parameter Accessed
Panther GSuite Device Suspicious Activity
Panther GSuite Passthrough Rule Triggered
Panther GSuite User Device Compromised
Panther Okta User Reported Suspicious Activity
Panther Push Security Open Security Finding
Panther Push Security Phishing Attack
Panther SentinelOne Threats
Panther Snowflake Brute Force Login Success
Panther Sublime Flagged an Email
Panther Suspicious GSuite Login
Panther Suspicious is_suspicious tag Experimental
Panther Thinkst Canary Incident
Panther Thinkst Canarytoken Incident
Panther Tracebit Alert
Panther Wiz Defend Alert Passthrough Rule

Kusto 17 rules

Kusto AppServices AV Scan with Infected Files
Kusto Awake Security - High Match Counts By Device available
Kusto Awake Security - High Severity Matches By Device available
Kusto Awake Security - Model With Multiple Destinations available
Kusto AWSGuardDuty - GuardDuty Alert available
Kusto Create Incidents from IronDefense available
Kusto Digital Shadows Incident Creation for exclude-app
Kusto Digital Shadows Incident Creation for include-app
Kusto Dragos Notifications available
Kusto Jamf Protect - Unified Logs available
Kusto Malware Activity Detected available
Kusto Malware Detection Session Finished available
Kusto Object Marked as Clean available
Kusto Restore Point Marked as Clean available
Kusto Restore Point Marked as Infected available
Kusto Unusual Anomaly
Kusto VMware Cloud Web Security - Data Loss Prevention Violation

Splunk 4 rules

Splunk Detect Spike in AWS Security Hub Alerts for EC2 Instance production
Splunk Detect Spike in AWS Security Hub Alerts for User experimental
Splunk Microsoft Defender Incident Alerts production
Splunk Splunk AppDynamics Secure Application Alerts production

Sigma 2 rules

Sigma macOS ULS Gatekeeper Block (spctl) experimental
Sigma macOS ULS Quarantine or XProtect Detection experimental

YARA-L 1 rule

YARA-L Google Workspace Alerts Aggregated By Severity

Threat hunting 23 rules

Exploratory hunting queries that surface broad activity for analyst triage rather than firing on a specific malicious match.

YARA-L 17 rules

Kusto 5 rules

Panther 1 rule

Panther Okta Username Above 52 Characters Security Advisory

AI & LLM governance 41 rules

AI and LLM content-safety and governance: prompt-injection, toxicity, bias, banned-topic, and model-policy violations.

Kusto 38 rules

Kusto AIShield - Image classification AI Model Evasion high suspicious vulnerability detection available
Kusto AIShield - Image classification AI Model Evasion low suspicious vulnerability detection available
Kusto AIShield - Image classification AI Model extraction high suspicious vulnerability detection available
Kusto AIShield - Image Segmentation AI Model extraction high suspicious vulnerability detection available
Kusto AIShield - Natural language processing AI model extraction high suspicious vulnerability detection available
Kusto AIShield - Tabular classification AI Model Evasion high suspicious vulnerability detection available
Kusto AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection available
Kusto AIShield - Tabular classification AI Model extraction high suspicious vulnerability detection available
Kusto AIShield - Timeseries Forecasting AI Model extraction high suspicious vulnerability detection available
Kusto Guardian- Additional check JSON Policy Violation Detection available
Kusto Guardian- Ban Topic Policy Violation Detection available
Kusto Guardian- BII Detection Policy Violation Detection available
Kusto Guardian- Block Competitor Policy Violation Detection available
Kusto Guardian- Blocks specific strings of text Policy Violation Detection available
Kusto Guardian- Code Detection Policy Violation Detection available
Kusto Guardian- Content Access Control Allowed List Policy Violation Detection available
Kusto Guardian- Content Access Control Blocked List Policy Violation Detection available
Kusto Guardian- Content Safety Profanity Policy Violation Detection available
Kusto Guardian- Content Safety Toxicity Policy Violation Detection. available
Kusto Guardian- Gender Bias Policy Violation Detection available
Kusto Guardian- Input Output Relevance Policy Violation Detection available
Kusto Guardian- Input Rate Limiter Policy Violation Detection available
Kusto Guardian- Invisible Text Policy Violation Detection available
Kusto Guardian- Language Detection Policy Violation Detection available
Kusto Guardian- Malicious URL Policy Violation Detection available
Kusto Guardian- No LLM Output Policy Violation Detection available
Kusto Guardian- Not Safe For Work Policy Violation Detection available
Kusto Guardian- Privacy Protection PII Policy Violation Detection available
Kusto Guardian- Racial Bias Policy Violation Detection available
Kusto Guardian- Regex Policy Violation Detection available
Kusto Guardian- Same Input/Output Language Detection Policy Violation Detection available
Kusto Guardian- Secrets Policy Violation Detection available
Kusto Guardian- Security Integrity Checks Prompt Injection Policy Violation Detection available
Kusto Guardian- Sentiment Policy Violation Detection available
Kusto Guardian- Special PII Detection Policy Violation Detection available
Kusto Guardian- Token Limit Policy Violation Detection available
Kusto Guardian- URL Detection Policy Violation Detection available
Kusto Guardian- URL Reachability Policy Violation Detection available

Elastic 2 rules

Elastic Azure OpenAI Insecure Output Handling production
Elastic Potential Abuse of Resources by High Token Count and Large Response Sizes production

Splunk 1 rule

Splunk Cisco AI Defense Security Alerts by Application Name production

Data loss prevention 130 rules

Data-loss-prevention content patterns: payment cards, national IDs, passports, bank accounts, and other regulated or sensitive data.

National IDs & passports 33 rules

Sublime MQL DLP: Argentina DNI Number
Sublime MQL DLP: Australia Driver's License Number
Sublime MQL DLP: Australia Passport Number
Sublime MQL DLP: Austria Social Security Number
Sublime MQL DLP: Canada Driver's License Number
Sublime MQL DLP: Canada Passport Number
Sublime MQL DLP: Finland National ID
Sublime MQL DLP: France Driver's License Number
Sublime MQL DLP: France National ID Card (CNI)
Sublime MQL DLP: France Passport Number
Sublime MQL DLP: France Social Security Number (INSEE)
Sublime MQL DLP: Germany Driver's License Number
Sublime MQL DLP: Germany Passport Number
Sublime MQL DLP: Greece National ID Card
Sublime MQL DLP: Greece Social Security Number (AMKA)
Sublime MQL DLP: Hungary Social Security Number (TAJ)
Sublime MQL DLP: India Aadhaar Number
Sublime MQL DLP: India Passport Number
Sublime MQL DLP: Israel National ID
Sublime MQL DLP: Japan Driver's License Number
Sublime MQL DLP: Japan Passport Number
Sublime MQL DLP: Luxembourg National ID (Natural Persons)
Sublime MQL DLP: Luxembourg National ID (Non-Natural Persons)
Sublime MQL DLP: Mexico Passport Number
Sublime MQL DLP: Saudi Arabia National ID
Sublime MQL DLP: Spain DNI/NIE
Sublime MQL DLP: Spain Passport Number
Sublime MQL DLP: Spain Social Security Number
Sublime MQL DLP: Sweden National ID
Sublime MQL DLP: UK Passport Number
Sublime MQL DLP: US Driver's License Number
Sublime MQL DLP: US Passport Number
Sublime MQL DLP: US Social Security Number (SSN)

Payment cards (PCI) 17 rules

Sublime MQL DLP - PCI: American Express Credit Card Number
Sublime MQL DLP - PCI: Discover Credit Card Number
Sublime MQL DLP - PCI: Mastercard Credit Card Number
Sublime MQL DLP - PCI: US Credit Card Number (Any Network)
Sublime MQL DLP - PCI: Visa Credit Card Number
Sublime MQL DLP: Australia Credit Card Number
Sublime MQL DLP: Canada Credit Card Number
Sublime MQL DLP: Chile Identity Card Number
Sublime MQL DLP: Colombia Citizenship Card Number
Sublime MQL DLP: EU Debit Card Number
Sublime MQL DLP: France Credit Card Number
Sublime MQL DLP: France Debit Card Number
Sublime MQL DLP: Germany Identity Card Number (Personalausweisnummer)
Sublime MQL DLP: Israel Credit Card Number
Sublime MQL DLP: Japan Credit Card Number
Sublime MQL DLP: Malta Identity Card Number
Sublime MQL DLP: Portugal Citizen Card Number

Bank & financial accounts 15 rules

Sublime MQL DLP: Australia Bank Account Number
Sublime MQL DLP: Australia Medical Account Number
Sublime MQL DLP: Australia SWIFT Code
Sublime MQL DLP: Canada Bank Account Number
Sublime MQL DLP: France Bank Account Number
Sublime MQL DLP: Germany Bank Account Number (IBAN)
Sublime MQL DLP: India Bank Account Number
Sublime MQL DLP: Israel Bank Account Number
Sublime MQL DLP: Israel SWIFT Code
Sublime MQL DLP: Japan Bank Account Number
Sublime MQL DLP: Saudi Arabia IBAN
Sublime MQL DLP: Saudi Arabia SWIFT Code
Sublime MQL DLP: Spain Bank Account Number
Sublime MQL DLP: UK SWIFT Code
Sublime MQL DLP: US Bank Account Number

Health & medical 3 rules

Sublime MQL DLP: Canada Health Service Number
Sublime MQL DLP: Canada Personal Health Identification Number (PHIN)
Sublime MQL DLP: UK National Health Service Number

Other sensitive data 62 rules

Sublime MQL DLP: Australia Tax File Number
Sublime MQL DLP: Austria Identity Card
Sublime MQL DLP: Austria Tax Identification Number
Sublime MQL DLP: AWS Credentials
Sublime MQL DLP: Azure Authentication Token
Sublime MQL DLP: Basic Authentication Header
Sublime MQL DLP: Belgium National Number
Sublime MQL DLP: Brazil CPF Number
Sublime MQL DLP: Brazil RG Number
Sublime MQL DLP: Bulgaria Uniform Civil Number
Sublime MQL DLP: Canada Social Insurance Number (SIN)
Sublime MQL DLP: China Resident ID Number
Sublime MQL DLP: Croatia Personal Identification (OIB)
Sublime MQL DLP: Cyprus Identity Card
Sublime MQL DLP: Czech Personal Identity Number
Sublime MQL DLP: Denmark Personal Identification Number
Sublime MQL DLP: Estonia Personal Identification Code
Sublime MQL DLP: France Tax Identification Number (SPI)
Sublime MQL DLP: GCP API Key
Sublime MQL DLP: Germany Tax Identification Number
Sublime MQL DLP: GitHub Token
Sublime MQL DLP: Greece Tax Identification Number
Sublime MQL DLP: Hungary Personal Identification Number
Sublime MQL DLP: Hungary Tax Identification Number
Sublime MQL DLP: IMEI Number
Sublime MQL DLP: IMSI Number
Sublime MQL DLP: India PAN Number
Sublime MQL DLP: IP Address
Sublime MQL DLP: Ireland Personal Public Service (PPS) Number
Sublime MQL DLP: Italy Fiscal Code
Sublime MQL DLP: Japan MyNumber ID
Sublime MQL DLP: Japan Social Insurance Number
Sublime MQL DLP: JSON Web Token (JWT)
Sublime MQL DLP: Latvia Personal Code
Sublime MQL DLP: Lithuania Personal Code
Sublime MQL DLP: MAC Address
Sublime MQL DLP: Malta Tax ID Number
Sublime MQL DLP: Mexico CURP Number
Sublime MQL DLP: Netherlands Citizen's Service (BSN) Number
Sublime MQL DLP: Netherlands Tax Identification Number
Sublime MQL DLP: OAuth Client Secret
Sublime MQL DLP: Poland Identity Card
Sublime MQL DLP: Poland Tax Identification Number
Sublime MQL DLP: Portugal Tax Identification Number
Sublime MQL DLP: Private Key
Sublime MQL DLP: Romania Personal Numerical Code
Sublime MQL DLP: Slack Token
Sublime MQL DLP: Slovakia Personal Number
Sublime MQL DLP: Slovenia Tax Identification Number
Sublime MQL DLP: Slovenia Unique Master Citizen Number
Sublime MQL DLP: South Korea Resident Registration Number (RRN)
Sublime MQL DLP: Spain Tax Identification Number
Sublime MQL DLP: SSL Certificate
Sublime MQL DLP: Sweden Tax Identification Number
Sublime MQL DLP: Taiwan ID Number
Sublime MQL DLP: Turkey ID Number
Sublime MQL DLP: UK National Insurance Number (NINO)
Sublime MQL DLP: US ICD-10-CM Code
Sublime MQL DLP: US ICD-9-CM Code
Sublime MQL DLP: US Individual Taxpayer Identification Number (ITIN)
Sublime MQL DLP: US Insurance Claim Number
Sublime MQL DLP: Vehicle Identification Number (VIN)

Operational & security hygiene 75 rules

Operational and security-hygiene checks: agent and signature staleness, unsupported versions, deployment posture, and outbreak thresholds.

Panther 46 rules

Panther AWS Access Keys At Account Creation
Panther AWS CloudFormation Stack IAM Service Role
Panther AWS CloudWatch Log Encryption
Panther AWS CloudWatch Logs Data Retention
Panther AWS Config Global Resources
Panther AWS Config Recording Status
Panther AWS Config Records All Resource Types
Panther AWS Config Status
Panther AWS DynamoDB Table Autoscaling
Panther AWS DynamoDB Table Autoscaling Configuration
Panther AWS EC2 AMI Approved Host
Panther AWS EC2 AMI Approved Instance Type
Panther AWS EC2 AMI Approved Tenancy
Panther AWS EC2 Instance Approved Host
Panther AWS EC2 Instance Approved Instance Type
Panther AWS EC2 Instance Approved Tenancy
Panther AWS EC2 Instance Approved VPC
Panther AWS EC2 Instance EBS Optimization
Panther AWS IAM Password Unused
Panther AWS IAM Policy Role Mapping
Panther AWS IAM Role Grants (permission) to Non-organizational Account
Panther AWS IAM Role Trust Relationship for GitHub Actions
Panther AWS RDS Instance Backup
Panther AWS RDS Instance Has Acceptable Backup Retention Period
Panther AWS RDS Instance High Availability
Panther AWS RDS Instance Minor Version Upgrades
Panther AWS Redshift Cluster Has Acceptable Snapshot Retention Period
Panther AWS Redshift Cluster Maintenance Window
Panther AWS Redshift Cluster Snapshot Retention
Panther AWS Redshift Cluster Version Upgrade
Panther AWS Resource Minimum Tags
Panther AWS Resource Required Tags
Panther AWS S3 Bucket Lifecycle Configuration
Panther AWS S3 Bucket Name DNS Compliance
Panther AWS Unused Access Key
Panther AWS VPC Healthy Log Status
Panther AWS WAF Rule Ordering
Panther AWS WAF WebACL Has Associated Resources
Panther Azure Advisor Security Recommendation Available Experimental
Panther Azure Policy Violation Detected Experimental
Panther GitHub Action Failed
Panther Osquery Agent Outdated
Panther S3 Bucket Policy Confused Deputy Protection for Service Principals
Panther Sensitive AWS CloudWatch Log Encryption
Panther Thinkst Canary DCRC
Panther Unsupported macOS version

Kusto 22 rules

Kusto AppServices AV Scan Failure
Kusto Attempt to Delete Backup Failed available
Kusto Best Practice Compliance Check Not Passed available
Kusto Configuration Backup Failed available
Kusto Configuration Backup Job Failed available
Kusto Connection to Backup Repository Lost available
Kusto Hunt Device Discovery Subnet Ranges
Kusto Hunt devices supporting MDE Containment
Kusto Hunt for Defender for Identity NNR issues
Kusto Hunt for Defender for Identity not installed but eligible
Kusto Hunt for devices organized by subnet
Kusto Hunt MSOL Azure AD Connect / Entra Sync servers
Kusto License Expired available
Kusto License Expiring available
Kusto License Grace Period Started available
Kusto License Limit Exceeded available
Kusto License Support Expired available
Kusto License Support Expiring available
Kusto SureBackup Job Failed available
Kusto VMware SD-WAN Edge - All Cloud Security Service Tunnels DOWN
Kusto VMware SD-WAN Edge - IDS/IPS Signature Update Failed
Kusto VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded

Sigma 3 rules

Sigma Microsoft Defender massive host infection experimental
Sigma Microsoft Defender massive virus outbreach experimental
Sigma Microsoft Defender signatures not up to date experimental

Splunk 3 rules

Splunk Detect Unauthorized Assets by MAC address experimental
Splunk No Windows Updates in a time frame experimental
Splunk Protocols passing authentication in cleartext production

Elastic 1 rule

Elastic Multiple Vulnerabilities by Asset via Wiz production

Untagged 20 rules without MITRE technique tags

Sublime MQL Attachment: Zip exploiting CVE-2023-38831 (unsolicited)
Splunk Cisco Secure Firewall - Bits Network Activity production
Sigma CrackMaxpExec share permission enumeration experimental
Panther CrowdStrike MacOS plutil Usage
Panther Crowdstrike WMI Query Detection
Splunk Detect malicious requests to exploit JBoss servers experimental
Splunk F5 TMUI Authentication Bypass production
Splunk File with Samsam Extension production
Sublime MQL Headers: Zimbra mailer from a non-supported OS version
Panther MacOS Browser Credential Access
Panther MacOS Browser Credential Access (crowdstrike_fdrevent table)
Sigma macOS ULS Potential TCC Bypass Indicators experimental
Sigma macOS ULS securityd CodeSignature Failure experimental
Sigma macOS ULS Sudo Execution Logged experimental
Sigma macOS ULS TCC Access Denied experimental
Elastic My First Rule production
Sublime MQL New sender domain (<=10d) from untrusted sender
Splunk Processes Tapping Keyboard Events experimental
Sublime MQL Suspicious recipients pattern with no Compauth pass and suspicious content
Elastic Web Application Suspicious Activity: sqlmap User Agent production

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)