llm:
11e33a8f-805b-4394-bee0-08ae8d78b025:
name: AWS Bedrock LLM Sensitive Content Refusals
path: ./llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml
mitre:
- AML.T0051
00023411-192e-4472-90aa-da7562bc3f2a:
name: AWS Bedrock LLM Denial-of-Service or Resource Exhaustion
path: ./llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml
mitre:
- AML.T0034
131e5887-463a-46a1-a44e-b96361bc6cbc:
name: AWS Bedrock LLM Ignore Previous Prompt Detection
path: ./llm/queries/aws_bedrock_ignore_previous_prompt_detection.toml
mitre:
- AML.T0051.000
991b55c3-6327-4af6-8e0c-5d4870748369:
name: AWS Bedrock LLM Latency Anomalies
path: ./llm/queries/aws_bedrock_latency_anomalies_detection.toml
mitre:
- AML.T0029
macos:
dc04d70a-80aa-4c3f-ad02-2b18d54af6d4:
name: Suspicious Network Connections by Unsigned Mach-O
path: ./macos/queries/suspicious_network_connections_by_unsigned_macho.toml
mitre:
- T1071
69fc4f40-8fb1-4652-99b7-52755cd370fe:
name: Low Occurrence of Suspicious Launch Agent or Launch Daemon
path: ./macos/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml
mitre:
- T1547
- T1547.011
- T1543
- T1543.001
- T1543.004
7ab00c3d-0ed3-4e4b-9806-b19959bf6b12:
name: Self-Deleted Python Script Accessing Sensitive Files
path: ./macos/queries/defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml
mitre:
- T1059.006
- T1070.004
- T1552.001
9aaf1113-cf7a-4fd7-b796-f6456fdaffb5:
name: Unsigned or Untrusted Binary Execution via Python
path: ./macos/queries/execution_unsigned_or_untrusted_binary_execution_via_python.toml
mitre:
- T1059.006
- T1105
76a1f901-4495-4cbd-a35a-7ff8d116602b:
name: Python Library Load and Delete
path: ./macos/queries/defense_evasion_python_library_load_and_delete.toml
mitre:
- T1059.006
- T1070.004
04d4b300-bf2f-4e86-8fab-c51502a1db32:
name: Suspicious Python App Execution via Streamlit
path: ./macos/queries/execution_suspicious_python_app_execution_via_streamlit.toml
mitre:
- T1059.006
- T1105
76f10746-9527-4c99-8ed8-491085ecdcfd:
name: Python Script Drop and Execute
path: ./macos/queries/execution_python_script_drop_and_execute.toml
mitre:
- T1059.006
- T1105
02e50f28-d5a1-4289-ab49-48ae0e2ca196:
name: Unsigned or Untrusted Binary Forked by Python
path: ./macos/queries/execution_unsigned_or_untrusted_binary_fork_via_python.toml
mitre:
- T1059.006
107fe9a2-6743-4136-a055-fa070fd38f2f:
name: Potential Python Stealer Activity
path: ./macos/queries/credential_access_potential_python_stealer.toml
mitre:
- T1059.006
- T1552.001
6461f45e-b03f-4756-94d2-34a210caeb78:
name: Self-Deleting Python Script
path: ./macos/queries/defense_evasion_self_deleting_python_script.toml
mitre:
- T1059.006
- T1070.004
d9b30b84-dc53-413c-a7e4-f42078b10048:
name: Unusual Library Load via Python
path: ./macos/queries/execution_unusual_library_load_via_python.toml
mitre:
- T1059.006
f5b1afc4-207c-11f0-aa05-f661ea17fbcd:
name: Suspicious Executable File Modification via Docker
path: ./macos/queries/execution_suspicious_executable_file_modification_via_docker.toml
mitre:
- T1105
- T1204.002
fb136106-207c-11f0-aa05-f661ea17fbcd:
name: Sensitive File Access via Docker
path: ./macos/queries/execution_suspicious_file_access_via_docker.toml
mitre:
- T1083
- T1552.001
linux:
ecd84bc7-32ae-474b-93a8-d1d9736c3464:
name: Network Connections with Low Occurrence Frequency for Unique Agent ID
path: ./linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml
mitre:
- T1071.001
- T1071.004
2db642d2-621a-4183-88b5-b2659dc2c940:
name: OSQuery SUID Hunting
path: ./linux/queries/privilege_escalation_via_suid_binaries.toml
mitre:
- T1548.001
- T1574.002
5984a354-d76c-43e6-bdd9-228456f1b371:
name: Persistence via Message-of-the-Day
path: ./linux/queries/persistence_via_message_of_the_day.toml
mitre:
- T1036.005
- T1546.003
00461198-9a2d-4823-b4cc-f3d1b5c17935:
name: Hidden Process Execution
path: ./linux/queries/defense_evasion_via_hidden_process_execution.toml
mitre:
- T1036.004
- T1059
6e57e6a6-f150-405d-b8be-e4e666a3a86d:
name: Privilege Escalation Identification via Existing Sudoers File
path: ./linux/queries/privilege_escalation_via_existing_sudoers.toml
mitre:
- T1548.003
223f812c-a962-4d58-961d-134d8f8b15da:
name: Excessive SSH Network Activity to Unique Destinations
path: ./linux/queries/excessive_ssh_network_activity_unique_destinations.toml
mitre:
- T1021.004
- T1078.003
8dcc2161-65e0-4448-a03a-1c4e0cbc9330:
name: XDG Persistence
path: ./linux/queries/persistence_via_xdg_autostart_modifications.toml
mitre:
- T1547.001
- T1053.005
d2d24ad6-a315-4e05-a3f9-e205eb805df4:
name: Persistence via Systemd (Timers)
path: ./linux/queries/persistence_via_systemd_timers.toml
mitre:
- T1053.005
- T1546.002
12526f14-5e35-4f5f-884c-96c6a353a544:
name: Low Volume External Network Connections from Process by Unique Agent
path: ./linux/queries/low_volume_external_network_connections_from_process.toml
mitre:
- T1071.001
- T1071.004
27d76f07-7dc4-49bc-b4a7-6d9a01de171f:
name: Persistence via System V Init
path: ./linux/queries/persistence_via_sysv_init.toml
mitre:
- T1037
2d7bb29d-d53f-47ab-a0b4-1818adb91423:
name: Git Hook/Pager Persistence
path: ./linux/queries/persistence_via_git_hook_pager.toml
mitre:
- T1546.004
- T1059.004
7422faf1-ba51-49c3-b8ba-13759e6bcec4:
name: Persistence Through Reverse/Bind Shells
path: ./linux/queries/persistence_reverse_bind_shells.toml
mitre:
- T1059.004
c7044817-d9a5-4755-abab-9059e50dab24:
name: Low Volume Modifications to Critical System Binaries by Unique Host
path: ./linux/queries/low_volume_modifications_to_critical_system_binaries.toml
mitre:
- T1070.004
- T1569.002
20a02fad-2a09-44c0-a8ce-ce4502859c8a:
name: Shell Modification Persistence
path: ./linux/queries/persistence_via_shell_modification_persistence.toml
mitre:
- T1546.004
- T1053.005
0ea47044-b161-4785-ba99-e11f46d6ac51:
name: Uncommon Process Execution from Suspicious Directory
path: ./linux/queries/execution_uncommon_process_execution_from_suspicious_directory.toml
mitre:
- T1036.004
- T1049
- T1059
- T1059.004
783d6091-b98d-45a8-a880-a07f112a8aa2:
name: Low Volume GTFOBins External Network Connections
path: ./linux/queries/low_volume_gtfobins_external_network_connections.toml
mitre:
- T1219
- T1071.001
8d42a644-5b60-4165-a8f1-84d5bcdd4ade:
name: Persistence via Udev
path: ./linux/queries/persistence_via_udev.toml
mitre:
- T1547.010
e1f59c9a-7a2a-4eb8-a524-97b16a041a4a:
name: Drivers Load with Low Occurrence Frequency
path: ./linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml
mitre:
- T1547.006
- T1069.002
95c1467d-d566-4645-b5f1-37a4b0093bb6:
name: Logon Activity by Source IP
path: ./linux/queries/login_activity_by_source_address.toml
mitre:
- T1110
- T1078
d22cbe8f-c84d-4811-aa6d-f1ee00c806b2:
name: Unusual System Binary Parent (Potential System Binary Hijacking Attempt)
path: ./linux/queries/persistence_via_unusual_system_binary_parent.toml
mitre:
- T1546.004
- T1059.004
3f3fd2b9-940c-4310-adb1-d8b7d726e281:
name: Segmentation Fault & Potential Buffer Overflow Hunting
path: ./linux/queries/privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml
mitre:
- T1203
- T1068
2d01a413-8d97-407a-8698-02dfc7119c97:
name: Persistence via Package Manager
path: ./linux/queries/persistence_via_package_manager.toml
mitre:
- T1546.004
- T1059.004
11810497-8ce3-4960-9777-9d0e97052682:
name: Potential Defense Evasion via Multi-Dot Process Execution
path: ./linux/queries/defense_evasion_via_multi_dot_process_execution.toml
mitre:
- T1036.004
- T1070
0d061fad-cf35-43a6-b9b7-986c348bf182:
name: Unusual File Downloads from Source Addresses
path: ./linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml
mitre:
- T1071.001
- T1071.004
6f67704d-e5b1-4613-912c-e2965660fe17:
name: Process Capability Hunting
path: ./linux/queries/privilege_escalation_via_process_capabilities.toml
mitre:
- T1548.001
- T1548.003
aa759db0-4499-42f2-9f2f-be3e00fdebfa:
name: Persistence via SSH Configurations and/or Keys
path: ./linux/queries/persistence_via_ssh_configurations_and_keys.toml
mitre:
- T1098.004
- T1563.001
e1cffb7c-4acf-4e7a-8d72-b8b7657cf7b8:
name: Persistence via Cron
path: ./linux/queries/persistence_via_cron.toml
mitre:
- T1053.003
- T1053.005
c9931736-d5ec-4c89-b4d2-d71dcf5ca12a:
name: Low Volume Process Injection-Related Syscalls by Process Executable
path: ./linux/queries/low_volume_process_injection_syscalls_by_executable.toml
mitre:
- T1055.001
- T1055.009
f00c9757-d21b-432c-90a6-8372f18075d0:
name: Privilege Escalation/Persistence via User/Group Creation and/or Modification
path: ./linux/queries/persistence_via_user_group_creation_modification.toml
mitre:
- T1136
- T1136.001
- T1136.002
9d485892-1ca2-464b-9e4e-6b21ab379b9a:
name: Defense Evasion via Capitalized Process Execution
path: ./linux/queries/defense_evasion_via_capitalized_process_execution.toml
mitre:
- T1036.004
- T1070
a95f778f-2193-4a3d-bbbe-7b02d5740638:
name: Persistence via rc.local/rc.common
path: ./linux/queries/persistence_via_rc_local.toml
mitre:
- T1037.004
- T1546.003
2a3c46b8-7bd6-4bc4-a4a8-a1af114ea152:
name: Persistence via Pluggable Authentication Modules (PAM)
path: ./linux/queries/persistence_via_pluggable_authentication_module.toml
mitre:
- T1556.003
664d65ec-029e-4746-bf97-7bf3a0113e6a:
name: Persistence via Dynamic Linker Hijacking
path: ./linux/queries/persistence_via_dynamic_linker_hijacking.toml
mitre:
- T1574.006
d667d328-fadc-4a52-9b46-f42b1a83181c:
name: Persistence via Loadable Kernel Modules
path: ./linux/queries/persistence_via_loadable_kernel_modules.toml
mitre:
- T1547.006
e2e4a1ad-5e03-4968-927c-9ef13c49a3b8:
name: Persistence via Web Shell
path: ./linux/queries/persistence_via_web_shell.toml
mitre:
- T1505.003
1d7cae97-2dea-4f01-b04c-85fa4bd991d0:
name: Persistence via DPKG/RPM Package
path: ./linux/queries/persistence_via_rpm_dpkg_installer_packages.toml
mitre:
- T1546.016
b9b4f11f-1db9-491a-ab43-0e69e3f6d5be:
name: Persistence via Docker Container
path: ./linux/queries/persistence_via_malicious_docker_container.toml
mitre:
- T1610
8f3bf096-2f3b-4d38-9925-0eb120323da3:
name: Persistence via NetworkManager Dispatcher Script
path: ./linux/queries/persistence_via_network_manager_dispatcher_script.toml
mitre:
- T1546
2223bbda-b931-4f33-aeb4-0e0732a370dd:
name: Persistence via Desktop Bus (D-Bus)
path: ./linux/queries/persistence_via_desktop_bus.toml
mitre:
- T1543
4e8a17d3-9139-4b45-86d5-79e8d1eba71e:
name: Persistence via PolicyKit
path: ./linux/queries/persistence_via_policykit.toml
mitre:
- T1543
9997c6fb-4e01-477f-9011-fc7fc6b000b6:
name: General Kernel Manipulation
path: ./linux/queries/persistence_general_kernel_manipulation.toml
mitre:
- T1542
1206f5e2-aee6-4e5c-bda0-718fe440b1cf:
name: Persistence via Initramfs
path: ./linux/queries/persistence_via_initramfs.toml
mitre:
- T1542
7adc1a69-3962-4f84-a46d-0b68f69e45a8:
name: Persistence via GRUB Bootloader
path: ./linux/queries/persistence_via_grub_bootloader.toml
mitre:
- T1542
okta:
0b936024-71d9-11ef-a9be-f661ea17fbcc:
name: Failed OAuth Access Token Retrieval via Public Client App
path: ./okta/queries/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml
mitre:
- T1550.001
31585786-71f4-11ef-9e99-f661ea17fbcc:
name: Successful Impossible Travel Sign-On Events
path: ./okta/queries/initial_access_impossible_travel_sign_on.toml
mitre:
- T1078.004
223451b0-6eca-11ef-a070-f661ea17fbcc:
name: Rapid MFA Deny Push Notifications (MFA Bombing)
path: ./okta/queries/credential_access_mfa_bombing_push_notifications.toml
mitre:
- T1621
11666aa0-71d9-11ef-a9be-f661ea17fbcc:
name: Rare Occurrence of OAuth Access Token Granted to Public Client App
path: ./okta/queries/defense_evasion_rare_oauth_access_token_granted_by_application.toml
mitre:
- T1550.001
c8a35a26-71f1-11ef-9c4e-f661ea17fbcc:
name: Identify High Average of Failed Daily Authentication Attempts
path: ./okta/queries/initial_access_higher_than_average_failed_authentication.toml
mitre:
- T1078.004
1c2d2b08-71ee-11ef-952e-f661ea17fbcc:
name: Password Spraying from Repeat Source
path: ./okta/queries/initial_access_password_spraying_from_repeat_source.toml
mitre:
- T1078.004
f3bc68f4-71e9-11ef-952e-f661ea17fbcc:
name: Rare Occurrence of Domain with User Authentication Events
path: ./okta/queries/persistence_rare_domain_with_user_authentication.toml
mitre:
- T1078.004
7c51fe3e-6ae9-11ef-919d-f661ea17fbcc:
name: Multi-Factor Authentication (MFA) Push Notification Bombing
path: ./okta/queries/persistence_multi_factor_push_notification_bombing.toml
mitre:
- T1556.006
c784106e-6ae8-11ef-919d-f661ea17fbcc:
name: Rapid Reset Password Requests for Different Users
path: ./okta/queries/credential_access_rapid_reset_password_requests_for_different_users.toml
mitre:
- T1098.001
38d82c2c-71d9-11ef-a9be-f661ea17fbcc:
name: OAuth Access Token Granted for Public Client App from Multiple Client Addresses
path: ./okta/queries/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml
mitre:
- T1550.001
03bce3b0-6ded-11ef-9282-f661ea17fbcc:
name: Multiple Application SSO Authentication from the Same Source
path: ./okta/queries/defense_evasion_multiple_application_sso_authentication_repeat_source.toml
mitre:
- T1550.001
aws:
c3d24ae8-655d-11ef-a990-f661ea17fbcc:
name: High EC2 Instance Deployment Count Attempts by Single User or Role
path: ./aws/queries/ec2_high_instance_deployment_count_attempts.toml
mitre:
- T1578.002
e3206d1c-64a9-11ef-a642-f661ea17fbcc:
name: Lambda Add Permissions for Write Actions to Function
path: ./aws/queries/lambda_add_permissions_for_write_actions_to_function.toml
mitre:
- T1584.007
913a47be-649c-11ef-a693-f661ea17fbcc:
name: IAM User Activity with No MFA Session
path: ./aws/queries/iam_user_activity_with_no_mfa_session.toml
mitre:
- T1078.004
f9eae44e-5e4d-11ef-878f-f661ea17fbce:
name: SSM Start Remote Session to EC2 Instance
path: ./aws/queries/ssm_start_remote_session_to_ec2_instance.toml
mitre:
- T1021.007
e6e78858-6482-11ef-93bd-f661ea17fbcc:
name: High Frequency of EC2 Multi-Region `DescribeInstances` API Calls
path: ./aws/queries/ec2_discovery_multi_region_describe_instance_calls.toml
mitre:
- T1580
429824b6-60b2-11ef-b0a4-f661ea17fbce:
name: IAM Assume Role Creation with Attached Policy
path: ./aws/queries/iam_assume_role_creation_with_attached_policy.toml
mitre:
- T1098.003
1844f2d6-5dc7-11ef-b76c-f661ea17fbce:
name: SSM Rare SendCommand Code Execution by EC2 Instance
path: ./aws/queries/ssm_rare_sendcommand_code_execution.toml
mitre:
- T1651
f11ac62c-5f42-11ef-9d72-f661ea17fbce:
name: EC2 Modify Instance Attribute User Data
path: ./aws/queries/ec2_modify_instance_attribute_user_data.toml
mitre:
- T1059.009
- T1037
ef579900-75ef-11ef-b47f-f661ea17fbcc:
name: S3 Public Bucket Rapid Object Access Attempts
path: ./aws/queries/s3_public_bucket_rapid_object_access_attempts.toml
mitre:
- T1530
408ba5f6-5db7-11ef-a01c-f661ea17fbce:
name: EC2 Suspicious Get User Password Request
path: ./aws/queries/ec2_suspicious_get_user_password_request.toml
mitre:
- T1552.005
38454a64-5b55-11ef-b345-f661ea17fbce:
name: SSM SendCommand API Used by EC2 Instance
path: ./aws/queries/ssm_sendcommand_api_used_by_ec2_instance.toml
mitre:
- T1651
953b1252-5efd-11ef-a997-f661ea17fbce:
name: Signin Single Factor Console Login via Federated Session
path: ./aws/queries/signin_single_factor_console_login_via_federated_session.toml
mitre:
- T1078.004
d74f8928-5e46-11ef-9488-f661ea17fbce:
name: Multiple Service Logging Deleted or Stopped
path: ./aws/queries/multiple_service_logging_deleted_or_stopped.toml
mitre:
- T1562.008
ef244ca0-5e32-11ef-a8d3-f661ea17fbce:
name: Secrets Manager High Frequency of Programmatic GetSecretValue API Calls
path: ./aws/queries/secretsmanager_high_frequency_get_secret_value.toml
mitre:
- T1555.006
7a083b24-6482-11ef-8a8f-f661ea17fbcc:
name: High Frequency of Service Quotas Multi-Region `GetServiceQuota` API Calls
path: ./aws/queries/servicequotas_discovery_multi_region_get_service_quota_calls.toml
mitre:
- T1580
696c3f40-5b54-11ef-b9df-f661ea17fbce:
name: User Creation with Administrator Policy Assigned
path: ./aws/queries/iam_user_creation_with_administrator_policy_assigned.toml
mitre:
- T1098.003
- T1136.003
3f8393b2-5f0b-11ef-8a25-f661ea17fbce:
name: STS Suspicious Federated Temporary Credential Request
path: ./aws/queries/sts_suspicious_federated_temporary_credential_request.toml
mitre:
- T1550.001
418baaf2-9ae1-11ef-be63-f661ea17fbcd:
name: AWS IAM Customer-Managed Policy Attachment to Existing Roles
path: ./aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml
mitre:
- T1548.005
18ce3dbc-b1b3-11ef-9e63-f661ea17fbce:
name: AWS IAM Unusual AWS Access Key Usage for User
path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
mitre:
- T1078.004
9fe48b6e-d83a-11ef-84a6-f661ea17fbcd:
name: IAM Unusual Default Aviatrix Role Activity
path: ./aws/queries/iam_unusual_default_aviatrix_role_activity.toml
mitre:
- T1078.004
80955fb2-e952-11ef-b7cc-f661ea17fbce:
name: SNS Topic Created by Rare User
path: ./aws/queries/sns_topic_created_by_rare_user.toml
mitre:
- T1608
db405900-e955-11ef-8c29-f661ea17fbce:
name: SNS Topic Message Published by Rare User
path: ./aws/queries/sns_topic_message_published_by_rare_user.toml
mitre:
- T1567
- T1566.003
21e4d0ee-e955-11ef-8c29-f661ea17fbce:
name: SNS Direct-to-Phone Messaging Spike
path: ./aws/queries/sns_direct_to_phone_messaging_spike.toml
mitre:
- T1660
fb752e42-e952-11ef-85e7-f661ea17fbce:
name: SNS Topic Subscription with Email by Rare User
path: ./aws/queries/sns_email_subscription_by_rare_user.toml
mitre:
- T1567
- T1530
windows:
44e6adc6-e183-4bfa-b06d-db41669641fa:
name: Rundll32 Execution Aggregated by Command Line
path: ./windows/queries/rundll32_execution_aggregated_by_cmdline.toml
mitre:
- T1127
- T1218
- T1218.011
df4ee961-254d-4ad1-af15-c65c3b65abcd:
name: Persistence via Run Key with Low Occurrence Frequency
path: ./windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml
mitre:
- T1547
- T1547.001
5e5aa9c2-96a8-4d5b-bbca-ff2ec8fefa5b:
name: High Count of Network Connection Over Extended Period by Process
path: ./windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml
mitre:
- T1071
4f878255-53b8-4914-9a7d-4b668bd2ea6a:
name: Low Occurrence Rate of CreateRemoteThread by Source Process
path: ./windows/queries/createremotethread_by_source_process_with_low_occurrence.toml
mitre:
- T1055
34a7aadb-fb0f-45ea-9260-830f39c3343b:
name: Rare DLL Side-Loading by Occurrence
path: ./windows/queries/detect_rare_dll_sideload_by_occurrence.toml
mitre:
- T1574
- T1574.002
f7d2054f-b571-4cd0-b39e-a779576e9398:
name: Excessive RDP Network Activity by Host and User
path: ./windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
mitre:
- T1021
- T1021.001
d06bc067-6174-412f-b1c9-bf8f15149519:
name: DLL Hijack via Masquerading as Microsoft Native Libraries
path: ./windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml
mitre:
- T1574
- T1574.001
44223fd6-8241-4c21-9d54-21201fa15b12:
name: Scheduled Tasks Creation for Unique Hosts by Task Command
path: ./windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml
mitre:
- T1053
- T1053.005
24925575-defd-4581-bfda-a8753dcfb46e:
name: Egress Network Connections with Total Bytes Greater than Threshold
path: ./windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml
mitre:
- T1071
df50f65e-e820-47f4-a039-671611582f51:
name: Scheduled tasks Creation by Action via Registry
path: ./windows/queries/scheduled_task_creation_by_action_via_registry.toml
mitre:
- T1053
- T1053.005
a95e69af-22ad-4ab7-919e-794501f10c95:
name: Low Frequency of Process Execution via WMI by Unique Agent
path: ./windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml
mitre:
- T1047
1c7be6db-12eb-4281-878d-b6abe0454f36:
name: DNS Queries via LOLBins with Low Occurrence Frequency
path: ./windows/queries/domain_names_queried_via_lolbins_and_with_low_occurrence_frequency.toml
mitre:
- T1071
386f9cec-bb44-4dd2-8368-45e6fa0a425b:
name: Network Discovery via Sensitive Ports by Unusual Process
path: ./windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml
mitre:
- T1021
- T1021.002
- T1021.001
48b75e53-3c73-40bd-873d-569dd8d7d925:
name: Unique Windows Services Creation by Service File Name
path: ./windows/queries/unique_windows_services_creation_by_servicefilename.toml
mitre:
- T1543
- T1543.003
7a2c8397-d219-47ad-a8e2-93562e568d08:
name: Suspicious DNS TXT Record Lookups by Process
path: ./windows/queries/suspicious_dns_txt_record_lookups_by_process.toml
mitre:
- T1071
- T1071.004
ea950361-33e4-4045-96a5-d36ca28fbc91:
name: Persistence via Startup with Low Occurrence Frequency by Unique Host
path: ./windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml
mitre:
- T1547
- T1547.001
d0aed6f5-f84c-4da8-bb2a-b5ca0fbb55e0:
name: Rare LSASS Process Access Attempts
path: ./windows/queries/detect_rare_lsass_process_access_attempts.toml
mitre:
- T1003
- T1003.001
24108755-4d1f-4d7a-ad5f-04c2ca55e9a3:
name: Frequency of Process Execution via Network Logon by Source Address
path: ./windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml
mitre:
- T1021
c00f1afe-4f25-4542-8cc9-277b23581121:
name: Libraries Loaded by svchost with Low Occurrence Frequency
path: ./windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml
mitre:
- T1543
- T1543.003
a0a84a86-115f-42f9-90a5-4cb7ceeef981:
name: Low Occurrence of Process Execution via Windows Services with Unique Agent
path: ./windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml
mitre:
- T1543
- T1543.003
52a958e8-0368-4e74-bd4b-a64faf397bf4:
name: Startup Execution with Low Occurrence Frequency by Unique Host
path: ./windows/queries/execution_via_startup_with_low_occurrence_frequency.toml
mitre:
- T1547
- T1547.001
a2006c66-d6ab-43ee-871e-d650e38f7972:
name: Masquerading Attempts as Native Windows Binaries
path: ./windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml
mitre:
- T1036
2e583d3c-7ad6-4544-a0db-c685b2066493:
name: Suspicious Base64 Encoded Powershell Command
path: ./windows/queries/suspicious_base64_encoded_powershell_commands.toml
mitre:
- T1059
- T1059.001
- T1027
- T1027.010
cebfbb4d-5b2a-44d8-b763-5512b654fb26:
name: Low Occurrence of Drivers Loaded on Unique Hosts
path: ./windows/queries/drivers_load_with_low_occurrence_frequency.toml
mitre:
- T1068
441fba85-47a9-4f1f-aab4-569bbfdc548b:
name: Windows Logon Activity by Source IP
path: ./windows/queries/windows_logon_activity_by_source_ip.toml
mitre:
- T1110
- T1110.001
- T1110.003
b786bcd7-b119-4ff7-b839-3927c2ff7f1f:
name: Executable File Creation by an Unusual Microsoft Binary
path: ./windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
mitre:
- T1211
- T1055
0d960760-8a40-49c1-bbdd-4deb32c7fd67:
name: Low Frequency of Process Execution via Windows Scheduled Task by Unique
Agent
path: ./windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml
mitre:
- T1053
- T1053.005
5fd5da54-0515-4d6b-b8d7-30fd05f5be33:
name: Execution via Remote Services by Client Address
path: ./windows/queries/execution_via_remote_services_by_client_address.toml
mitre:
- T1021
- T1021.003
- T1021.006
- T1047
aca4877f-d284-4bdb-8e18-b1414d3a7c20:
name: Windows Command and Scripting Interpreter from Unusual Parent Process
path: ./windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
mitre:
- T1059
- T1059.001
- T1059.003
814894a4-c951-4f33-ab0b-09354e1cb957:
name: PE File Transfer via SMB_Admin Shares by Agent or User
path: ./windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml
mitre:
- T1021
- T1021.002
f1b8519a-4dae-475f-965a-f53559233eab:
name: Microsoft Office Child Processes with Low Occurrence Frequency by Unique
Agent
path: ./windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml
mitre:
- T1566
- T1566.001
8a95f552-f149-4c71-888e-f2690f5add15:
name: Excessive SMB Network Activity by Process ID
path: ./windows/queries/excessive_smb_network_activity_by_process_id.toml
mitre:
- T1021
- T1021.002
azure:
d27f1da8-eec6-11ef-983a-f661ea17fbce:
name: Azure Entra Authentication Attempts from Abused Hosting Service Providers
path: ./azure/queries/entra_authentication_attempts_from_abused_hosting_service_providers.toml
mitre:
- T1078.004
b54528ca-eec8-11ef-b314-f661ea17fbce:
name: Entra ID Device Code Authentication from Unusual Principal
path: ./azure/queries/entra_device_code_authentication_from_unusual_principal.toml
mitre:
- T1078.004
- T1528
- T1566.002
a9281116-fde0-11ef-9ee5-f661ea17fbcd:
name: Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins
path: ./azure/queries/entra_excessive_non_interactive_sfa_sign_ins_across_users.toml
mitre:
- T1078.004
- T1110.003
3f26f262-fe14-11ef-9ee5-f661ea17fbcd:
name: Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents
path: ./azure/queries/entra_authentication_attempts_behind_rare_user_agents.toml
mitre:
- T1078.004
- T1110.003
ce47ec2c-fe13-11ef-9ee5-f661ea17fbcd:
name: Azure Entra Unusual Client App Authentication Requests on Behalf of Principal
Users
path: ./azure/queries/entra_unusual_client_app_auth_request_on_behalf_of_user.toml
mitre:
- T1078.004
- T1110.003
d2dd0288-0a8c-11f0-b738-f661ea17fbcc:
name: Microsoft Entra ID Uncommon IP Adding Credentials to Service Principal
path: ./azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
mitre:
- T1098.001
0d3d2254-2b4a-11f0-a019-f661ea17fbcc:
name: Microsoft Entra Infrequent Suspicious OData Client Requests
path: ./azure/queries/entra_suspicious_odata_client_requests.toml
mitre:
- T1078.004
- T1550.001
- T1098.005
- T1071.001
- T1556.006
91f4e8e6-7d35-45e1-89c5-8c77e78ef5c1:
name: Microsoft Entra ID Rare Service Principal Activity from Multiple IPs
path: ./azure/queries/entra_rare_actions_by_service_principal.toml
mitre:
- T1098.001
cross-platform:
e912f5c6-eed3-11ef-a5d7-6f9f7a1e2e00:
name: Potential Spoofed `microsoftonline.com` via Fuzzy Match
path: ./cross-platform/queries/potentially_spoofed_microsoft_authentication_domain.toml
mitre:
- T1566.002
- T1583.001