SSE Content
- 7Zip Commandline To SMB Share Path
- AWS Create Policy Version To Allow All Resources
- AWS Createaccesskey
- AWS Createloginprofile
- AWS Cross Account Activity From Previously Unseen Account
- AWS Detect Attach To Role Policy
- AWS Detect Permanent Key Creation
- AWS Detect Role Creation
- AWS Detect Sts Assume Role Abuse
- AWS Detect Sts Get Session Token Abuse
- AWS Detect Users Creating Keys With Encrypt Policy Without MFA
- AWS Detect Users With Kms Keys Performing Encryption S3
- AWS Ecr Container Scanning Findings High
- AWS Ecr Container Scanning Findings Low Informational Unknown
- AWS Ecr Container Scanning Findings Medium
- AWS Ecr Container Upload Outside Business Hours
- AWS Ecr Container Upload Unknown User
- AWS Excessive Security Scanning
- AWS Iam Accessdenied Discovery Events
- AWS Iam Assume Role Policy Brute Force
- AWS Iam Delete Policy
- AWS Iam Failure Group Deletion
- AWS Iam Successful Group Deletion
- AWS Network Access Control List Created With All Open Ports
- AWS Network Access Control List Deleted
- AWS Saml Access By Provider User And Principal
- AWS Saml Update Identity Provider
- AWS Setdefaultpolicyversion
- AWS Updateloginprofile
- Abnormally High Number Of Cloud Infrastructure API Calls
- Abnormally High Number Of Cloud Instances Destroyed
- Abnormally High Number Of Cloud Instances Launched
- Abnormally High Number Of Cloud Security Group API Calls
- Abnormally High Number of Endpoint Changes By User
- Abnormally High Number of HTTP Method Events By Src
- Access LSASS Memory For Dump Creation
- Access to In-Scope Unencrypted Resources
- Access to In-scope Resources
- Account Compromise with Suspicious Internal Activity
- Account Compromised followed by Exfiltration
- Account Deleted
- Account Discovery With Net App
- Activity from Expired User Identity
- Activity from Expired User Identity - on Category
- Add Defaultuser And Password In Registry
- Adsisearcher Account Discovery
- Aggregate Risky Events
- Allow File And Printing Sharing In Firewall
- Allow Inbound Traffic By Firewall Rule Registry
- Allow Inbound Traffic In Firewall Rule
- Allow Network Discovery In Firewall
- Allow Operation With Consent Admin
- Amazon EKS Kubernetes Cluster Scan Detection
- Amazon EKS Kubernetes Pod Scan Detection
- Anomalous Audit Trail Activity Detected
- Anomalous New Listening Port
- Anomalous New Process
- Anomalous New Service
- Anomalous Usage Of 7Zip
- Any Powershell Downloadfile
- Any Powershell Downloadstring
- Asset Ownership Unspecified
- Attacker Tools On Endpoint
- Attempt To Add Certificate To Untrusted Store
- Attempt To Stop Security Service
- Attempted Credential Dump From Registry Via Reg Exe
- Auditing Overview of Data Processing Systems (Glass Table)
- Authentication Against a New Domain Controller
- Auto Admin Logon Registry Entry
- Basic Brute Force Detection
- Basic Dynamic DNS Detection
- Basic Malware Outbreak
- Basic Scanning
- Basic TOR Traffic Detection
- Batch File Write To System32
- Bcdedit Command Back To Normal Mode Boot
- Bcdedit Failure Recovery Modification
- Bits Job Persistence
- Bitsadmin Download File
- Blacklisted Application
- Blacklisted Domain
- Blacklisted IP Address
- Brute Force
- Brute Force Access Behavior Detected
- Brute Force Access Behavior Detected - Against Category
- Brute Force Access Behavior Detected Over One Day
- Brute Force Access Behavior Detected Over One Day - Against Category
- Brute Force Attack
- Building a Departmental Peer Group
- COVID-19 Indicator Check
- Certutil Download With Urlcache And Split Arguments
- Certutil Download With Verifyctl And Split Arguments
- Certutil Exe Certificate Extraction
- Certutil With Decode Argument
- Change To Safe Mode With Network Config
- Chcp Command Execution
- Check Elevated Cmd Using Whoami
- Child Processes Of Spoolsv Exe
- Circle Ci Disable Security Job
- Circle Ci Disable Security Step
- Clear Unallocated Sector Using Cipher App
- Cleartext Password At Rest Detected
- Clop Common Exec Parameter
- Clop Ransomware Known Service Name
- Cloud API Calls From Previously Unseen User Roles
- Cloud APIs Called More Often Than Usual Per User
- Cloud Compute Instance Created By Previously Unseen User
- Cloud Compute Instance Created In Previously Unused Region
- Cloud Compute Instance Created With Previously Unseen Image
- Cloud Compute Instance Created With Previously Unseen Instance Type
- Cloud Instance Modified By Previously Unseen User
- Cloud Provisioning Activity From Previously Unseen City
- Cloud Provisioning Activity From Previously Unseen Country
- Cloud Provisioning Activity From Previously Unseen IP Address
- Cloud Provisioning Activity From Previously Unseen Region
- Cloud Provisioning Activity from Unusual Country
- Cloud Provisioning Activity from Unusual IP
- Cmd Echo Pipe - Escalation
- Cmdline Tool Not Executed In Cmd Shell
- Cmlua Or Cmstplua Uac Bypass
- Cobalt Strike Named Pipes
- Common Filename Launched from New Path
- Common Ransomware Extensions
- Common Ransomware Notes
- Completely Inactive Account
- Compromised Account
- Compromised Web Server
- Concentration of Attacker Tools by Filename
- Concentration of Attacker Tools by SHA1 Hash
- Concentration of Discovery Tools by Filename
- Concentration of Discovery Tools by SHA1 Hash
- Concurrent Login Attempts Detected
- Connection to New Domain
- Conti Common Exec Parameter
- Control Loading From World Writable Directory
- Correlation By Repository And Risk
- Correlation By User And Risk
- Create Local Admin Accounts Using Net Exe
- Create Or Delete Windows Shares Using Net Exe
- Create Remote Thread In Shell Application
- Create Remote Thread Into LSASS
- Create Service In Suspicious File Path
- Creation Of LSASS Dump With Taskmgr
- Creation Of Shadow Copy
- Creation Of Shadow Copy With Wmic And Powershell
- Credential Dumping Via Copy Command From Shadow Copy
- Credential Dumping Via Symlink To Shadow Copy
- Credentials In File Detected
- DNS Exfiltration Using Nslookup App
- DNS Query Length Outliers - MLTK
- DNS Query Length With High Standard Deviation
- Data Exfiltration after Account Takeover, High
- Data Exfiltration after Account Takeover, Medium
- Data Exfiltration after Data Staging
- Data Exfiltration by suspicious user or device
- Data Staging
- Default Account Activity Detected
- Default Account At Rest Detected
- Delete Shadowcopy With Powershell
- Deleting Of Net Users
- Deleting Shadow Copies
- Detect AWS Console Login By New User
- Detect AWS Console Login By User From New City
- Detect AWS Console Login By User From New Country
- Detect AWS Console Login By User From New Region
- Detect Activity Related To Pass The Hash Attacks
- Detect Arp Poisoning
- Detect Attackers Scanning For Vulnerable Jboss Servers
- Detect Azurehound Command-Line Arguments
- Detect Azurehound File Modifications
- Detect Baron Samedit Cve-2021-3156
- Detect Baron Samedit Cve-2021-3156 Segfault
- Detect Baron Samedit Cve-2021-3156 Via Osquery
- Detect Computer Changed With Anonymous Account
- Detect Copy Of Shadowcopy With Script Block Logging
- Detect Credential Dumping Through LSASS Access
- Detect Credit Card Numbers using Luhn Algorithm
- Detect Empire With Powershell Script Block Logging
- Detect Excessive Account Lockouts From Endpoint
- Detect Excessive User Account Lockouts
- Detect Exchange Web Shell
- Detect F5 Tmui RCE Cve-2020-5902
- Detect GCP Storage Access From A New IP
- Detect Hosts Connecting To Dynamic Domain Providers
- Detect Html Help Renamed
- Detect Html Help Spawn Child Process
- Detect Html Help Url In Command Line
- Detect Html Help Using Infotech Storage Handlers
- Detect Ipv6 Network Infrastructure Threats
- Detect Journal Clearing
- Detect Large Outbound ICMP Packets
- Detect Lateral Movement With WMI
- Detect Log Clearing With wevtutil
- Detect Malicious Requests To Exploit Jboss Servers
- Detect Many Unauthorized Access Attempts
- Detect Mimikatz Using Loaded Images
- Detect Mimikatz With Powershell Script Block Logging
- Detect Mshta Inline Hta Execution
- Detect Mshta Renamed
- Detect Mshta Url In Command Line
- Detect New Local Admin Account
- Detect New Login Attempts To Routers
- Detect New Open GCP Storage Buckets
- Detect New Open S3 Buckets
- Detect New Open S3 Buckets Over AWS Cli
- Detect Outbound SMB Traffic
- Detect Outlook Exe Writing A Zip File
- Detect Path Interception By Creation Of Program Exe
- Detect Port Security Violation
- Detect Processes Used For System Network Configuration Discovery
- Detect Prohibited Applications Spawning Cmd Exe
- Detect Psexec With Accepteula Flag
- Detect Rare Executables
- Detect Rclone Command-Line Usage
- Detect Regasm Spawning A Process
- Detect Regasm With Network Connection
- Detect Regasm With No Command Line Arguments
- Detect Regsvcs Spawning A Process
- Detect Regsvcs With Network Connection
- Detect Regsvcs With No Command Line Arguments
- Detect Regsvr32 Application Control Bypass
- Detect Renamed 7-Zip
- Detect Renamed Psexec
- Detect Renamed Rclone
- Detect Renamed Winrar
- Detect Rogue DHCP Server
- Detect Rundll32 Application Control Bypass - Advpack
- Detect Rundll32 Application Control Bypass - Setupapi
- Detect Rundll32 Application Control Bypass - Syssetup
- Detect Rundll32 Inline Hta Execution
- Detect S3 Access From A New IP
- Detect Shared EC2 Snapshot
- Detect Sharphound Command-Line Arguments
- Detect Sharphound File Modifications
- Detect Sharphound Usage
- Detect Snicat Sni Exfiltration
- Detect Software Download To Network Device
- Detect Spike In AWS Security Hub Alerts For EC2 Instance
- Detect Spike In AWS Security Hub Alerts For User
- Detect Spike In Blocked Outbound Traffic From Your AWS
- Detect Spike In S3 Bucket Deletion
- Detect Traffic Mirroring
- Detect Unauthorized Assets By MAC Address
- Detect Use Of Cmd Exe To Launch Script Interpreters
- Detect WMI Event Subscription Persistence
- Detect Windows DNS Sigred Via Splunk Stream
- Detect Windows DNS Sigred Via Zeek
- Detect Zerologon Via Zeek
- Detection Of Tools Built By Nirsoft
- Disable Amsi Through Registry
- Disable Etw Through Registry
- Disable Logs Using Wevtutil
- Disable Registry Tool
- Disable Show Hidden Files
- Disable Windows App Hotkeys
- Disable Windows Behavior Monitoring
- Disable Windows Smartscreen Protection
- Disabled Update Service
- Disabling Cmd Application
- Disabling Controlpanel
- Disabling Firewall With Netsh
- Disabling Folderoptions Windows Feature
- Disabling Net User Account
- Disabling Norun Windows App
- Disabling Remote User Account Control
- Disabling Systemrestore In Registry
- Disabling Task Manager
- Dllhost With No Command Line Arguments With Network
- Domain Account Discovery With Dsquery
- Domain Account Discovery With Net App
- Domain Account Discovery With Wmic
- Domain Controller Discovery With Nltest
- Domain Controller Discovery With Wmic
- Domain Group Discovery With Adsisearcher
- Domain Group Discovery With Dsquery
- Domain Group Discovery With Net
- Domain Group Discovery With Wmic
- Download Files Using Telegram
- Download from Internal Server
- Drop Icedid License Dat
- Dsquery Domain Discovery
- Dump LSASS Via Comsvcs DLL
- Dump LSASS Via Procdump
- EC2 Instance Isolation
- Elevated Group Discovery With Net
- Elevated Group Discovery With Powerview
- Elevated Group Discovery With Wmic
- Email Attachments With Lots Of Spaces
- Email Files Written Outside Of The Outlook Directory
- Email Servers Sending High Volume Traffic To Hosts
- Emails from Outside the Organization with Company Domains
- Emails with Lookalike Domains
- Enable Rdp In Other Port Number
- Endpoint Uncleaned Malware Detection
- Enumerate Users Local Group Using Telegram
- Esentutl Sam Copy
- Eventvwr Uac Bypass
- Excel Spawning Powershell
- Excel Spawning Windows Script Host
- Excessive Attempt To Disable Services
- Excessive Box Downloads
- Excessive DNS Queries
- Excessive Data Printed
- Excessive Data Transmission
- Excessive Downloads via VPN
- Excessive Failed Logins
- Excessive HTTP Failure Responses
- Excessive Number Of Distinct Processes Created In Windows Temp Folder
- Excessive Number Of Service Control Start As Disabled
- Excessive Number Of Taskhost Processes
- Excessive Service Stop Attempt
- Excessive Usage Of Cacls App
- Excessive Usage Of Net App
- Excessive Usage Of Nslookup App
- Excessive Usage Of Sc Service Utility
- Excessive Usage Of Taskkill
- Exchange Powershell Abuse Via Ssrf
- Exchange Powershell Module Usage
- Executables Or Script Creation In Suspicious Path
- Execute Javascript With Jscript Com Clsid
- Execution Of File With Multiple Extensions
- Exfiltration
- Exfiltration after Account Compromise
- Exfiltration after Infection
- Exfiltration after Suspicious Internal Activity
- Expected Host Not Reporting
- Expected Host Not Reporting - in Category
- External Alarm Activity
- External Website Attack
- Extraction Of Registry Hives
- Failed Access by Disabled Badge
- Failed Badge Accesses on Multiple Doors
- Fake Windows Processes
- Familiar Filename Launched with New Path on Host
- File With Samsam Extension
- Find Processes with Renamed Executables
- Find Unusually Long CLI Commands
- First Time Access to Jump Server for Peer Group
- First Time Accessing an Internal Git Repository
- First Time Accessing an Internal Git Repository Not Viewed by Peers
- First Time Logon to New Server
- First Time Seen Child Process Of Zoom
- First Time Seen Running Windows Service
- First Time USB Usage
- Flight Risk Emailing
- Flight Risk Printing
- Flight Risk User
- Flight Risk Web Browsing
- Fodhelper Uac Bypass
- Fsutil Zeroing File
- GCP Detect Gcploit Framework
- GCP Kubernetes Cluster Pod Scan Detection
- Geographically Improbable Access (Physical access and VPN)
- Geographically Improbable Access Detected
- Geographically Improbable Access Detected against Category
- Geographically Improbable Access Detected for Privileged Accounts
- Get Addefaultdomainpasswordpolicy With Powershell
- Get Addefaultdomainpasswordpolicy With Powershell Script Block
- Get Aduser With Powershell
- Get Aduser With Powershell Script Block
- Get Aduserresultantpasswordpolicy With Powershell
- Get Aduserresultantpasswordpolicy With Powershell Script Block
- Get Domainpolicy With Powershell
- Get Domainpolicy With Powershell Script Block
- Get Domainuser With Powershell
- Get Domainuser With Powershell Script Block
- Get Wmiobject Group Discovery
- Get Wmiobject Group Discovery With Script Block Logging
- Get-Domaintrust With Powershell
- Get-Domaintrust With Powershell Script Block
- Get-Foresttrust With Powershell
- Get-Foresttrust With Powershell Script Block
- Getadcomputer With Powershell
- Getadcomputer With Powershell Script Block
- Getadgroup With Powershell
- Getadgroup With Powershell Script Block
- Getcurrent User With Powershell
- Getcurrent User With Powershell Script Block
- Getdomaincomputer With Powershell
- Getdomaincomputer With Powershell Script Block
- Getdomaincontroller With Powershell
- Getdomaincontroller With Powershell Script Block
- Getdomaingroup With Powershell
- Getdomaingroup With Powershell Script Block
- Getlocaluser With Powershell
- Getlocaluser With Powershell Script Block
- Getnettcpconnection With Powershell
- Getnettcpconnection With Powershell Script Block
- Getwmiobject Ds Computer With Powershell
- Getwmiobject Ds Computer With Powershell Script Block
- Getwmiobject Ds Group With Powershell
- Getwmiobject Ds Group With Powershell Script Block
- Getwmiobject Ds User With Powershell
- Getwmiobject Ds User With Powershell Script Block
- Getwmiobject User Account With Powershell
- Getwmiobject User Account With Powershell Script Block
- Github Commit Changes In Master
- Github Commit In Develop
- Github Dependabot Alert
- Github Pull Request From Unknown User
- Gpupdate With No Command Line Arguments With Network
- Gsuite Drive Share In External Email
- Gsuite Email Suspicious Attachment
- Gsuite Email Suspicious Subject With Attachment
- Gsuite Email With Known Abuse Web Service Link
- Gsuite Outbound Email With Attachment To External Domain
- Gsuite Suspicious Shared File Name
- Healthcare Worker Opening More Patient Records Than Usual
- Hide User Account From Sign-In Screen
- Hiding Files And Directories With Attrib Exe
- High File Deletion Frequency
- High Number Of Infected Hosts
- High Number Of Login Failures From A Single Source
- High Number of Hosts Not Updating Malware Signatures
- High Or Critical Priority Host With Malware Detected
- High Process Count
- High Process Termination Frequency
- High Volume Email Activity to Non-corporate Domains by User
- High Volume of Traffic from High or Critical Host Observed
- High or Critical Priority Individual Logging into Infected Machine
- High or critical risk NGFW application activity detected
- Host Sending Excessive Email
- Host With A Recurring Malware Infection
- Host With High Number Of Listening ports
- Host With High Number Of Services
- Host With Multiple Infections
- Host With Old Infection Or Potential Re-Infection
- Hosts Receiving High Volume Of Network Traffic From Email Server
- Hosts Sending To More Destinations Than Normal
- Hosts Where Security Sources Go Quiet
- Hosts with Varied and Future Timestamps
- Hunting COVID Themed Attacks With IOCs
- IP Investigate and Report
- Icacls Deny Command
- Icacls Grant Command
- Icedid Exfiltrated Archived File Creation
- Image From New Repository Detected
- In-Scope Device with Outdated Anti-Malware Found
- In-Scope System with Windows Update Disabled
- Inactive Account Activity Detected
- Increase in # of Hosts Logged into
- Increase in Pages Printed
- Increase in Source Code (Git) Downloads
- Increase in Windows Privilege Escalations
- Infected Host
- Infection followed by Exfiltration
- Insecure Or Cleartext Authentication Detected
- Instance Created by Unusual User
- Instance Modified by Unusual User
- Integrating Threat Indicators with MISP and Splunk Enterprise Security
- Investigate GDPR Breaches Using ES
- Jscript Execution Using Cscript App
- Kerberoasting Spn Request With RC4 Encryption
- Known Services Killed By Ransomware
- Kubernetes AWS Detect Suspicious Kubectl Calls
- Kubernetes Nginx Ingress Lfi
- Kubernetes Nginx Ingress Rfi
- Kubernetes Scanner Image Pulling
- Land Speed Violation
- Large Volume Of DNS Any Queries
- Large Web Upload
- Lateral Movement
- Local Account Creation
- Local Account Discovery With Net
- Local Account Discovery With Wmic
- Machine Generated Beacon
- Macos - Re-Opened Applications
- Mailsniper Invoke Functions
- Malicious AD Activity
- Malicious Command Line Executions
- Malicious Insider Containment
- Malicious Powershell Executed As A Service
- Malicious Powershell Process - Connect To Internet With Hidden Window
- Malicious Powershell Process - Encoded Command
- Malicious Powershell Process - Execution Policy Bypass
- Malicious Powershell Process With Obfuscation Techniques
- Malicious URI with Potential Malware
- Malware
- Malware Investigation
- Many USB File Copies for User
- Modification Of Wallpaper
- Modify ACL Permission To Files Or Folder
- Monitor AutoRun Registry Keys
- Monitor Email For Brand Abuse
- Monitor Registry Keys For Print Monitors
- Monitor Successful Backups
- Monitor Successful Windows Updates
- Monitor Unsuccessful Backups
- Monitor Unsuccessful Windows Updates
- Monitor Web Traffic For Brand Abuse
- Ms Scripting Process Loading Ldap Module
- Ms Scripting Process Loading WMI Module
- Mshta Spawning Rundll32 Or Regsvr32 Process
- Mshtml Module Load In Office Product
- Msmpeng Application DLL Side Loading
- Multiple Account Deletion by an Administrator
- Multiple Account Disabled by an Administrator
- Multiple Account Passwords changed by an Administrator
- Multiple Archive Files Http Post Traffic
- Multiple Authentication Failures
- Multiple Authentications
- Multiple Badge Accesses
- Multiple Box login errors
- Multiple Box logins
- Multiple Box operations
- Multiple Disabled Users Failing To Authenticate From Host Using Kerberos
- Multiple External Alarms
- Multiple Failed Badge Access Attempts
- Multiple Infections on Host
- Multiple Invalid Users Failing To Authenticate From Host Using Kerberos
- Multiple Invalid Users Failing To Authenticate From Host Using Ntlm
- Multiple Login Errors
- Multiple Logins
- Multiple Okta Users With Invalid Credentials From The Same IP
- Multiple Outgoing Connections
- Multiple Primary Functions Detected
- Multiple Users Attempting To Authenticate Using Explicit Credentials
- Multiple Users Failing To Authenticate From Host Using Kerberos
- Multiple Users Failing To Authenticate From Host Using Ntlm
- Multiple Users Failing To Authenticate From Process
- Multiple Users Remotely Failing To Authenticate From Host
- Multiple failed badge attempts and unusual badge access time
- Net Localgroup Discovery
- Net Profiler Uac Bypass
- Network Change Detected
- Network Connection Discovery With Arp
- Network Connection Discovery With Net
- Network Connection Discovery With Netstat
- Network Device Rebooted
- Network Protocol Violation
- New AD Domain Detected
- New Application Accessing Salesforce.com API
- New Cloud API Call Per Peer Group
- New Cloud Provider for User
- New Connection to In-Scope Device
- New Container Uploaded To AWS Ecr
- New Data Exfil DLP Alerts for User
- New High Risk Event Types for Salesforce.com User
- New IaaS API Call Per User
- New Interactive Logon from a Service Account
- New Local Admin Account
- New Logon Type for User
- New Parent Process for cmd.exe or regedit.exe
- New RunAs Host / Privileged Account Combination
- New Service Paths for Host
- New Suspicious Executable Launch for User
- New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch
- New Tables Queried by Salesforce.com Peer Group
- New Tables Queried by Salesforce.com User
- New User Account Created On Multiple Hosts
- New User Taking Privileged Actions
- Nishang Powershelltcponeline
- Nltest Domain Trust Discovery
- No Windows Updates In A Time Frame
- Non Chrome Process Accessing Chrome Default Dir
- Non Firefox Process Access Firefox Profile Dir
- Non-Privileged Users taking Privileged Actions
- Ntdsutil Export Ntds
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA Via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive Sso Logon Errors
- O365 New Federated Domain Added
- O365 Pst Export Alert
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Office Application Drop Executable
- Office Application Spawn Regsvr32 Process
- Office Application Spawn Rundll32 Process
- Office Document Creating Schedule Task
- Office Document Executing Macro Code
- Office Document Spawned Child Process To Download
- Office Product Spawn Cmd Process
- Office Product Spawning Bitsadmin
- Office Product Spawning Certutil
- Office Product Spawning Mshta
- Office Product Spawning Rundll32 With No DLL
- Office Product Spawning Wmic
- Office Product Writing Cab Or Inf
- Office Spawning Control
- Okta Account Lockout Events
- Okta Failed Sso Attempts
- Okta User Logins From Multiple Cities
- Old Passwords in Use
- Outbreak Detected
- Outdated Malware Definitions
- Overwriting Accessibility Binaries
- Password Policy Discovery With Net
- Period with Unusual Windows Security Event Sequences
- Permission Modification Using Takeown App
- Personally Identifiable Information Detected
- Petitpotam Network Share Access Request
- Petitpotam Suspicious Kerberos Tgt Request
- Phishing Investigation and Response
- Plain Http Post Exfiltrated Data
- Possible Phishing Attempt
- Potential Day Trading
- Potential Flight Risk Exfiltration
- Potential Flight Risk Staging
- Potential Gap in Data
- Potential Phishing Attack
- Potential Webshell Activity
- Powershell 4104 Hunting
- Powershell Creating Thread Mutex
- Powershell Disable Security Monitoring
- Powershell Domain Enumeration
- Powershell Enable Smb1Protocol Feature
- Powershell Execute Com Object
- Powershell Fileless Process Injection Via Getprocaddress
- Powershell Fileless Script Contains Base64 Encoded Content
- Powershell Get Localgroup Discovery
- Powershell Get Localgroup Discovery With Script Block Logging
- Powershell Loading Dotnet Into Memory Via System Reflection Assembly
- Powershell Processing Stream Of Data
- Powershell Remote Thread To Known Windows Process
- Powershell Start-Bitstransfer
- Powershell Using Memory As Backing Store
- Prevent Automatic Repair Mode Using Bcdedit
- Print Spooler Adding A Printer Driver
- Print Spooler Failed To Load A Plug-In
- Privilege Escalation after Powershell Activity
- Process Creating Lnk File In Suspicious Location
- Process Deleting Its Process File Path
- Process Execution Via WMI
- Process Kill Base On File Path
- Processes Launching Netsh
- Processes Tapping Keyboard Events
- Processes with High Entropy Names
- Processes with Lookalike (typo) Filenames
- Prohibited Network Traffic Allowed
- Prohibited Port Activity Detected
- Prohibited Process Detected
- Prohibited Service Detected
- Prompt and Block Domain
- Protocol Or Port Mismatch
- Protocols Passing Authentication In Cleartext
- Public Cloud Storage (Bucket)
- Public facing Website Attack
- Pull List of Privileged Users
- RFC1918 IP Not in CMDB
- Ransomware Extensions
- Ransomware Investigate and Contain
- Ransomware Note Files
- Ransomware Notes Bulk Creation
- Ransomware Vulnerabilities
- Recon Avproduct Through Pwh Or WMI
- Recon Using WMI Class
- Recurring Infection on Host
- Recursive Delete Of Directory In Batch Cmd
- Reg Exe Manipulating Windows Services Registry Keys
- Registry Keys For Creating Shim Databases
- Registry Keys Used For Persistence
- Registry Keys Used For Privilege Escalation
- Remcos Rat File Creation In Remcos Folder
- Remote Account Takeover
- Remote Desktop Network Bruteforce
- Remote Desktop Network Traffic
- Remote Desktop Process Running On System
- Remote PowerShell Launches
- Remote Process Instantiation Via WMI
- Remote System Discovery With Adsisearcher
- Remote System Discovery With Dsquery
- Remote System Discovery With Net
- Remote System Discovery With Wmic
- Remote WMI Command Attempt
- Resize Shadowstorage Volume
- Revil Common Exec Parameter
- Revil Registry Entry
- Risky Events from Privileged Users
- Rundll Loading DLL By Ordinal
- Rundll32 Control Rundll Hunt
- Rundll32 Control Rundll World Writable Directory
- Rundll32 Create Remote Thread To A Process
- Rundll32 Createremotethread In Browser
- Rundll32 Dnsquery
- Rundll32 Process Creating Exe DLL Files
- Rundll32 With No Command Line Arguments With Network
- Ryuk Test Files Detected
- Ryuk Wake On Lan Command
- SFDC Suspicious volume of records accessed
- SMB Traffic Allowed
- SMB Traffic Spike
- SMB Traffic Spike - MLTK
- Sam Database File Access Attempt
- Same Error On Many Servers Detected
- Samsam Test File Write
- Sc Exe Manipulating Windows Services
- Scanning Activity
- Schcache Change By App Connect And Create Adsi Object
- Schedule Task With Http Command Arguments
- Schedule Task With Rundll32 Command Trigger
- Scheduled Task Deleted Or Created Via Cmd
- Schtasks Run Task On Demand
- Schtasks Scheduling Job On Remote System
- Schtasks Used For Forcing A Reboot
- Script Execution Via WMI
- Sdclt Uac Bypass
- Searchprotocolhost With No Command Line With Network
- Secretdumps Offline Ntds Dumping Tool
- Sensitive Kubernetes Mount Pod Detected
- Service Account Login
- Services Escalate Exe
- Set Default Powershell Execution Policy To Unrestricted Or Bypass
- Shim Database File Creation
- Shim Database Installation With Suspicious Parameters
- Short Lived Admin Accounts
- Short Lived Windows Accounts
- Short-lived Account Detected
- Significant Increase in Interactive Logons
- Significant Increase in Interactively Logged On Users
- Silentcleanup Uac Bypass
- Single Letter Process On Endpoint
- Slui Runas Elevated
- Slui Spawning A Process
- Sources Sending Many DNS Requests
- Sources Sending a High Volume of DNS Traffic
- Spike In File Writes
- Spike in Downloaded Documents Per User from Salesforce.com
- Spike in Exported Records from Salesforce.com
- Spike in Password Reset Emails
- Spike in SMB Traffic
- Spoolsv Spawning Rundll32
- Spoolsv Suspicious Loaded Modules
- Spoolsv Suspicious Process Access
- Spoolsv Writing A DLL
- Spoolsv Writing A DLL - Sysmon
- Sql Injection With Long Urls
- Sqlite Module In Temp Folder
- Stale Account Usage
- Start Up During Safe Mode Boot
- Substantial Increase In Events
- Substantial Increase In Port Activity
- Successful Login of Account for Former Employee
- Sunburst Correlation DLL And Network Event
- Supernova Webshell
- Suspicious Account Activity
- Suspicious Account Lockout
- Suspicious Activity After Intrusion
- Suspicious Badge Activity
- Suspicious Behavior
- Suspicious Box Usage
- Suspicious Container Image Name
- Suspicious Curl Network Connection
- Suspicious Data Collection
- Suspicious Data Movement
- Suspicious Dllhost No Command Line Arguments
- Suspicious Domain Communication
- Suspicious Domain Communication followed by Malware Activity
- Suspicious Domain Name
- Suspicious Driver Loaded Path
- Suspicious Email - UBA Anomaly
- Suspicious Email Attachment Extensions
- Suspicious Event Log Service Behavior
- Suspicious External Alarm Activity
- Suspicious Gpupdate No Command Line Arguments
- Suspicious HTTP Redirects
- Suspicious HTTP Redirects followed by Suspected Infection
- Suspicious IP Address Communication
- Suspicious Icedid Regsvr32 Cmdline
- Suspicious Icedid Rundll32 Cmdline
- Suspicious Image Creation In Appdata Folder
- Suspicious Java Classes
- Suspicious Microsoft Workflow Compiler Rename
- Suspicious Microsoft Workflow Compiler Usage
- Suspicious Msbuild Path
- Suspicious Msbuild Rename
- Suspicious Msbuild Spawn
- Suspicious Mshta Child Process
- Suspicious Mshta Spawn
Multiple Account Deletion by an Administrator

Description: Detect multiple accounts being deleted by an Administrator
Use Case: Security Monitoring, Compliance
Category: Compliance, Privileged User Monitoring
Security Impact
A technique used by attackers is to create multiple accounts, take a series of actions, and then delete the accounts to mask the activity. This search finds the account that was used to delete those accounts.
Alert Volume: Medium
SPL Difficulty: Easy
Data Availability: Bad
Journey Stage: 1
MITRE ATT&CK Tactics: Persistence, Initial Access, Credential Access
MITRE ATT&CK Techniques: Valid Accounts, Account Manipulation
MITRE Threat Groups: Chimera, APT39, FIN4, FIN5, FIN10, Soft Cell, Night Dragon, Lazarus Group, TEMP.Veles, APT3, Leviathan, Dragonfly 2.0, Wizard Spider, OilRig, APT41, Suckfly, Silence, FIN6, Threat Group-3390, APT18, menuPass, APT28, Sandworm Team, PittyTiger, FIN8, Carbanak, APT33
Kill Chain Phases: Actions On Objectives
Data Sources: Azure, User Activity Audit, AWS, GCP, Windows Security
Data Model: Change

How to Implement
This search requires an accelerated authentication data model to run. If it is not present, consider ingesting Windows Security or Linux data via the Splunk Universal Forwarder, or AWS, GCP or Azure data via the correct add-on, and then accelerating it with the Common Information Model app.
Known False Positives
The biggest potential false positive from this detection is that, technically, it will fire for any privileged account that is deleting accounts, not just admin accounts specifically. It is difficult to put sufficient logic into a single search to detect admin-only accounts, as "privilege" is often a general term that implies any user with rights above the average user. So while this search is meant to detect account deletions by admins, it could also alert on any automated account that may be cleaning up Active Directory.
Beyond that, there are no known sources of false positives for this search.
How To Respond
When this search returns values, initiate your incident response process and capture the time of the creation and deletion events, the user account that created the account and the account name itself, the system that initiated the request, and other pertinent information. Contact the account owners to verify whether or not this is authorized behavior. If not, begin to investigate the actions taken by each account leading up to its deletion. If it is authorized behavior, document that it is authorized and by whom.
Multiple Account Deletion by an Administrator Help
This example leverages the Simple Search assistant. Our dataset is a collection of Windows security logs for user deletion. We filter for multiple deletions within a short period of time; anything that matches is surfaced.
SPL for Multiple Account Deletion by an Administrator (Live Data)

| from datamodel:"Change"."Account_Management"
Here we start with a data set from the Change data model.

| where 'tag'="delete"
Filter on deletes only.

| stats max(_time) as "lastTime", latest(_raw) as "orig_raw", values(result) as "signature", values(src) as "src", values(dest) as "dest", count by "src_user", "user"
We list and count the number of deletions by source user.

| where 'count'>1
Only show users that have deleted more than 1 account.

| `get_identity4events(user)`
This macro attaches information from the ES Asset and Identity framework so you can see if a user is considered privileged.

| search category="privileged"
Filter on privileged users only.
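As an added example (not the page's SPL and not Splunk code), here is the same logic run offline in Python over constructed events: it groups deletions by the deleting account (src_user) and counts distinct deleted accounts, which is the behaviour the walkthrough describes, and looks up that account's identity category in a constructed table in place of `get_identity4events`. The `suppress` allowlist is an assumed addition for the cleanup-automation false positive noted above.

```python
"""Offline re-implementation of the page's detection logic (added example,
not Splunk code). Events are constructed in the shape of Change.Account_Management
results; IDENTITY_CATEGORY stands in for the ES Asset and Identity lookup."""
from collections import defaultdict

# Constructed sample events (not real logs). _time is epoch seconds.
EVENTS = [
    {"_time": 1700000100, "tag": "delete", "src_user": "adm.jdoe", "user": "tmp_a",
     "result": "success", "src": "dc01", "dest": "corp.local"},
    {"_time": 1700000200, "tag": "delete", "src_user": "adm.jdoe", "user": "tmp_b",
     "result": "success", "src": "dc01", "dest": "corp.local"},
    {"_time": 1700000300, "tag": "delete", "src_user": "cleanup-bot", "user": "old_1",
     "result": "success", "src": "dc02", "dest": "corp.local"},
    {"_time": 1700000400, "tag": "delete", "src_user": "cleanup-bot", "user": "old_2",
     "result": "success", "src": "dc02", "dest": "corp.local"},
    {"_time": 1700000500, "tag": "delete", "src_user": "hr.clerk", "user": "left_1",
     "result": "success", "src": "dc01", "dest": "corp.local"},
    {"_time": 1700000600, "tag": "create", "src_user": "adm.jdoe", "user": "tmp_c",
     "result": "success", "src": "dc01", "dest": "corp.local"},
]
# Constructed identity table (assumed shape): src_user -> category.
IDENTITY_CATEGORY = {"adm.jdoe": "privileged", "cleanup-bot": "privileged",
                     "hr.clerk": "normal"}


def multiple_account_deletions(events, identity_category, min_accounts=2, suppress=()):
    """Privileged src_users that deleted at least min_accounts distinct accounts.
    `suppress` lists known AD cleanup automation, the page's main false positive."""
    rows = defaultdict(lambda: {"user": set(), "signature": set(), "src": set(),
                                "dest": set(), "lastTime": 0, "count": 0})
    for ev in events:
        if ev.get("tag") != "delete":                 # | where 'tag'="delete"
            continue
        r = rows[ev["src_user"]]                      # | stats ... by src_user
        r["count"] += 1
        r["lastTime"] = max(r["lastTime"], ev["_time"])
        for f in ("user", "signature", "src", "dest"):
            r[f].add(ev["result"] if f == "signature" else ev[f])
    notables = []
    for src_user, r in rows.items():
        if len(r["user"]) < min_accounts:             # | where 'count'>1
            continue
        if identity_category.get(src_user) != "privileged" or src_user in suppress:
            continue                                  # | search category="privileged"
        notables.append({"src_user": src_user, "count": r["count"],
                         "lastTime": r["lastTime"],
                         **{f: sorted(r[f]) for f in ("user", "signature", "src", "dest")}})
    return sorted(notables, key=lambda n: n["src_user"])
```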