detecting-bluetooth-low-energy-attacks
>
detecting-broken-object-property-level-authorization
Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.
detecting-business-email-compromise-with-ai
Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters.
detecting-business-email-compromise
Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data,
detecting-cloud-threats-with-guardduty
>
detecting-command-and-control-over-dns
>
detecting-compromised-cloud-credentials
>
detecting-container-drift-at-runtime
Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system changes, and configuration deviations from the original container image.
detecting-kerberoasting-attacks
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.
detecting-container-escape-attempts
Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators
detecting-container-escape-with-falco-rules
Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation.
detecting-credential-dumping-techniques
Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules
detecting-cryptomining-in-cloud
>
detecting-dcsync-attack-in-active-directory
Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.
detecting-deepfake-audio-in-vishing-attacks
>
detecting-dll-sideloading-attacks
Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.
detecting-dnp3-protocol-anomalies
>
detecting-dns-exfiltration-with-dns-query-analysis
Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT record abuse, and response payload sizes using passive DNS monitoring.
detecting-email-account-compromise
Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs.
detecting-email-forwarding-rules-attack
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.
detecting-evasion-techniques-in-endpoint-logs
>
detecting-exfiltration-over-dns-with-zeek
Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns
detecting-fileless-attacks-on-endpoints
>
detecting-fileless-malware-techniques
>
detecting-golden-ticket-attacks-in-kerberos-logs
Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.
detecting-golden-ticket-forgery
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
detecting-insider-data-exfiltration-via-dlp
>
detecting-insider-threat-behaviors
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft.
detecting-insider-threat-with-ueba
Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns.
detecting-lateral-movement-with-splunk
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.
detecting-lateral-movement-with-zeek
>
detecting-living-off-the-land-attacks
>
detecting-living-off-the-land-with-lolbas
Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis
detecting-malicious-scheduled-tasks-with-sysmon
>
detecting-mimikatz-execution-patterns
Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.
detecting-misconfigured-azure-storage
>
detecting-mobile-malware-behavior
>
detecting-modbus-command-injection-attacks
>
detecting-modbus-protocol-anomalies
>
detecting-network-anomalies-with-zeek
>
detecting-network-scanning-with-ids-signatures
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity.
detecting-ntlm-relay-with-event-correlation
>
detecting-oauth-token-theft
>
detecting-pass-the-hash-attacks
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.
detecting-pass-the-ticket-attacks
Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM
detecting-port-scanning-with-fail2ban
>
detecting-privilege-escalation-attempts
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.
detecting-privilege-escalation-in-kubernetes-pods
Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.
detecting-process-hollowing-technique
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.
detecting-process-injection-techniques
>
Page 10 of 41 · 2048 results