detecting-email-forwarding-rules-attack
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.
detecting-evasion-techniques-in-endpoint-logs
>
detecting-exfiltration-over-dns-with-zeek
Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns
detecting-fileless-attacks-on-endpoints
>
detecting-fileless-malware-techniques
>
detecting-golden-ticket-attacks-in-kerberos-logs
Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.
detecting-golden-ticket-forgery
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
detecting-insider-data-exfiltration-via-dlp
>
detecting-insider-threat-behaviors
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft.
detecting-insider-threat-with-ueba
Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns.
detecting-lateral-movement-with-splunk
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.
detecting-lateral-movement-with-zeek
>
detecting-living-off-the-land-attacks
>
detecting-living-off-the-land-with-lolbas
Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis
detecting-malicious-scheduled-tasks-with-sysmon
>
detecting-mimikatz-execution-patterns
Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.
detecting-misconfigured-azure-storage
>
detecting-mobile-malware-behavior
>
detecting-modbus-command-injection-attacks
>
detecting-modbus-protocol-anomalies
>
detecting-network-anomalies-with-zeek
>
detecting-network-scanning-with-ids-signatures
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity.
detecting-ntlm-relay-with-event-correlation
>
detecting-oauth-token-theft
>
detecting-pass-the-hash-attacks
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.
detecting-pass-the-ticket-attacks
Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM
detecting-port-scanning-with-fail2ban
>
detecting-privilege-escalation-attempts
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.
detecting-privilege-escalation-in-kubernetes-pods
Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.
detecting-process-hollowing-technique
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.
detecting-process-injection-techniques
>
detecting-qr-code-phishing-with-email-security
Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails.
detecting-rdp-brute-force-attacks
Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis.
detecting-rootkit-activity
>
detecting-s3-data-exfiltration-attempts
>
detecting-serverless-function-injection
>
detecting-service-account-abuse
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.
detecting-shadow-api-endpoints
Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, code scanning, and API discovery platforms.
detecting-shadow-it-cloud-usage
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.
detecting-spearphishing-with-email-gateway
Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint,
detecting-sql-injection-via-waf-logs
>-
detecting-stuxnet-style-attacks
>
detecting-supply-chain-attacks-in-ci-cd
>
detecting-suspicious-oauth-application-consent
Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks.
detecting-suspicious-powershell-execution
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
detecting-t1055-process-injection-with-sysmon
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
detecting-t1548-abuse-elevation-control-mechanism
Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
detecting-typosquatting-packages-in-npm-pypi
>
detecting-wmi-persistence
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
Page 309 of 1445 · 72246 results