{ "name": "AlphaSOC Detection Coverage", "versions": { "attack": "19.1", "navigator": "5.1.0", "layer": "4.5" }, "domain": "enterprise-attack", "description": "AlphaSOC MITRE ATT\u0026CK coverage map. Coverage: 76/141 applicable techniques (54%)", "filters": {}, "sorting": 3, "layout": { "layout": "side", "aggregateFunction": "average", "showID": false, "showName": true, "showAggregateScores": false, "countUnscored": false }, "hideDisabled": false, "techniques": [ { "techniqueID": "T1589", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1590", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1591", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1592", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1593", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1594", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1595", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1596", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1597", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1598", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1681", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1682", "tactic": "reconnaissance", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1583", "tactic": "resource-development", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_ip_transfer_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ip_transfer_unknown" }, { "label": "aws_route53_domain_registered", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_registered" }, { "label": "aws_route53_domain_registered_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_registered_volume" }, { "label": "aws_route53_domain_transfer", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_transfer" }, { "label": "aws_route53_domain_transfer_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_transfer_unknown" }, { "label": "azure_container_service_provider_registration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_container_service_provider_registration" } ], "showSubtechniques": true }, { "techniqueID": "T1584", "tactic": "resource-development", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_route53_public_zone_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_public_zone_created" }, { "label": "aws_route53_public_zone_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_public_zone_created_anomaly" } ], "showSubtechniques": true }, { "techniqueID": "T1585", "tactic": "resource-development", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1586", "tactic": "resource-development", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_compromised_key_quarantine", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine" }, { "label": "aws_compromised_key_quarantine_self", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self" } ], "showSubtechniques": true }, { "techniqueID": "T1587", "tactic": "resource-development", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1588", "tactic": "resource-development", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1608", "tactic": "resource-development", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_rebinding", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rebinding" } ], "showSubtechniques": false }, { "techniqueID": "T1650", "tactic": "resource-development", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1683", "tactic": "resource-development", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "initial-access", "color": "#1a6b1a", "comment": "75 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "1password_login", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login" }, { "label": "1password_login_anomalous_device", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login_anomalous_device" }, { "label": "1password_login_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login_impossible_travel" }, { "label": "1password_login_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login_suspicious" }, { "label": "1password_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_malicious_caller" }, { "label": "atlassian_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_malicious_caller" }, { "label": "audit_unseen_asn", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/audit_unseen_asn" }, { "label": "audit_unseen_asn_unique", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/audit_unseen_asn_unique" }, { "label": "audit_unseen_country", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/audit_unseen_country" }, { "label": "audit_unseen_country_unique", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/audit_unseen_country_unique" }, { "label": "aws_assume_role_external_principal", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_external_principal" }, { "label": "aws_assume_role_new", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_new" }, { "label": "aws_assume_role_new_external", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_new_external" }, { "label": "aws_assume_role_user_agent", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_user_agent" }, { "label": "aws_compromised_key_quarantine", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine" }, { "label": "aws_compromised_key_quarantine_self", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self" }, { "label": "aws_console_login_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure" }, { "label": "aws_console_login_failure_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_ip" }, { "label": "aws_console_login_failure_user", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_user" }, { "label": "aws_console_login_failure_users", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_users" }, { "label": "aws_iam_access_key_wakeup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_access_key_wakeup" }, { "label": "aws_iam_policy_role_external_principal", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_external_principal" }, { "label": "aws_iam_policy_role_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_public" }, { "label": "aws_iam_role_wakeup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_role_wakeup" }, { "label": "aws_iam_role_wakeup_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_role_wakeup_suspicious" }, { "label": "aws_iam_trust_policy_oidc_misconfigured", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_trust_policy_oidc_misconfigured" }, { "label": "aws_iam_user_profile_no_reset", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_profile_no_reset" }, { "label": "aws_iam_user_wakeup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_wakeup" }, { "label": "aws_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_malicious_caller" }, { "label": "aws_malicious_caller_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_malicious_caller_anomaly" }, { "label": "aws_malicious_caller_likely", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_malicious_caller_likely" }, { "label": "aws_policy_accidental_allow", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_policy_accidental_allow" }, { "label": "aws_policy_accidental_broad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_policy_accidental_broad" }, { "label": "aws_policy_accidental_write", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_policy_accidental_write" }, { "label": "aws_policy_template", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_policy_template" }, { "label": "aws_root_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access" }, { "label": "aws_root_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_anomaly" }, { "label": "aws_root_access_key", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_key" }, { "label": "aws_root_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_suspicious" }, { "label": "aws_root_access_unusual", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_unusual" }, { "label": "aws_root_password_recovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_password_recovery" }, { "label": "aws_root_password_recovery_unknown_asn", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_password_recovery_unknown_asn" }, { "label": "aws_root_password_recovery_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_password_recovery_volume" }, { "label": "azure_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_malicious_caller" }, { "label": "entra_signin_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_anomaly" }, { "label": "entra_signin_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_impossible_travel" }, { "label": "entra_signin_new_country", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_new_country" }, { "label": "entra_signin_success", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_success" }, { "label": "entra_signin_success_no_mfa", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_success_no_mfa" }, { "label": "entra_signin_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_suspicious" }, { "label": "github_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_malicious_caller" }, { "label": "google_workspace_account_hijacked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_account_hijacked" }, { "label": "google_workspace_password_leaked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_password_leaked" }, { "label": "google_workspace_suspicious_login", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_suspicious_login" }, { "label": "jira_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/jira_malicious_caller" }, { "label": "k8s_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_malicious_caller" }, { "label": "k8s_malicious_caller_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_malicious_caller_anomaly" }, { "label": "k8s_malicious_caller_likely", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_malicious_caller_likely" }, { "label": "linux_sshd_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/linux_sshd_malicious_caller" }, { "label": "okta_mfa_failed_number_challenge", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_failed_number_challenge" }, { "label": "okta_mfa_push_bruteforce", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_push_bruteforce" }, { "label": "okta_multiple_login_failed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_login_failed" }, { "label": "okta_multiple_mfa_push_rejected", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_mfa_push_rejected" }, { "label": "okta_multiple_users_login_failed_from_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_users_login_failed_from_ip" }, { "label": "okta_user_session_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_anomaly" }, { "label": "okta_user_session_created_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_impossible_travel" }, { "label": "okta_user_session_created_new_country", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_new_country" }, { "label": "okta_user_session_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_suspicious" }, { "label": "slack_credential_testing_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_credential_testing_anomaly" }, { "label": "slack_device_compromised", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_device_compromised" }, { "label": "slack_ip_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_ip_anomaly" }, { "label": "slack_login_email_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_login_email_anomaly" }, { "label": "slack_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_malicious_caller" }, { "label": "slack_unexpected_client_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_unexpected_client_anomaly" }, { "label": "slack_user_agent_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_user_agent_anomaly" } ], "showSubtechniques": true }, { "techniqueID": "T1091", "tactic": "initial-access", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "initial-access", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "k8s_anonymous_access_granted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_anonymous_access_granted" }, { "label": "k8s_anonymous_access_granted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_anonymous_access_granted_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1189", "tactic": "initial-access", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "bad_tld", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/bad_tld" }, { "label": "dns_misconfiguration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/dns_misconfiguration" }, { "label": "malicious_js", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malicious_js" }, { "label": "malware_distribution", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malware_distribution" }, { "label": "popup_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/popup_traffic" }, { "label": "unwanted_program", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unwanted_program" } ], "showSubtechniques": false }, { "techniqueID": "T1190", "tactic": "initial-access", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_eks_endpoint_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_endpoint_public" }, { "label": "aws_redshift_cluster_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_redshift_cluster_public" }, { "label": "aws_s3_unauthenticated", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_unauthenticated" }, { "label": "aws_sagemaker_domain_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sagemaker_domain_public" }, { "label": "k8s_anonymous_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_anonymous_access" }, { "label": "k8s_anonymous_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_anonymous_access_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1195", "tactic": "initial-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1199", "tactic": "initial-access", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "okta_idp_login", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_idp_login" }, { "label": "okta_impersonation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_impersonation" } ], "showSubtechniques": false }, { "techniqueID": "T1200", "tactic": "initial-access", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "color": "#1a6b1a", "comment": "13 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "adversary_simulation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/adversary_simulation" }, { "label": "imposter", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/imposter" }, { "label": "imposter_registered_domain", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/imposter_registered_domain" }, { "label": "imposter_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/imposter_suspicious" }, { "label": "imposter_suspicious_young", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/imposter_suspicious_young" }, { "label": "imposter_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/imposter_volume" }, { "label": "imposter_young", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/imposter_young" }, { "label": "okta_fastpass_phishing", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_fastpass_phishing" }, { "label": "slack_suspicious_file", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_suspicious_file" }, { "label": "spearphishing_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/spearphishing_traffic" }, { "label": "survey", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/survey" }, { "label": "survey_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/survey_suspicious" }, { "label": "unique_young_domain_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unique_young_domain_volume" } ], "showSubtechniques": true }, { "techniqueID": "T1659", "tactic": "initial-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1669", "tactic": "initial-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1047", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "color": "#1a6b1a", "comment": "10 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_bedrock_suspicious_api", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_suspicious_api" }, { "label": "aws_ssm_association_all_instances", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_association_all_instances" }, { "label": "aws_ssm_send_command_multiple_instances", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_send_command_multiple_instances" }, { "label": "aws_ssm_send_command_multiple_instances_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_send_command_multiple_instances_anomaly" }, { "label": "aws_ssm_send_command_multiple_instances_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_send_command_multiple_instances_suspicious" }, { "label": "azure_container_command_run", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_container_command_run" }, { "label": "azure_notebook_proxy_modification_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_notebook_proxy_modification_anomaly" }, { "label": "azure_notebook_proxy_modification_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_notebook_proxy_modification_suspicious" }, { "label": "k8s_pod_exec", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_pod_exec" }, { "label": "malicious_js", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malicious_js" } ], "showSubtechniques": true }, { "techniqueID": "T1072", "tactic": "execution", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1106", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1127", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1129", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1203", "tactic": "execution", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_ecr_image_uploaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_image_uploaded" }, { "label": "aws_ssm_command_output_external_bucket", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_command_output_external_bucket" }, { "label": "malicious_js", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malicious_js" }, { "label": "malware_distribution", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malware_distribution" } ], "showSubtechniques": true }, { "techniqueID": "T1559", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1609", "tactic": "execution", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1610", "tactic": "execution", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "gcp_cloud_run_service_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_run_service_created" }, { "label": "gcp_cloud_run_service_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_run_service_created_anomaly" }, { "label": "gcp_cloud_run_service_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_run_service_created_suspicious" }, { "label": "gcp_cloud_run_service_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_run_service_modified" }, { "label": "gcp_cloud_run_service_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_run_service_modified_anomaly" }, { "label": "gcp_cloud_run_service_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_run_service_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1648", "tactic": "execution", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1651", "tactic": "execution", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_ssm_send_command", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_send_command" }, { "label": "aws_ssm_send_command_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_send_command_anomaly" }, { "label": "aws_ssm_send_command_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_send_command_suspicious" }, { "label": "azure_aks_run_command_execution", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_run_command_execution" }, { "label": "azure_automation_account_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_account_created" }, { "label": "azure_vm_command_run", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_vm_command_run" } ], "showSubtechniques": false }, { "techniqueID": "T1674", "tactic": "execution", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1675", "tactic": "execution", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1677", "tactic": "execution", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "persistence", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "persistence", "color": "#1a6b1a", "comment": "13 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_console_login_ec2", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_ec2" }, { "label": "aws_sns_topic_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sns_topic_public" }, { "label": "aws_sqs_queue_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sqs_queue_public" }, { "label": "github_anomalous_bot_activity", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_anomalous_bot_activity" }, { "label": "okta_identity_provider_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_identity_provider_created" }, { "label": "okta_identity_provider_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_identity_provider_created_anomaly" }, { "label": "okta_identity_provider_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_identity_provider_created_suspicious" }, { "label": "okta_user_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_created" }, { "label": "okta_user_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_created_anomaly" }, { "label": "okta_user_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_created_suspicious" }, { "label": "okta_user_profile_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_profile_modified" }, { "label": "okta_user_profile_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_profile_modified_anomaly" }, { "label": "okta_user_profile_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_profile_modified_suspicious" } ], "showSubtechniques": true }, { "techniqueID": "T1098", "tactic": "persistence", "color": "#1a6b1a", "comment": "102 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "1password_login", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login" }, { "label": "1password_login_anomalous_device", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login_anomalous_device" }, { "label": "1password_login_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login_impossible_travel" }, { "label": "1password_login_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_login_suspicious" }, { "label": "1password_service_account_token", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_service_account_token" }, { "label": "atlassian_admin_api_token_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_admin_api_token_created" }, { "label": "aws_access_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created" }, { "label": "aws_access_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created_anomaly" }, { "label": "aws_access_key_created_by_root", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created_by_root" }, { "label": "aws_access_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created_suspicious" }, { "label": "aws_account_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_account_created" }, { "label": "aws_account_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_account_created_anomaly" }, { "label": "aws_apigateway_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_apigateway_key_created" }, { "label": "aws_apigateway_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_apigateway_key_created_anomaly" }, { "label": "aws_apigateway_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_apigateway_key_created_suspicious" }, { "label": "aws_ecs_create_cluster", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecs_create_cluster" }, { "label": "aws_ecs_create_cluster_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecs_create_cluster_anomaly" }, { "label": "aws_ecs_create_cluster_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecs_create_cluster_suspicious" }, { "label": "aws_eks_admin_access_entry", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_admin_access_entry" }, { "label": "aws_eks_admin_access_entry_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_admin_access_entry_anomaly" }, { "label": "aws_eks_multicluster_privilege_escalation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_multicluster_privilege_escalation" }, { "label": "aws_eks_principal_granted_multiple_clusters", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_principal_granted_multiple_clusters" }, { "label": "aws_elb_security_groups_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_elb_security_groups_modified" }, { "label": "aws_elb_security_groups_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_elb_security_groups_modified_anomaly" }, { "label": "aws_elb_security_groups_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_elb_security_groups_modified_suspicious" }, { "label": "aws_iam_trust_policy_oidc_misconfigured", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_trust_policy_oidc_misconfigured" }, { "label": "aws_iam_user_created_with_key", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_created_with_key" }, { "label": "aws_login_profile_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created" }, { "label": "aws_login_profile_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created_anomaly" }, { "label": "aws_login_profile_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_modified" }, { "label": "aws_login_profile_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_modified_anomaly" }, { "label": "aws_password_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_password_changed" }, { "label": "aws_password_changed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_password_changed_anomaly" }, { "label": "aws_password_changed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_password_changed_suspicious" }, { "label": "aws_persistence", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_persistence" }, { "label": "aws_persistence_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_persistence_anomaly" }, { "label": "aws_persistence_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_persistence_suspicious" }, { "label": "aws_rolesanywhere_profile_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rolesanywhere_profile_created" }, { "label": "aws_rolesanywhere_trust_external_ca", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rolesanywhere_trust_external_ca" }, { "label": "aws_root_access_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_key_created" }, { "label": "aws_route53_associated_vpc", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_associated_vpc" }, { "label": "aws_s3_bucket_policy_external_account", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_policy_external_account" }, { "label": "aws_sso_access_token_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sso_access_token_created" }, { "label": "aws_sso_access_token_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sso_access_token_created_anomaly" }, { "label": "aws_sso_access_token_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sso_access_token_created_suspicious" }, { "label": "aws_sts_consoler", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_consoler" }, { "label": "azure_automation_runbook_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_runbook_created" }, { "label": "azure_automation_webhook_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_webhook_created" }, { "label": "azure_key_vault_access_policy_modification_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_key_vault_access_policy_modification_anomaly" }, { "label": "azure_key_vault_access_policy_modification_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_key_vault_access_policy_modification_suspicious" }, { "label": "azure_storage_account_role_assigned_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_anomaly" }, { "label": "azure_storage_account_role_assigned_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_suspicious" }, { "label": "entra_role_assignment", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_role_assignment" }, { "label": "entra_role_assignment_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_role_assignment_anomaly" }, { "label": "entra_role_assignment_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_role_assignment_suspicious" }, { "label": "gcp_api_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_api_key_created" }, { "label": "gcp_api_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_api_key_created_anomaly" }, { "label": "gcp_api_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_api_key_created_suspicious" }, { "label": "gcp_compute_engine_iam_policy_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_iam_policy_modified" }, { "label": "gcp_compute_engine_iam_policy_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_iam_policy_modified_anomaly" }, { "label": "gcp_compute_engine_iam_policy_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_iam_policy_modified_suspicious" }, { "label": "gcp_gcs_bucket_iam_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_iam_modified" }, { "label": "gcp_gcs_bucket_iam_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_iam_modified_anomaly" }, { "label": "gcp_gcs_bucket_iam_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_iam_modified_suspicious" }, { "label": "gcp_iam_custom_role_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_custom_role_created" }, { "label": "gcp_iam_custom_role_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_custom_role_created_anomaly" }, { "label": "gcp_iam_custom_role_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_custom_role_created_suspicious" }, { "label": "gcp_iam_service_account_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created" }, { "label": "gcp_iam_service_account_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created_anomaly" }, { "label": "gcp_iam_service_account_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created_suspicious" }, { "label": "gcp_instance_ssh_key_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified" }, { "label": "gcp_instance_ssh_key_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified_anomaly" }, { "label": "gcp_instance_ssh_key_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified_suspicious" }, { "label": "gcp_kms_key_iam_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_iam_modified" }, { "label": "gcp_kms_key_iam_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_iam_modified_anomaly" }, { "label": "gcp_kms_key_iam_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_iam_modified_suspicious" }, { "label": "gcp_project_ssh_key_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified" }, { "label": "gcp_project_ssh_key_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified_anomaly" }, { "label": "gcp_project_ssh_key_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified_suspicious" }, { "label": "gcp_workload_identity_pool_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified" }, { "label": "gcp_workload_identity_pool_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified_anomaly" }, { "label": "gcp_workload_identity_pool_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified_suspicious" }, { "label": "github_enterprise_owner_added", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_enterprise_owner_added" }, { "label": "github_organization_member_updated", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_member_updated" }, { "label": "github_organization_moderators_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_moderators_changed" }, { "label": "github_repository_deploy_key_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_deploy_key_changed" }, { "label": "github_ssh_key_added_by_suspicious_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_ssh_key_added_by_suspicious_ip" }, { "label": "github_team_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_team_changed" }, { "label": "github_user_added_to_org", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_user_added_to_org" }, { "label": "github_user_added_to_repository", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_user_added_to_repository" }, { "label": "github_user_unblocked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_user_unblocked" }, { "label": "google_workspace_mobile_app_whitelisted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_mobile_app_whitelisted" }, { "label": "google_workspace_password_reuse_enabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_password_reuse_enabled" }, { "label": "google_workspace_strong_password_enforcement_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_strong_password_enforcement_disabled" }, { "label": "okta_admin_role_assigned", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_admin_role_assigned" }, { "label": "okta_api_token_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_api_token_created" }, { "label": "okta_idp_login", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_idp_login" }, { "label": "okta_mfa_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_modified" }, { "label": "okta_mfa_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_modified_anomaly" }, { "label": "okta_mfa_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_modified_suspicious" }, { "label": "okta_privilege_granted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_privilege_granted" }, { "label": "okta_suspicious_activity_reported", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_suspicious_activity_reported" } ], "showSubtechniques": true }, { "techniqueID": "T1112", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1133", "tactic": "persistence", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_ec2_open_port", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_open_port" }, { "label": "aws_ec2_wide_ports_open", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_wide_ports_open" }, { "label": "gcp_compute_engine_external_ip_assigned", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_external_ip_assigned" }, { "label": "gcp_compute_engine_external_ip_assigned_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_external_ip_assigned_anomaly" }, { "label": "gcp_compute_engine_external_ip_assigned_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_external_ip_assigned_suspicious" }, { "label": "remote_access_software", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/remote_access_software" } ], "showSubtechniques": false }, { "techniqueID": "T1136", "tactic": "persistence", "color": "#1a6b1a", "comment": "14 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_iam_entity_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_entity_created" }, { "label": "aws_iam_user_created_with_admin_policy", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_created_with_admin_policy" }, { "label": "aws_iam_user_generic_name", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_generic_name" }, { "label": "aws_iam_user_generic_name_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_generic_name_anomaly" }, { "label": "aws_iam_user_generic_name_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_generic_name_suspicious" }, { "label": "aws_login_profile_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created" }, { "label": "aws_login_profile_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created_anomaly" }, { "label": "aws_organization_invite_sent", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_organization_invite_sent" }, { "label": "gcp_service_account_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_created" }, { "label": "gcp_service_account_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_created_anomaly" }, { "label": "gcp_service_account_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_created_suspicious" }, { "label": "k8s_service_account_created_in_public_namespace", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_service_account_created_in_public_namespace" }, { "label": "k8s_service_account_created_in_service_namespace", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_service_account_created_in_service_namespace" }, { "label": "slack_organization_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_organization_created" } ], "showSubtechniques": true }, { "techniqueID": "T1137", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1176", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "persistence", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1505", "tactic": "persistence", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "slack_admin_app_added", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_admin_app_added" }, { "label": "slack_app_added", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_app_added" } ], "showSubtechniques": false }, { "techniqueID": "T1525", "tactic": "persistence", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "gcp_image_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_image_created" }, { "label": "gcp_image_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_image_created_anomaly" }, { "label": "gcp_image_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_image_created_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "persistence", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "k8s_resource_created_in_public_namespace", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_resource_created_in_public_namespace" }, { "label": "k8s_resource_created_in_service_namespace", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_resource_created_in_service_namespace" } ], "showSubtechniques": true }, { "techniqueID": "T1546", "tactic": "persistence", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_lambda_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_lambda_public" }, { "label": "k8_admission_controller_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8_admission_controller_created" } ], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1554", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "persistence", "color": "#1a6b1a", "comment": "21 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_iam_update_trust_policy_failed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_update_trust_policy_failed" }, { "label": "aws_iam_update_trust_policy_failed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_update_trust_policy_failed_anomaly" }, { "label": "aws_iam_update_trust_policy_failed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_update_trust_policy_failed_suspicious" }, { "label": "aws_lambda_layer_version_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_lambda_layer_version_public" }, { "label": "aws_mfa_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_disabled" }, { "label": "aws_mfa_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_disabled_anomaly" }, { "label": "aws_mfa_registered", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_registered" }, { "label": "aws_mfa_registered_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_registered_anomaly" }, { "label": "aws_s3_bucket_mfa_delete_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_mfa_delete_disabled" }, { "label": "aws_sagemaker_presigned_url", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sagemaker_presigned_url" }, { "label": "aws_sagemaker_presigned_url_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sagemaker_presigned_url_anomaly" }, { "label": "aws_sagemaker_presigned_url_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sagemaker_presigned_url_suspicious" }, { "label": "aws_ssm_document_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_document_public" }, { "label": "github_mfa_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_mfa_disabled" }, { "label": "github_recovery_codes_accessed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_recovery_codes_accessed" }, { "label": "github_ssh_certificate_authority_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_ssh_certificate_authority_created" }, { "label": "github_webhook_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_webhook_modified" }, { "label": "okta_weak_mfa_fallback", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_weak_mfa_fallback" }, { "label": "slack_idp_config_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_idp_config_modified" }, { "label": "slack_mfa_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_mfa_disabled" }, { "label": "slack_sso_settings_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_sso_settings_modified" } ], "showSubtechniques": true }, { "techniqueID": "T1653", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1668", "tactic": "persistence", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1671", "tactic": "persistence", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1037", "tactic": "privilege-escalation", "color": "#2d9b2d", "comment": "5 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_ec2_startup_script_modify", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_startup_script_modify" }, { "label": "aws_ec2_startup_script_modify_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_startup_script_modify_volume" }, { "label": "gcp_compute_engine_startup_script_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_startup_script_modified" }, { "label": "gcp_compute_engine_startup_script_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_startup_script_modified_anomaly" }, { "label": "gcp_compute_engine_startup_script_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_startup_script_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1068", "tactic": "privilege-escalation", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#1a6b1a", "comment": "30 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_assume_root", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root" }, { "label": "aws_assume_root_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root_anomaly" }, { "label": "aws_console_login", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login" }, { "label": "aws_console_login_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_anomaly" }, { "label": "aws_console_login_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_impossible_travel" }, { "label": "aws_console_login_new_country", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_new_country" }, { "label": "aws_console_login_no_mfa", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_no_mfa" }, { "label": "aws_console_login_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_suspicious" }, { "label": "aws_privilege_escalation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation" }, { "label": "aws_privilege_escalation_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_anomaly" }, { "label": "aws_privilege_escalation_cloudformation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_cloudformation" }, { "label": "aws_privilege_escalation_datapipeline", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_datapipeline" }, { "label": "aws_privilege_escalation_dynamodb", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_dynamodb" }, { "label": "aws_privilege_escalation_ec2", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ec2" }, { "label": "aws_privilege_escalation_glue", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_glue" }, { "label": "aws_privilege_escalation_iam", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_iam" }, { "label": "aws_privilege_escalation_kms", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_kms" }, { "label": "aws_privilege_escalation_lambda", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_lambda" }, { "label": "aws_privilege_escalation_s3", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_s3" }, { "label": "aws_privilege_escalation_ssm", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ssm" }, { "label": "aws_privilege_escalation_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_suspicious" }, { "label": "aws_rds_password_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_password_changed" }, { "label": "aws_rds_password_changed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_password_changed_anomaly" }, { "label": "confluence_admin_key_bypass", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/confluence_admin_key_bypass" }, { "label": "gcp_compute_engine_instance_service_account_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified" }, { "label": "gcp_compute_engine_instance_service_account_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified_anomaly" }, { "label": "gcp_compute_engine_instance_service_account_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified_suspicious" }, { "label": "okta_org2org_app_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_org2org_app_modified" }, { "label": "slack_admin_action_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_admin_action_anomaly" }, { "label": "slack_service_owner_transferred", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_service_owner_transferred" } ], "showSubtechniques": true }, { "techniqueID": "T1098", "tactic": "privilege-escalation", "color": "#1a6b1a", "comment": "44 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "atlassian_added_organization_admin", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_added_organization_admin" }, { "label": "atlassian_user_added_to_admin_group", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_user_added_to_admin_group" }, { "label": "atlassian_user_impersonated", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_user_impersonated" }, { "label": "atlassian_user_invited_as_admin", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_user_invited_as_admin" }, { "label": "aws_ec2_iam_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_iam_access" }, { "label": "aws_ec2_iam_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_iam_access_anomaly" }, { "label": "aws_iam_group_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_group_deleted" }, { "label": "aws_iam_group_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_group_deleted_anomaly" }, { "label": "aws_iam_policy_any_resource", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_any_resource" }, { "label": "aws_iam_policy_any_resource_suspicious_statement", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_any_resource_suspicious_statement" }, { "label": "aws_iam_policy_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_modified" }, { "label": "aws_iam_policy_modified_permissive", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_modified_permissive" }, { "label": "aws_iam_policy_role_external_principal", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_external_principal" }, { "label": "aws_iam_policy_role_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_public" }, { "label": "aws_kms_key_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_kms_key_public" }, { "label": "aws_login_profile_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created" }, { "label": "aws_login_profile_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created_anomaly" }, { "label": "aws_login_profile_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_modified" }, { "label": "aws_login_profile_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_modified_anomaly" }, { "label": "aws_mass_mailer_script_setup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mass_mailer_script_setup" }, { "label": "aws_privilege_escalation_ec2", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ec2" }, { "label": "aws_ram_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ram_modified" }, { "label": "aws_ram_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ram_modified_anomaly" }, { "label": "aws_ram_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ram_modified_suspicious" }, { "label": "aws_rds_attach_role", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_attach_role" }, { "label": "aws_rds_attach_role_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_attach_role_anomaly" }, { "label": "aws_route53_transfer_lock_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_transfer_lock_disabled" }, { "label": "aws_ses_production_access_granted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_production_access_granted" }, { "label": "aws_set_default_policy_version", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_set_default_policy_version" }, { "label": "aws_set_default_policy_version_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_set_default_policy_version_anomaly" }, { "label": "aws_sts_get_federation_token_any_action", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_get_federation_token_any_action" }, { "label": "aws_sts_get_federation_token_any_resource", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_get_federation_token_any_resource" }, { "label": "azure_storage_account_role_assigned_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_anomaly" }, { "label": "azure_storage_account_role_assigned_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_suspicious" }, { "label": "gcp_iam_role_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_modified" }, { "label": "gcp_iam_role_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_modified_anomaly" }, { "label": "gcp_iam_role_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_modified_suspicious" }, { "label": "github_repository_ruleset_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_ruleset_modified" }, { "label": "jira_user_added_to_admin_group", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/jira_user_added_to_admin_group" }, { "label": "k8s_user_attached_to_pod", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_user_attached_to_pod" }, { "label": "slack_admin_app_access_expanded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_admin_app_access_expanded" }, { "label": "slack_app_access_expanded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_app_access_expanded" }, { "label": "slack_privilege_escalation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_privilege_escalation" }, { "label": "slack_user_role_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_user_role_changed" } ], "showSubtechniques": true }, { "techniqueID": "T1134", "tactic": "privilege-escalation", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "privilege-escalation", "color": "#1a6b1a", "comment": "18 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_delete_permission_boundary", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_delete_permission_boundary" }, { "label": "aws_identity_added_to_admin_group", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_identity_added_to_admin_group" }, { "label": "aws_privilege_escalation_cloudformation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_cloudformation" }, { "label": "aws_privilege_escalation_datapipeline", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_datapipeline" }, { "label": "aws_privilege_escalation_dynamodb", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_dynamodb" }, { "label": "aws_privilege_escalation_glue", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_glue" }, { "label": "aws_privilege_escalation_iam", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_iam" }, { "label": "aws_privilege_escalation_kms", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_kms" }, { "label": "aws_privilege_escalation_lambda", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_lambda" }, { "label": "aws_privilege_escalation_s3", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_s3" }, { "label": "aws_privilege_escalation_ssm", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ssm" }, { "label": "aws_s3_modify_acl", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_modify_acl" }, { "label": "aws_s3_modify_acl_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_modify_acl_anomaly" }, { "label": "aws_s3_modify_acl_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_modify_acl_suspicious" }, { "label": "gcp_gcs_bucket_permissions_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_permissions_modified" }, { "label": "gcp_gcs_bucket_permissions_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_permissions_modified_anomaly" }, { "label": "gcp_gcs_bucket_permissions_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_permissions_modified_suspicious" }, { "label": "github_app_restrictions_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_app_restrictions_disabled" } ], "showSubtechniques": false }, { "techniqueID": "T1543", "tactic": "privilege-escalation", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "k8s_privileged_pod_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_privileged_pod_created" } ], "showSubtechniques": true }, { "techniqueID": "T1546", "tactic": "privilege-escalation", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1547", "tactic": "privilege-escalation", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1548", "tactic": "privilege-escalation", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1611", "tactic": "privilege-escalation", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "k8s_hostnetwork_pod_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_hostnetwork_pod_created" } ], "showSubtechniques": false }, { "techniqueID": "T1006", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1014", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1036", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1070", "tactic": "stealth", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "azure_automation_account_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_account_deleted_anomaly" }, { "label": "azure_automation_account_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_account_deleted_suspicious" }, { "label": "azure_automation_runbook_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_runbook_deleted_anomaly" }, { "label": "azure_automation_runbook_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_runbook_deleted_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1078", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1127", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1134", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1140", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1197", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1202", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1211", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1216", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1220", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1221", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1480", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1535", "tactic": "stealth", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_region_toggled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_region_toggled" } ], "showSubtechniques": false }, { "techniqueID": "T1542", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1564", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1574", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1612", "tactic": "stealth", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1620", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1678", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1679", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1684", "tactic": "stealth", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1112", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1207", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1222", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1484", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1553", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1556", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1578", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1599", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1600", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1601", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1647", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1666", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1685", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1686", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1687", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1688", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1689", "tactic": "defense-impairment", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1690", "tactic": "defense-impairment", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "credential-access", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "azure_network_packet_capture_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_network_packet_capture_created" }, { "label": "cleartext_protocol", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/cleartext_protocol" } ], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "credential-access", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1110", "tactic": "credential-access", "color": "#1a6b1a", "comment": "17 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "1password_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_brute_force" }, { "label": "aws_assume_root_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root_failure" }, { "label": "aws_assume_root_failure_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root_failure_anomaly" }, { "label": "aws_console_login_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure" }, { "label": "aws_console_login_failure_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_ip" }, { "label": "aws_console_login_failure_user", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_user" }, { "label": "aws_console_login_failure_users", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_users" }, { "label": "aws_iam_password_change_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_password_change_failure" }, { "label": "entra_signin_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_brute_force" }, { "label": "okta_mfa_push_bruteforce", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_push_bruteforce" }, { "label": "okta_multiple_login_failed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_login_failed" }, { "label": "okta_multiple_mfa_push_rejected", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_mfa_push_rejected" }, { "label": "okta_multiple_users_login_failed_from_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_users_login_failed_from_ip" }, { "label": "rdp_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rdp_brute_force" }, { "label": "slack_login_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_login_brute_force" }, { "label": "ssh_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_brute_force" }, { "label": "winrm_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/winrm_brute_force" } ], "showSubtechniques": false }, { "techniqueID": "T1111", "tactic": "credential-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1187", "tactic": "credential-access", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "capture", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/capture" } ], "showSubtechniques": false }, { "techniqueID": "T1212", "tactic": "credential-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1528", "tactic": "credential-access", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "github_oauth_token_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_oauth_token_anomaly" }, { "label": "okta_app_token_reuse", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_app_token_reuse" }, { "label": "slack_session_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_session_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1539", "tactic": "credential-access", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "okta_suspicious_session_cookie", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_suspicious_session_cookie" } ], "showSubtechniques": false }, { "techniqueID": "T1552", "tactic": "credential-access", "color": "#1a6b1a", "comment": "16 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_compromised_key_quarantine", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine" }, { "label": "aws_compromised_key_quarantine_self", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self" }, { "label": "azure_aks_credential_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_credential_access_anomaly" }, { "label": "azure_aks_credential_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_credential_access_suspicious" }, { "label": "azure_aks_credential_enumeration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_credential_enumeration" }, { "label": "azure_cosmosdb_connection_strings_viewed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_cosmosdb_connection_strings_viewed_anomaly" }, { "label": "azure_cosmosdb_connection_strings_viewed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_cosmosdb_connection_strings_viewed_suspicious" }, { "label": "azure_cosmosdb_keys_viewed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_cosmosdb_keys_viewed_anomaly" }, { "label": "azure_cosmosdb_keys_viewed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_cosmosdb_keys_viewed_suspicious" }, { "label": "azure_storage_keys_accessed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_keys_accessed_anomaly" }, { "label": "azure_storage_keys_accessed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_keys_accessed_suspicious" }, { "label": "azure_storage_shared_key_access_enabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_shared_key_access_enabled" }, { "label": "github_secret_scanning_alert", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_secret_scanning_alert" }, { "label": "k8s_secret_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_secret_access" }, { "label": "k8s_secret_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_secret_access_anomaly" }, { "label": "k8s_secret_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_secret_access_suspicious" } ], "showSubtechniques": true }, { "techniqueID": "T1555", "tactic": "credential-access", "color": "#1a6b1a", "comment": "17 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "1password_modification", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_modification" }, { "label": "1password_unexpected_action", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_unexpected_action" }, { "label": "aws_ec2_admin_credential_enumeration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_enumeration" }, { "label": "aws_ec2_admin_credential_enumeration_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_enumeration_anomaly" }, { "label": "aws_ec2_admin_credential_fetch_attempt", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_fetch_attempt" }, { "label": "aws_ec2_admin_credential_fetch_attempt_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_admin_credential_fetch_attempt_anomaly" }, { "label": "aws_gateway_api_key_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_gateway_api_key_access" }, { "label": "aws_gateway_api_key_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_gateway_api_key_access_anomaly" }, { "label": "aws_gateway_api_key_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_gateway_api_key_access_suspicious" }, { "label": "aws_secretsmanager_cloudshell_read", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_secretsmanager_cloudshell_read" }, { "label": "aws_ssm_decrypt_parameter", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_decrypt_parameter" }, { "label": "aws_ssm_decrypt_parameter_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_decrypt_parameter_anomaly" }, { "label": "aws_unauthorized_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_unauthorized_access" }, { "label": "aws_unauthorized_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_unauthorized_access_anomaly" }, { "label": "aws_unauthorized_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_unauthorized_access_suspicious" }, { "label": "azure_key_vault_access_policy_modification_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_key_vault_access_policy_modification_anomaly" }, { "label": "azure_key_vault_access_policy_modification_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_key_vault_access_policy_modification_suspicious" } ], "showSubtechniques": true }, { "techniqueID": "T1556", "tactic": "credential-access", "color": "#1a6b1a", "comment": "10 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_saml_activity", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_saml_activity" }, { "label": "aws_saml_activity_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_saml_activity_anomaly" }, { "label": "aws_saml_activity_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_saml_activity_suspicious" }, { "label": "github_enterprise_recovery_codes", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_enterprise_recovery_codes" }, { "label": "github_organization_recovery_codes", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_recovery_codes" }, { "label": "github_recovery_codes_accessed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_recovery_codes_accessed" }, { "label": "okta_org2org_app_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_org2org_app_modified" }, { "label": "okta_password_extraction_via_scim", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_password_extraction_via_scim" }, { "label": "slack_idp_config_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_idp_config_modified" }, { "label": "slack_sso_settings_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_sso_settings_modified" } ], "showSubtechniques": true }, { "techniqueID": "T1557", "tactic": "credential-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1558", "tactic": "credential-access", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1606", "tactic": "credential-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1621", "tactic": "credential-access", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "okta_mfa_mismatch", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_mismatch" } ], "showSubtechniques": false }, { "techniqueID": "T1649", "tactic": "credential-access", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1007", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1010", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1012", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1016", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1033", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1040", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1046", "tactic": "discovery", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "outbound_port_scan", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/outbound_port_scan" }, { "label": "reverse_lookup_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/reverse_lookup_volume" } ], "showSubtechniques": false }, { "techniqueID": "T1049", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1057", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_iam_group_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_group_discovery" }, { "label": "k8s_permission_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_permission_discovery" }, { "label": "k8s_permission_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_permission_discovery_anomaly" }, { "label": "k8s_permission_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_permission_discovery_suspicious" } ], "showSubtechniques": true }, { "techniqueID": "T1082", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1083", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1087", "tactic": "discovery", "color": "#2d9b2d", "comment": "8 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_organization_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_organization_discovery" }, { "label": "aws_organization_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_organization_discovery_anomaly" }, { "label": "aws_organization_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_organization_discovery_suspicious" }, { "label": "aws_sts_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_discovery" }, { "label": "aws_sts_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_discovery_anomaly" }, { "label": "aws_sts_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_discovery_suspicious" }, { "label": "aws_sts_discovery_truffle_hog", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_discovery_truffle_hog" }, { "label": "slack_api_call_volume_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_api_call_volume_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1120", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1124", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1135", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1201", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1217", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1497", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1518", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1526", "tactic": "discovery", "color": "#1a6b1a", "comment": "16 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_config_monitoring_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_config_monitoring_modified" }, { "label": "aws_config_monitoring_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_config_monitoring_modified_anomaly" }, { "label": "aws_config_monitoring_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_config_monitoring_modified_suspicious" }, { "label": "aws_cost_explorer_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_cost_explorer_discovery" }, { "label": "aws_cost_explorer_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_cost_explorer_discovery_anomaly" }, { "label": "aws_cost_explorer_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_cost_explorer_discovery_suspicious" }, { "label": "aws_iam_policy_broad_pass_role", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_broad_pass_role" }, { "label": "aws_secretsmanager_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_secretsmanager_discovery" }, { "label": "aws_secretsmanager_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_secretsmanager_discovery_anomaly" }, { "label": "aws_secretsmanager_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_secretsmanager_discovery_suspicious" }, { "label": "aws_ses_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_discovery" }, { "label": "aws_ses_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_discovery_anomaly" }, { "label": "aws_ses_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_discovery_suspicious" }, { "label": "aws_tagging_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_tagging_discovery" }, { "label": "aws_tagging_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_tagging_discovery_anomaly" }, { "label": "aws_tagging_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_tagging_discovery_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1538", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1580", "tactic": "discovery", "color": "#1a6b1a", "comment": "31 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_access_denied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_denied" }, { "label": "aws_assume_role_access_denied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_access_denied" }, { "label": "aws_assume_root_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root_failure" }, { "label": "aws_assume_root_failure_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root_failure_anomaly" }, { "label": "aws_decoy_resource_accessed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_decoy_resource_accessed" }, { "label": "aws_describe_quota_multi_region", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_describe_quota_multi_region" }, { "label": "aws_describe_quota_multi_region_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_describe_quota_multi_region_anomaly" }, { "label": "aws_dry_run", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dry_run" }, { "label": "aws_dry_run_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dry_run_anomaly" }, { "label": "aws_ec2_describe_multi_region", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_describe_multi_region" }, { "label": "aws_ec2_describe_multi_region_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_describe_multi_region_anomaly" }, { "label": "aws_ec2_list_s3_buckets", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_list_s3_buckets" }, { "label": "aws_ec2_multiple_actions", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_multiple_actions" }, { "label": "aws_ec2_startup_script_enumeration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_startup_script_enumeration" }, { "label": "aws_reconnaissance", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_reconnaissance" }, { "label": "aws_reconnaissance_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_reconnaissance_anomaly" }, { "label": "aws_reconnaissance_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_reconnaissance_suspicious" }, { "label": "aws_resource_explorer_enumeration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_resource_explorer_enumeration" }, { "label": "aws_resource_explorer_enumeration_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_resource_explorer_enumeration_anomaly" }, { "label": "aws_resource_explorer_enumeration_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_resource_explorer_enumeration_suspicious" }, { "label": "aws_s3_access_denied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_access_denied" }, { "label": "aws_s3_buckets_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_buckets_discovery" }, { "label": "aws_s3_buckets_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_buckets_discovery_suspicious" }, { "label": "aws_s3_reconnaissance", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_reconnaissance" }, { "label": "aws_s3_reconnaissance_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_reconnaissance_anomaly" }, { "label": "aws_s3_reconnaissance_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_reconnaissance_suspicious" }, { "label": "aws_ses_get_account", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_get_account" }, { "label": "aws_ses_identities_discovery_via_access_key", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_identities_discovery_via_access_key" }, { "label": "azure_aks_credential_enumeration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_credential_enumeration" }, { "label": "azure_storage_account_enumeration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_enumeration" }, { "label": "gcp_access_denied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_access_denied" } ], "showSubtechniques": false }, { "techniqueID": "T1613", "tactic": "discovery", "color": "#2d9b2d", "comment": "5 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_bedrock_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_discovery" }, { "label": "aws_bedrock_discovery_access_key", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_discovery_access_key" }, { "label": "aws_bedrock_discovery_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_discovery_anomaly" }, { "label": "aws_bedrock_discovery_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_discovery_suspicious" }, { "label": "k8s_access_denied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_access_denied" } ], "showSubtechniques": false }, { "techniqueID": "T1614", "tactic": "discovery", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "ip_lookup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ip_lookup" } ], "showSubtechniques": false }, { "techniqueID": "T1615", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1619", "tactic": "discovery", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_ec2_list_s3_buckets", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_list_s3_buckets" } ], "showSubtechniques": false }, { "techniqueID": "T1622", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1652", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1654", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1673", "tactic": "discovery", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1680", "tactic": "discovery", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_ec2_connect_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh" }, { "label": "aws_ec2_connect_ssh_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh_suspicious" }, { "label": "aws_ec2_connect_ssh_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh_volume" }, { "label": "rdp_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rdp_brute_force" }, { "label": "ssh_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_brute_force" }, { "label": "winrm_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/winrm_brute_force" } ], "showSubtechniques": true }, { "techniqueID": "T1072", "tactic": "lateral-movement", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1080", "tactic": "lateral-movement", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1091", "tactic": "lateral-movement", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1210", "tactic": "lateral-movement", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1534", "tactic": "lateral-movement", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1550", "tactic": "lateral-movement", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_console_long_session", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_long_session" } ], "showSubtechniques": true }, { "techniqueID": "T1563", "tactic": "lateral-movement", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "slack_malware_share_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_malware_share_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1005", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1025", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1039", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1056", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1074", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [ { "label": "gcp_pubsub_subscription_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_created" }, { "label": "gcp_pubsub_subscription_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_created_anomaly" }, { "label": "gcp_pubsub_subscription_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_created_suspicious" }, { "label": "gcp_pubsub_topic_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_topic_created" }, { "label": "gcp_pubsub_topic_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_topic_created_anomaly" }, { "label": "gcp_pubsub_topic_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_topic_created_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1113", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1114", "tactic": "collection", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "google_workspace_external_email_forwarding", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_external_email_forwarding" } ], "showSubtechniques": true }, { "techniqueID": "T1115", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1119", "tactic": "collection", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1123", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1125", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1185", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1213", "tactic": "collection", "color": "#2d9b2d", "comment": "5 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "github_repo_download_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repo_download_anomaly" }, { "label": "github_repos_exfiltration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repos_exfiltration" }, { "label": "github_repos_exfiltration_with_pat", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repos_exfiltration_with_pat" }, { "label": "github_unknown_user_repo_clone", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_unknown_user_repo_clone" }, { "label": "slack_scraping_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_scraping_anomaly" } ], "showSubtechniques": true }, { "techniqueID": "T1530", "tactic": "collection", "color": "#1a6b1a", "comment": "12 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_s3_exfiltration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_exfiltration" }, { "label": "aws_s3_exfiltration_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_exfiltration_anomaly" }, { "label": "aws_s3_exfiltration_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_exfiltration_suspicious" }, { "label": "aws_s3_unauthenticated", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_unauthenticated" }, { "label": "aws_s3_unencrypted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_unencrypted" }, { "label": "confluence_public_link", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/confluence_public_link" }, { "label": "confluence_site_export", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/confluence_site_export" }, { "label": "confluence_space_export", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/confluence_space_export" }, { "label": "gcp_bigquery_dataset_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_bigquery_dataset_public" }, { "label": "gcp_compute_engine_snapshot_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_snapshot_created" }, { "label": "gcp_compute_engine_snapshot_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_snapshot_created_anomaly" }, { "label": "gcp_compute_engine_snapshot_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_snapshot_created_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1557", "tactic": "collection", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1560", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1602", "tactic": "collection", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1001", "tactic": "command-and-control", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "high_volume_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ssh" }, { "label": "ssh_mask", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_mask" }, { "label": "ssh_uncommon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_uncommon" } ], "showSubtechniques": true }, { "techniqueID": "T1008", "tactic": "command-and-control", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "excessive_dns_failures", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_dns_failures" } ], "showSubtechniques": false }, { "techniqueID": "T1071", "tactic": "command-and-control", "color": "#1a6b1a", "comment": "45 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "alternate_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/alternate_dns" }, { "label": "bad_dynamic_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/bad_dynamic_dns" }, { "label": "bad_irc_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/bad_irc_traffic" }, { "label": "bad_tld", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/bad_tld" }, { "label": "c2_communication", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/c2_communication" }, { "label": "encrypted_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns" }, { "label": "encrypted_dns_common", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_common" }, { "label": "encrypted_dns_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_suspicious" }, { "label": "encrypted_dns_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_volume" }, { "label": "excessive_dns_failures", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_dns_failures" }, { "label": "excessive_http_failures", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_http_failures" }, { "label": "excessive_http_failures_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_http_failures_bad" }, { "label": "excessive_http_failures_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_http_failures_suspicious" }, { "label": "high_volume_ftp", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ftp" }, { "label": "high_volume_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ssh" }, { "label": "http_get_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_get_bad" }, { "label": "http_get_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_get_suspicious" }, { "label": "http_post_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_post_bad" }, { "label": "http_post_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_post_suspicious" }, { "label": "irc_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/irc_traffic" }, { "label": "likely_malicious_domain", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/likely_malicious_domain" }, { "label": "mail_implant", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/mail_implant" }, { "label": "multiple_long_hostnames", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/multiple_long_hostnames" }, { "label": "rare_domain_beacon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rare_domain_beacon" }, { "label": "rare_domain_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rare_domain_volume" }, { "label": "sinkholed_destination", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/sinkholed_destination" }, { "label": "smb_outbound", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/smb_outbound" }, { "label": "smb_outbound_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/smb_outbound_volume" }, { "label": "ssh_mask", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_mask" }, { "label": "ssh_uncommon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_uncommon" }, { "label": "suspicious_cluster_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_cluster_volume" }, { "label": "suspicious_domain", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_domain" }, { "label": "suspicious_domain_beacon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_domain_beacon" }, { "label": "suspicious_domain_brand", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_domain_brand" }, { "label": "suspicious_domain_brand_young", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_domain_brand_young" }, { "label": "suspicious_domain_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_domain_volume" }, { "label": "suspicious_dynamic_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_dynamic_dns" }, { "label": "suspicious_hosting_provider", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_hosting_provider" }, { "label": "suspicious_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_ip" }, { "label": "suspicious_ip_trickbot", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_ip_trickbot" }, { "label": "suspicious_ip_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_ip_volume" }, { "label": "tds_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/tds_traffic" }, { "label": "unknown_dynamic_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unknown_dynamic_dns" }, { "label": "unreachable_domain_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unreachable_domain_volume" }, { "label": "young_domain", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/young_domain" } ], "showSubtechniques": true }, { "techniqueID": "T1090", "tactic": "command-and-control", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "anon_circuit", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/anon_circuit" }, { "label": "tor_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/tor_dns" } ], "showSubtechniques": true }, { "techniqueID": "T1092", "tactic": "command-and-control", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1095", "tactic": "command-and-control", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "icmp_tunneling", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/icmp_tunneling" } ], "showSubtechniques": false }, { "techniqueID": "T1102", "tactic": "command-and-control", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "oast_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/oast_traffic" }, { "label": "telegram_bot", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/telegram_bot" }, { "label": "webhook_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/webhook_traffic" } ], "showSubtechniques": true }, { "techniqueID": "T1104", "tactic": "command-and-control", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "tds_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/tds_traffic" } ], "showSubtechniques": false }, { "techniqueID": "T1105", "tactic": "command-and-control", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "opendir", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/opendir" }, { "label": "opendir_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/opendir_suspicious" }, { "label": "opendir_suspicious_unusual_port", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/opendir_suspicious_unusual_port" }, { "label": "opendir_unusual_port", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/opendir_unusual_port" } ], "showSubtechniques": false }, { "techniqueID": "T1132", "tactic": "command-and-control", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1205", "tactic": "command-and-control", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1219", "tactic": "command-and-control", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "remote_access_software", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/remote_access_software" } ], "showSubtechniques": false }, { "techniqueID": "T1568", "tactic": "command-and-control", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "dga_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/dga_volume" }, { "label": "excessive_dns_failures", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_dns_failures" } ], "showSubtechniques": true }, { "techniqueID": "T1571", "tactic": "command-and-control", "color": "#2d9b2d", "comment": "7 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "c2_communication", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/c2_communication" }, { "label": "high_volume_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ssh" }, { "label": "ssh_mask", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_mask" }, { "label": "ssh_uncommon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_uncommon" }, { "label": "suspicious_ip_trickbot", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_ip_trickbot" }, { "label": "unusual_network_port", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unusual_network_port" }, { "label": "unusual_network_port_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unusual_network_port_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1572", "tactic": "command-and-control", "color": "#1a6b1a", "comment": "11 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "anon_circuit", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/anon_circuit" }, { "label": "bad_tunnel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/bad_tunnel" }, { "label": "encrypted_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns" }, { "label": "encrypted_dns_common", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_common" }, { "label": "encrypted_dns_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_suspicious" }, { "label": "encrypted_dns_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_volume" }, { "label": "icmp_tunneling", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/icmp_tunneling" }, { "label": "multiple_long_hostnames", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/multiple_long_hostnames" }, { "label": "suspicious_tunnel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_tunnel" }, { "label": "unknown_tunnel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unknown_tunnel" }, { "label": "vpn_activity", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/vpn_activity" } ], "showSubtechniques": false }, { "techniqueID": "T1573", "tactic": "command-and-control", "color": "#2d9b2d", "comment": "8 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "encrypted_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns" }, { "label": "encrypted_dns_common", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_common" }, { "label": "encrypted_dns_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_suspicious" }, { "label": "encrypted_dns_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_volume" }, { "label": "high_volume_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ssh" }, { "label": "ssh_mask", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_mask" }, { "label": "ssh_uncommon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_uncommon" }, { "label": "vpn_activity", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/vpn_activity" } ], "showSubtechniques": false }, { "techniqueID": "T1659", "tactic": "command-and-control", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1665", "tactic": "command-and-control", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1011", "tactic": "exfiltration", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1020", "tactic": "exfiltration", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1029", "tactic": "exfiltration", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1030", "tactic": "exfiltration", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1041", "tactic": "exfiltration", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "http_post_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_post_bad" }, { "label": "http_post_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_post_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1048", "tactic": "exfiltration", "color": "#1a6b1a", "comment": "30 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "anon_circuit", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/anon_circuit" }, { "label": "aws_console_login_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure" }, { "label": "aws_console_login_failure_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_ip" }, { "label": "aws_console_login_failure_user", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_user" }, { "label": "aws_console_login_failure_users", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_users" }, { "label": "bad_tunnel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/bad_tunnel" }, { "label": "encrypted_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns" }, { "label": "encrypted_dns_common", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_common" }, { "label": "encrypted_dns_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_suspicious" }, { "label": "encrypted_dns_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_volume" }, { "label": "high_volume_ftp", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ftp" }, { "label": "high_volume_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ssh" }, { "label": "icmp_tunneling", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/icmp_tunneling" }, { "label": "mail_implant", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/mail_implant" }, { "label": "multiple_long_hostnames", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/multiple_long_hostnames" }, { "label": "oast_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/oast_traffic" }, { "label": "p2p_activity", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/p2p_activity" }, { "label": "rare_domain_beacon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rare_domain_beacon" }, { "label": "rare_domain_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rare_domain_volume" }, { "label": "slack_link_created_to_sensitive_file", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_link_created_to_sensitive_file" }, { "label": "smb_outbound", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/smb_outbound" }, { "label": "smb_outbound_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/smb_outbound_volume" }, { "label": "ssh_mask", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_mask" }, { "label": "ssh_uncommon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_uncommon" }, { "label": "suspicious_tunnel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/suspicious_tunnel" }, { "label": "telegram_bot", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/telegram_bot" }, { "label": "unknown_tunnel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unknown_tunnel" }, { "label": "unusual_high_traffic_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/unusual_high_traffic_volume" }, { "label": "vpn_activity", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/vpn_activity" }, { "label": "webhook_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/webhook_traffic" } ], "showSubtechniques": false }, { "techniqueID": "T1052", "tactic": "exfiltration", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1537", "tactic": "exfiltration", "color": "#1a6b1a", "comment": "34 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_ami_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ami_public" }, { "label": "aws_backup_vault_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_backup_vault_public" }, { "label": "aws_codebuild_project_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_codebuild_project_public" }, { "label": "aws_data_exfiltration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_data_exfiltration" }, { "label": "aws_data_exfiltration_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_data_exfiltration_anomaly" }, { "label": "aws_data_exfiltration_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_data_exfiltration_suspicious" }, { "label": "aws_ebs_snapshot_copied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ebs_snapshot_copied" }, { "label": "aws_ebs_snapshot_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ebs_snapshot_public" }, { "label": "aws_opensearch_domain_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_opensearch_domain_public" }, { "label": "aws_rds_instance_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_instance_public" }, { "label": "aws_rds_snapshot_copied", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_snapshot_copied" }, { "label": "aws_rds_snapshot_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_snapshot_created" }, { "label": "aws_rds_snapshot_created_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_snapshot_created_public" }, { "label": "aws_rds_snapshot_created_public_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_snapshot_created_public_anomaly" }, { "label": "aws_rds_snapshot_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_snapshot_public" }, { "label": "aws_s3_bucket_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_public" }, { "label": "aws_s3_bucket_public_accidental", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_public_accidental" }, { "label": "aws_s3_bucket_public_suspicious_statement", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_public_suspicious_statement" }, { "label": "aws_s3_bucket_replication_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_replication_unknown" }, { "label": "azure_disk_snapshot_export_uri", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_disk_snapshot_export_uri" }, { "label": "azure_storage_allow_public_blobs", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_allow_public_blobs" }, { "label": "azure_storage_cross_tenant_replication", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_cross_tenant_replication" }, { "label": "azure_storage_network_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_network_public" }, { "label": "gcp_bigquery_exfiltration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_bigquery_exfiltration" }, { "label": "gcp_cloud_sql_instance_exported", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_exported" }, { "label": "gcp_cloud_sql_instance_exported_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_exported_anomaly" }, { "label": "gcp_cloud_sql_instance_exported_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_instance_exported_suspicious" }, { "label": "gcp_cloud_sql_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_public" }, { "label": "gcp_gcs_bucket_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_public" }, { "label": "gcp_pubsub_subscription_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_modified" }, { "label": "gcp_pubsub_subscription_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_modified_anomaly" }, { "label": "gcp_pubsub_subscription_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_modified_suspicious" }, { "label": "github_organization_transferred", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_transferred" }, { "label": "github_repository_transferred", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_transferred" } ], "showSubtechniques": false }, { "techniqueID": "T1567", "tactic": "exfiltration", "color": "#1a6b1a", "comment": "25 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "1password_value_exported", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_value_exported" }, { "label": "aws_cloudshell_file_downloaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_cloudshell_file_downloaded" }, { "label": "aws_datasync_task", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_datasync_task" }, { "label": "aws_datasync_task_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_datasync_task_anomaly" }, { "label": "aws_datasync_task_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_datasync_task_unknown" }, { "label": "aws_ec2_export_task_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_export_task_anomaly" }, { "label": "aws_ec2_export_task_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_export_task_unknown" }, { "label": "aws_ecr_public_image_uploaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_public_image_uploaded" }, { "label": "aws_rds_export_task_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_export_task_anomaly" }, { "label": "aws_rds_export_task_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_export_task_unknown" }, { "label": "aws_s3_bucket_replication_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_replication_unknown" }, { "label": "aws_s3_exfiltration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_exfiltration" }, { "label": "aws_s3_exfiltration_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_exfiltration_anomaly" }, { "label": "aws_s3_exfiltration_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_exfiltration_suspicious" }, { "label": "aws_sns_topic_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sns_topic_public" }, { "label": "aws_sqs_queue_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sqs_queue_public" }, { "label": "aws_workmail_export", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_workmail_export" }, { "label": "aws_workmail_export_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_workmail_export_public" }, { "label": "google_calendar_shared_externally", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_calendar_shared_externally" }, { "label": "google_drive_document_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_drive_document_public" }, { "label": "google_drive_document_shared_externally", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_drive_document_shared_externally" }, { "label": "slack_excessive_downloads_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_excessive_downloads_anomaly" }, { "label": "slack_excessive_file_sharing_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_excessive_file_sharing_anomaly" }, { "label": "slack_manual_export_downloaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_manual_export_downloaded" }, { "label": "slack_multiple_archives_uploaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_multiple_archives_uploaded" } ], "showSubtechniques": true }, { "techniqueID": "T1485", "tactic": "impact", "color": "#1a6b1a", "comment": "50 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_acm_ca_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_acm_ca_deleted" }, { "label": "aws_detective_graph_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_detective_graph_deleted" }, { "label": "aws_ecs_cluster_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecs_cluster_deleted" }, { "label": "aws_ecs_cluster_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecs_cluster_deleted_anomaly" }, { "label": "aws_efs_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_efs_deleted" }, { "label": "aws_efs_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_efs_deleted_anomaly" }, { "label": "aws_efs_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_efs_deleted_suspicious" }, { "label": "aws_kms_key_disruption", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_kms_key_disruption" }, { "label": "aws_rds_destruction", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_destruction" }, { "label": "aws_rds_destruction_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_destruction_anomaly" }, { "label": "aws_rds_destruction_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_destruction_suspicious" }, { "label": "aws_s3_bucket_delete_spike", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_delete_spike" }, { "label": "aws_s3_delete", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_delete" }, { "label": "aws_s3_delete_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_delete_anomaly" }, { "label": "aws_s3_delete_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_delete_suspicious" }, { "label": "aws_s3_short_bucket_retention_period", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period" }, { "label": "aws_s3_short_bucket_retention_period_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period_anomaly" }, { "label": "aws_s3_short_bucket_retention_period_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period_suspicious" }, { "label": "aws_ses_identity_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_identity_deleted" }, { "label": "azure_aks_cluster_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_cluster_deleted_anomaly" }, { "label": "azure_aks_cluster_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_cluster_deleted_suspicious" }, { "label": "azure_compute_restore_point_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_compute_restore_point_deleted_anomaly" }, { "label": "azure_compute_restore_point_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_compute_restore_point_deleted_suspicious" }, { "label": "azure_compute_snapshot_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_compute_snapshot_deleted_anomaly" }, { "label": "azure_compute_snapshot_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_compute_snapshot_deleted_suspicious" }, { "label": "azure_key_vault_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_key_vault_deleted_anomaly" }, { "label": "azure_key_vault_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_key_vault_deleted_suspicious" }, { "label": "azure_resource_group_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_resource_group_deleted_anomaly" }, { "label": "azure_resource_group_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_resource_group_deleted_suspicious" }, { "label": "azure_resource_group_mass_deletion", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_resource_group_mass_deletion" }, { "label": "azure_storage_account_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_deleted_anomaly" }, { "label": "azure_storage_account_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_deleted_suspicious" }, { "label": "gcp_gcs_bucket_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_deleted" }, { "label": "gcp_gcs_bucket_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_deleted_anomaly" }, { "label": "gcp_gcs_bucket_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_deleted_suspicious" }, { "label": "gcp_kms_key_destroyed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_destroyed_anomaly" }, { "label": "gcp_kms_key_destroyed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_destroyed_suspicious" }, { "label": "gcp_kms_key_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_disabled" }, { "label": "gcp_kms_key_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_disabled_anomaly" }, { "label": "gcp_kms_key_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_disabled_suspicious" }, { "label": "gcp_pubsub_topic_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_topic_deleted" }, { "label": "gcp_pubsub_topic_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_topic_deleted_anomaly" }, { "label": "gcp_pubsub_topic_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_topic_deleted_suspicious" }, { "label": "gcp_vpc_network_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_vpc_network_deleted" }, { "label": "gcp_vpc_network_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_vpc_network_deleted_anomaly" }, { "label": "gcp_vpc_network_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_vpc_network_deleted_suspicious" }, { "label": "github_enterprise_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_enterprise_deleted" }, { "label": "github_organization_removed_from_enterprise", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_removed_from_enterprise" }, { "label": "github_repository_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_deleted" }, { "label": "slack_message_deletion_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_message_deletion_anomaly" } ], "showSubtechniques": true }, { "techniqueID": "T1486", "tactic": "impact", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_s3_external_kms_bucket_encryption", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_external_kms_bucket_encryption" }, { "label": "aws_s3_external_kms_encryption", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_external_kms_encryption" }, { "label": "aws_s3_ransom_note_uploaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_ransom_note_uploaded" } ], "showSubtechniques": false }, { "techniqueID": "T1489", "tactic": "impact", "color": "#2d9b2d", "comment": "5 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_ec2_delete_nat_gateway", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_delete_nat_gateway" }, { "label": "azure_aks_cluster_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_cluster_deleted_anomaly" }, { "label": "azure_aks_cluster_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_aks_cluster_deleted_suspicious" }, { "label": "github_repository_archived", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_archived" }, { "label": "slack_app_removed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_app_removed" } ], "showSubtechniques": false }, { "techniqueID": "T1490", "tactic": "impact", "color": "#1a6b1a", "comment": "18 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_backup_plan_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_backup_plan_deleted" }, { "label": "aws_backup_plan_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_backup_plan_deleted_anomaly" }, { "label": "aws_backup_plan_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_backup_plan_deleted_suspicious" }, { "label": "aws_s3_bucket_versioning_suspended", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_versioning_suspended" }, { "label": "aws_s3_bucket_versioning_suspended_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_versioning_suspended_anomaly" }, { "label": "azure_backup_vault_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_backup_vault_deleted" }, { "label": "azure_backup_vault_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_backup_vault_deleted_anomaly" }, { "label": "azure_backup_vault_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_backup_vault_deleted_suspicious" }, { "label": "azure_backup_vault_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_backup_vault_modified" }, { "label": "azure_backup_vault_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_backup_vault_modified_anomaly" }, { "label": "azure_backup_vault_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_backup_vault_modified_suspicious" }, { "label": "azure_blob_soft_delete_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_blob_soft_delete_disabled" }, { "label": "azure_blob_versioning_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_blob_versioning_disabled" }, { "label": "gcp_cloud_sql_automatic_backup_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_automatic_backup_disabled" }, { "label": "gcp_cloud_sql_automatic_backup_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_automatic_backup_disabled_anomaly" }, { "label": "gcp_cloud_sql_automatic_backup_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_cloud_sql_automatic_backup_disabled_suspicious" }, { "label": "gcp_kms_key_destroyed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_destroyed_anomaly" }, { "label": "gcp_kms_key_destroyed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_kms_key_destroyed_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1491", "tactic": "impact", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1495", "tactic": "impact", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1496", "tactic": "impact", "color": "#1a6b1a", "comment": "16 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_autoscaling_group_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_autoscaling_group_changed" }, { "label": "aws_autoscaling_group_changed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_autoscaling_group_changed_anomaly" }, { "label": "aws_autoscaling_group_changed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_autoscaling_group_changed_suspicious" }, { "label": "aws_autoscaling_large_group_launched", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_autoscaling_large_group_launched" }, { "label": "aws_autoscaling_large_group_launched_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_autoscaling_large_group_launched_anomaly" }, { "label": "aws_autoscaling_large_group_launched_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_autoscaling_large_group_launched_suspicious" }, { "label": "aws_bedrock_model_invoked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked" }, { "label": "aws_bedrock_model_invoked_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_anomaly" }, { "label": "aws_bedrock_model_invoked_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_suspicious" }, { "label": "aws_bedrock_model_invoked_unseen", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_unseen" }, { "label": "aws_iac_drift", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iac_drift" }, { "label": "aws_lambda_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_lambda_modified" }, { "label": "aws_s3_static_website", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_static_website" }, { "label": "aws_ses_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_modified" }, { "label": "cryptomining", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/cryptomining" }, { "label": "github_register_self_hosted_runner", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_register_self_hosted_runner" } ], "showSubtechniques": true }, { "techniqueID": "T1498", "tactic": "impact", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "dos_outbound", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/dos_outbound" } ], "showSubtechniques": false }, { "techniqueID": "T1499", "tactic": "impact", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1529", "tactic": "impact", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1531", "tactic": "impact", "color": "#1a6b1a", "comment": "26 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_account_closed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_account_closed" }, { "label": "aws_disruption", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_disruption" }, { "label": "aws_disruption_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_disruption_anomaly" }, { "label": "aws_disruption_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_disruption_suspicious" }, { "label": "aws_iam_users_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_users_deleted" }, { "label": "gcp_iam_role_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_deleted" }, { "label": "gcp_iam_role_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_deleted_anomaly" }, { "label": "gcp_iam_role_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_deleted_suspicious" }, { "label": "gcp_service_account_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_deleted" }, { "label": "gcp_service_account_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_deleted_anomaly" }, { "label": "gcp_service_account_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_deleted_suspicious" }, { "label": "gcp_service_account_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_disabled" }, { "label": "gcp_service_account_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_disabled_anomaly" }, { "label": "gcp_service_account_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_disabled_suspicious" }, { "label": "github_oauth_secret_removed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_oauth_secret_removed" }, { "label": "github_payment_method_removed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_payment_method_removed" }, { "label": "github_user_blocked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_user_blocked" }, { "label": "github_user_removed_from_org", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_user_removed_from_org" }, { "label": "github_user_removed_from_repository", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_user_removed_from_repository" }, { "label": "google_workspace_account_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_account_disabled" }, { "label": "okta_api_token_revoked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_api_token_revoked" }, { "label": "okta_application_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_application_modified" }, { "label": "okta_application_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_application_modified_anomaly" }, { "label": "okta_application_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_application_modified_suspicious" }, { "label": "slack_organization_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_organization_deleted" }, { "label": "slack_sessions_disruption", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_sessions_disruption" } ], "showSubtechniques": false }, { "techniqueID": "T1561", "tactic": "impact", "color": "#d3d3d3", "comment": "N/A - excluded from coverage", "enabled": true, "score": -1, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1565", "tactic": "impact", "color": "#1a6b1a", "comment": "15 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_dynamodb_backup_restored", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored" }, { "label": "aws_dynamodb_backup_restored_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored_anomaly" }, { "label": "aws_dynamodb_backup_restored_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored_suspicious" }, { "label": "aws_s3_write", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_write" }, { "label": "aws_s3_write_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_write_anomaly" }, { "label": "aws_s3_write_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_write_suspicious" }, { "label": "gcp_dns_zone_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_zone_modified" }, { "label": "gcp_dns_zone_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_zone_modified_anomaly" }, { "label": "gcp_dns_zone_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_zone_modified_suspicious" }, { "label": "gcp_gcs_bucket_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified" }, { "label": "gcp_gcs_bucket_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified_anomaly" }, { "label": "gcp_gcs_bucket_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified_suspicious" }, { "label": "github_mass_pushes", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_mass_pushes" }, { "label": "github_public_repo_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_public_repo_created" }, { "label": "oast_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/oast_traffic" } ], "showSubtechniques": true }, { "techniqueID": "T1657", "tactic": "impact", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1667", "tactic": "impact", "enabled": true, "metadata": [], "links": [], "showSubtechniques": false }, { "techniqueID": "T1114.003", "tactic": "collection", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "google_workspace_external_email_forwarding", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_workspace_external_email_forwarding" } ], "showSubtechniques": false }, { "techniqueID": "T1213.003", "tactic": "collection", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "github_repo_download_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repo_download_anomaly" }, { "label": "github_repos_exfiltration", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repos_exfiltration" }, { "label": "github_repos_exfiltration_with_pat", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repos_exfiltration_with_pat" } ], "showSubtechniques": false }, { "techniqueID": "T1213.005", "tactic": "collection", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "slack_scraping_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_scraping_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1001.003", "tactic": "command-and-control", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "high_volume_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ssh" }, { "label": "ssh_mask", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_mask" }, { "label": "ssh_uncommon", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_uncommon" } ], "showSubtechniques": false }, { "techniqueID": "T1071.001", "tactic": "command-and-control", "color": "#2d9b2d", "comment": "8 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "excessive_http_failures", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_http_failures" }, { "label": "excessive_http_failures_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_http_failures_bad" }, { "label": "excessive_http_failures_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_http_failures_suspicious" }, { "label": "http_get_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_get_bad" }, { "label": "http_get_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_get_suspicious" }, { "label": "http_post_bad", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_post_bad" }, { "label": "http_post_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/http_post_suspicious" }, { "label": "tds_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/tds_traffic" } ], "showSubtechniques": false }, { "techniqueID": "T1071.002", "tactic": "command-and-control", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "high_volume_ftp", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/high_volume_ftp" }, { "label": "smb_outbound", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/smb_outbound" }, { "label": "smb_outbound_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/smb_outbound_volume" } ], "showSubtechniques": false }, { "techniqueID": "T1071.003", "tactic": "command-and-control", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "mail_implant", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/mail_implant" } ], "showSubtechniques": false }, { "techniqueID": "T1071.004", "tactic": "command-and-control", "color": "#2d9b2d", "comment": "7 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "alternate_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/alternate_dns" }, { "label": "encrypted_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns" }, { "label": "encrypted_dns_common", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_common" }, { "label": "encrypted_dns_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_suspicious" }, { "label": "encrypted_dns_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/encrypted_dns_volume" }, { "label": "excessive_dns_failures", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/excessive_dns_failures" }, { "label": "multiple_long_hostnames", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/multiple_long_hostnames" } ], "showSubtechniques": false }, { "techniqueID": "T1090.003", "tactic": "command-and-control", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "anon_circuit", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/anon_circuit" }, { "label": "tor_dns", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/tor_dns" } ], "showSubtechniques": false }, { "techniqueID": "T1102.003", "tactic": "command-and-control", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "oast_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/oast_traffic" }, { "label": "telegram_bot", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/telegram_bot" }, { "label": "webhook_traffic", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/webhook_traffic" } ], "showSubtechniques": false }, { "techniqueID": "T1568.002", "tactic": "command-and-control", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "dga_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/dga_volume" } ], "showSubtechniques": false }, { "techniqueID": "T1552.001", "tactic": "credential-access", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_compromised_key_quarantine", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine" }, { "label": "aws_compromised_key_quarantine_self", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self" }, { "label": "github_secret_scanning_alert", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_secret_scanning_alert" } ], "showSubtechniques": false }, { "techniqueID": "T1552.007", "tactic": "credential-access", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "k8s_secret_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_secret_access" }, { "label": "k8s_secret_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_secret_access_anomaly" }, { "label": "k8s_secret_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_secret_access_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1555.006", "tactic": "credential-access", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_secretsmanager_cloudshell_read", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_secretsmanager_cloudshell_read" }, { "label": "aws_ssm_decrypt_parameter", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_decrypt_parameter" }, { "label": "aws_ssm_decrypt_parameter_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ssm_decrypt_parameter_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1556.006", "tactic": "credential-access", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "github_enterprise_recovery_codes", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_enterprise_recovery_codes" }, { "label": "github_organization_recovery_codes", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_recovery_codes" } ], "showSubtechniques": false }, { "techniqueID": "T1069.003", "tactic": "discovery", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_iam_group_discovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_group_discovery" } ], "showSubtechniques": false }, { "techniqueID": "T1059.007", "tactic": "execution", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "malicious_js", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malicious_js" } ], "showSubtechniques": false }, { "techniqueID": "T1059.009", "tactic": "execution", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_bedrock_suspicious_api", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_suspicious_api" } ], "showSubtechniques": false }, { "techniqueID": "T1204.002", "tactic": "execution", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "malicious_js", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/malicious_js" } ], "showSubtechniques": false }, { "techniqueID": "T1204.003", "tactic": "execution", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_ecr_image_uploaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_image_uploaded" } ], "showSubtechniques": false }, { "techniqueID": "T1567.002", "tactic": "exfiltration", "color": "#1a6b1a", "comment": "11 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_ec2_export_task_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_export_task_anomaly" }, { "label": "aws_ec2_export_task_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_export_task_unknown" }, { "label": "aws_ecr_public_image_uploaded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_public_image_uploaded" }, { "label": "aws_rds_export_task_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_export_task_anomaly" }, { "label": "aws_rds_export_task_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_export_task_unknown" }, { "label": "aws_s3_bucket_replication_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_replication_unknown" }, { "label": "aws_workmail_export", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_workmail_export" }, { "label": "aws_workmail_export_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_workmail_export_public" }, { "label": "google_calendar_shared_externally", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_calendar_shared_externally" }, { "label": "google_drive_document_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_drive_document_public" }, { "label": "google_drive_document_shared_externally", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/google_drive_document_shared_externally" } ], "showSubtechniques": false }, { "techniqueID": "T1485.001", "tactic": "impact", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_s3_short_bucket_retention_period", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period" }, { "label": "aws_s3_short_bucket_retention_period_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period_anomaly" }, { "label": "aws_s3_short_bucket_retention_period_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_short_bucket_retention_period_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1496.004", "tactic": "impact", "color": "#2d9b2d", "comment": "8 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_bedrock_model_invoked", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked" }, { "label": "aws_bedrock_model_invoked_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_anomaly" }, { "label": "aws_bedrock_model_invoked_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_suspicious" }, { "label": "aws_bedrock_model_invoked_unseen", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_bedrock_model_invoked_unseen" }, { "label": "aws_iac_drift", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iac_drift" }, { "label": "aws_lambda_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_lambda_modified" }, { "label": "aws_s3_static_website", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_static_website" }, { "label": "aws_ses_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ses_modified" } ], "showSubtechniques": false }, { "techniqueID": "T1565.001", "tactic": "impact", "color": "#2d9b2d", "comment": "9 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_dynamodb_backup_restored", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored" }, { "label": "aws_dynamodb_backup_restored_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored_anomaly" }, { "label": "aws_dynamodb_backup_restored_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_dynamodb_backup_restored_suspicious" }, { "label": "aws_s3_write", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_write" }, { "label": "aws_s3_write_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_write_anomaly" }, { "label": "aws_s3_write_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_write_suspicious" }, { "label": "gcp_gcs_bucket_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified" }, { "label": "gcp_gcs_bucket_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified_anomaly" }, { "label": "gcp_gcs_bucket_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gcs_bucket_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1565.002", "tactic": "impact", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "gcp_dns_zone_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_zone_modified" }, { "label": "gcp_dns_zone_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_zone_modified_anomaly" }, { "label": "gcp_dns_zone_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_zone_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "initial-access", "color": "#1a6b1a", "comment": "58 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "1password_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/1password_malicious_caller" }, { "label": "atlassian_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/atlassian_malicious_caller" }, { "label": "aws_assume_role_external_principal", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_external_principal" }, { "label": "aws_assume_role_new", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_new" }, { "label": "aws_assume_role_new_external", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_new_external" }, { "label": "aws_assume_role_user_agent", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_role_user_agent" }, { "label": "aws_compromised_key_quarantine", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine" }, { "label": "aws_compromised_key_quarantine_self", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self" }, { "label": "aws_console_login_failure", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure" }, { "label": "aws_console_login_failure_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_ip" }, { "label": "aws_console_login_failure_user", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_user" }, { "label": "aws_console_login_failure_users", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_failure_users" }, { "label": "aws_iam_access_key_wakeup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_access_key_wakeup" }, { "label": "aws_iam_policy_role_external_principal", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_external_principal" }, { "label": "aws_iam_policy_role_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_public" }, { "label": "aws_iam_role_wakeup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_role_wakeup" }, { "label": "aws_iam_role_wakeup_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_role_wakeup_suspicious" }, { "label": "aws_iam_trust_policy_oidc_misconfigured", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_trust_policy_oidc_misconfigured" }, { "label": "aws_iam_user_wakeup", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_wakeup" }, { "label": "aws_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_malicious_caller" }, { "label": "aws_malicious_caller_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_malicious_caller_anomaly" }, { "label": "aws_malicious_caller_likely", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_malicious_caller_likely" }, { "label": "aws_root_access", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access" }, { "label": "aws_root_access_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_anomaly" }, { "label": "aws_root_access_key", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_key" }, { "label": "aws_root_access_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_suspicious" }, { "label": "aws_root_access_unusual", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_unusual" }, { "label": "aws_root_password_recovery", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_password_recovery" }, { "label": "aws_root_password_recovery_unknown_asn", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_password_recovery_unknown_asn" }, { "label": "aws_root_password_recovery_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_password_recovery_volume" }, { "label": "azure_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_malicious_caller" }, { "label": "entra_signin_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_anomaly" }, { "label": "entra_signin_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_impossible_travel" }, { "label": "entra_signin_new_country", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_new_country" }, { "label": "entra_signin_success", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_success" }, { "label": "entra_signin_success_no_mfa", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_success_no_mfa" }, { "label": "entra_signin_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_signin_suspicious" }, { "label": "github_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_malicious_caller" }, { "label": "jira_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/jira_malicious_caller" }, { "label": "k8s_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_malicious_caller" }, { "label": "k8s_malicious_caller_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_malicious_caller_anomaly" }, { "label": "k8s_malicious_caller_likely", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_malicious_caller_likely" }, { "label": "linux_sshd_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/linux_sshd_malicious_caller" }, { "label": "okta_mfa_failed_number_challenge", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_failed_number_challenge" }, { "label": "okta_mfa_push_bruteforce", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_push_bruteforce" }, { "label": "okta_multiple_login_failed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_login_failed" }, { "label": "okta_multiple_mfa_push_rejected", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_mfa_push_rejected" }, { "label": "okta_multiple_users_login_failed_from_ip", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_multiple_users_login_failed_from_ip" }, { "label": "okta_user_session_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_anomaly" }, { "label": "okta_user_session_created_impossible_travel", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_impossible_travel" }, { "label": "okta_user_session_created_new_country", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_new_country" }, { "label": "okta_user_session_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_session_created_suspicious" }, { "label": "slack_credential_testing_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_credential_testing_anomaly" }, { "label": "slack_device_compromised", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_device_compromised" }, { "label": "slack_ip_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_ip_anomaly" }, { "label": "slack_malicious_caller", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_malicious_caller" }, { "label": "slack_unexpected_client_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_unexpected_client_anomaly" }, { "label": "slack_user_agent_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_user_agent_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1566.001", "tactic": "initial-access", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "slack_suspicious_file", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_suspicious_file" } ], "showSubtechniques": false }, { "techniqueID": "T1021.001", "tactic": "lateral-movement", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "rdp_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/rdp_brute_force" } ], "showSubtechniques": false }, { "techniqueID": "T1021.004", "tactic": "lateral-movement", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_ec2_connect_ssh", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh" }, { "label": "aws_ec2_connect_ssh_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh_suspicious" }, { "label": "aws_ec2_connect_ssh_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_connect_ssh_volume" }, { "label": "ssh_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/ssh_brute_force" } ], "showSubtechniques": false }, { "techniqueID": "T1021.006", "tactic": "lateral-movement", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "winrm_brute_force", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/winrm_brute_force" } ], "showSubtechniques": false }, { "techniqueID": "T1550.004", "tactic": "lateral-movement", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_console_long_session", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_long_session" } ], "showSubtechniques": false }, { "techniqueID": "T1059.009", "tactic": "persistence", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "azure_automation_account_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_account_created" }, { "label": "azure_automation_runbook_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_runbook_modified_anomaly" }, { "label": "azure_automation_runbook_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_automation_runbook_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "persistence", "color": "#2d9b2d", "comment": "9 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_console_login_ec2", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_console_login_ec2" }, { "label": "aws_sns_topic_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sns_topic_public" }, { "label": "aws_sqs_queue_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sqs_queue_public" }, { "label": "okta_identity_provider_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_identity_provider_created" }, { "label": "okta_identity_provider_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_identity_provider_created_anomaly" }, { "label": "okta_identity_provider_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_identity_provider_created_suspicious" }, { "label": "okta_user_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_created" }, { "label": "okta_user_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_created_anomaly" }, { "label": "okta_user_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_user_created_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1098.001", "tactic": "persistence", "color": "#1a6b1a", "comment": "21 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_access_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created" }, { "label": "aws_access_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created_anomaly" }, { "label": "aws_access_key_created_by_root", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created_by_root" }, { "label": "aws_access_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_access_key_created_suspicious" }, { "label": "aws_apigateway_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_apigateway_key_created" }, { "label": "aws_apigateway_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_apigateway_key_created_anomaly" }, { "label": "aws_apigateway_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_apigateway_key_created_suspicious" }, { "label": "aws_iam_user_created_with_key", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_created_with_key" }, { "label": "aws_root_access_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_root_access_key_created" }, { "label": "aws_sts_consoler", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_consoler" }, { "label": "gcp_api_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_api_key_created" }, { "label": "gcp_api_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_api_key_created_anomaly" }, { "label": "gcp_api_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_api_key_created_suspicious" }, { "label": "gcp_iam_service_account_key_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created" }, { "label": "gcp_iam_service_account_key_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created_anomaly" }, { "label": "gcp_iam_service_account_key_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_service_account_key_created_suspicious" }, { "label": "gcp_workload_identity_pool_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified" }, { "label": "gcp_workload_identity_pool_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified_anomaly" }, { "label": "gcp_workload_identity_pool_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_workload_identity_pool_modified_suspicious" }, { "label": "github_repository_deploy_key_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_deploy_key_changed" }, { "label": "okta_api_token_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_api_token_created" } ], "showSubtechniques": false }, { "techniqueID": "T1098.003", "tactic": "persistence", "color": "#1a6b1a", "comment": "13 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_iam_trust_policy_oidc_misconfigured", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_trust_policy_oidc_misconfigured" }, { "label": "aws_rolesanywhere_profile_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rolesanywhere_profile_created" }, { "label": "aws_rolesanywhere_trust_external_ca", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rolesanywhere_trust_external_ca" }, { "label": "azure_storage_account_role_assigned_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_anomaly" }, { "label": "azure_storage_account_role_assigned_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_suspicious" }, { "label": "entra_role_assignment", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_role_assignment" }, { "label": "entra_role_assignment_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_role_assignment_anomaly" }, { "label": "entra_role_assignment_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/entra_role_assignment_suspicious" }, { "label": "github_organization_member_updated", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_member_updated" }, { "label": "github_organization_moderators_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_organization_moderators_changed" }, { "label": "github_team_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_team_changed" }, { "label": "okta_admin_role_assigned", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_admin_role_assigned" }, { "label": "okta_privilege_granted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_privilege_granted" } ], "showSubtechniques": false }, { "techniqueID": "T1098.004", "tactic": "persistence", "color": "#2d9b2d", "comment": "6 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "gcp_instance_ssh_key_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified" }, { "label": "gcp_instance_ssh_key_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified_anomaly" }, { "label": "gcp_instance_ssh_key_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_instance_ssh_key_modified_suspicious" }, { "label": "gcp_project_ssh_key_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified" }, { "label": "gcp_project_ssh_key_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified_anomaly" }, { "label": "gcp_project_ssh_key_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_project_ssh_key_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1098.005", "tactic": "persistence", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "okta_mfa_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_modified" }, { "label": "okta_mfa_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_modified_anomaly" }, { "label": "okta_mfa_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_mfa_modified_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1098.006", "tactic": "persistence", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_eks_admin_access_entry", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_admin_access_entry" }, { "label": "aws_eks_admin_access_entry_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_admin_access_entry_anomaly" }, { "label": "aws_eks_multicluster_privilege_escalation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_multicluster_privilege_escalation" }, { "label": "aws_eks_principal_granted_multiple_clusters", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_eks_principal_granted_multiple_clusters" } ], "showSubtechniques": false }, { "techniqueID": "T1136.003", "tactic": "persistence", "color": "#2d9b2d", "comment": "9 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_iam_entity_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_entity_created" }, { "label": "aws_iam_user_created_with_admin_policy", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_user_created_with_admin_policy" }, { "label": "aws_login_profile_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created" }, { "label": "aws_login_profile_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_login_profile_created_anomaly" }, { "label": "aws_organization_invite_sent", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_organization_invite_sent" }, { "label": "gcp_service_account_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_created" }, { "label": "gcp_service_account_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_created_anomaly" }, { "label": "gcp_service_account_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_service_account_created_suspicious" }, { "label": "slack_organization_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_organization_created" } ], "showSubtechniques": false }, { "techniqueID": "T1543.005", "tactic": "persistence", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "k8s_resource_created_in_public_namespace", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_resource_created_in_public_namespace" }, { "label": "k8s_resource_created_in_service_namespace", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_resource_created_in_service_namespace" } ], "showSubtechniques": false }, { "techniqueID": "T1556.006", "tactic": "persistence", "color": "#2d9b2d", "comment": "9 detection(s)", "enabled": true, "score": 75, "metadata": [], "links": [ { "label": "aws_mfa_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_disabled" }, { "label": "aws_mfa_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_disabled_anomaly" }, { "label": "aws_mfa_registered", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_registered" }, { "label": "aws_mfa_registered_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_mfa_registered_anomaly" }, { "label": "aws_s3_bucket_mfa_delete_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_bucket_mfa_delete_disabled" }, { "label": "github_mfa_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_mfa_disabled" }, { "label": "okta_weak_mfa_fallback", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_weak_mfa_fallback" }, { "label": "slack_mfa_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_mfa_disabled" }, { "label": "slack_sso_settings_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_sso_settings_modified" } ], "showSubtechniques": false }, { "techniqueID": "T1078.001", "tactic": "privilege-escalation", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_assume_root", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root" }, { "label": "aws_assume_root_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_assume_root_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1078.004", "tactic": "privilege-escalation", "color": "#1a6b1a", "comment": "19 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_privilege_escalation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation" }, { "label": "aws_privilege_escalation_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_anomaly" }, { "label": "aws_privilege_escalation_cloudformation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_cloudformation" }, { "label": "aws_privilege_escalation_datapipeline", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_datapipeline" }, { "label": "aws_privilege_escalation_dynamodb", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_dynamodb" }, { "label": "aws_privilege_escalation_ec2", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ec2" }, { "label": "aws_privilege_escalation_glue", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_glue" }, { "label": "aws_privilege_escalation_iam", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_iam" }, { "label": "aws_privilege_escalation_kms", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_kms" }, { "label": "aws_privilege_escalation_lambda", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_lambda" }, { "label": "aws_privilege_escalation_s3", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_s3" }, { "label": "aws_privilege_escalation_ssm", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ssm" }, { "label": "aws_privilege_escalation_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_suspicious" }, { "label": "gcp_compute_engine_instance_service_account_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified" }, { "label": "gcp_compute_engine_instance_service_account_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified_anomaly" }, { "label": "gcp_compute_engine_instance_service_account_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_instance_service_account_modified_suspicious" }, { "label": "okta_org2org_app_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_org2org_app_modified" }, { "label": "slack_admin_action_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_admin_action_anomaly" }, { "label": "slack_service_owner_transferred", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_service_owner_transferred" } ], "showSubtechniques": false }, { "techniqueID": "T1098.003", "tactic": "privilege-escalation", "color": "#1a6b1a", "comment": "16 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_iam_policy_role_external_principal", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_external_principal" }, { "label": "aws_iam_policy_role_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_iam_policy_role_public" }, { "label": "aws_privilege_escalation_ec2", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_privilege_escalation_ec2" }, { "label": "aws_rds_attach_role", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_attach_role" }, { "label": "aws_rds_attach_role_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_attach_role_anomaly" }, { "label": "aws_sts_get_federation_token_any_action", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_get_federation_token_any_action" }, { "label": "aws_sts_get_federation_token_any_resource", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_sts_get_federation_token_any_resource" }, { "label": "azure_storage_account_role_assigned_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_anomaly" }, { "label": "azure_storage_account_role_assigned_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_storage_account_role_assigned_suspicious" }, { "label": "gcp_iam_role_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_modified" }, { "label": "gcp_iam_role_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_modified_anomaly" }, { "label": "gcp_iam_role_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_iam_role_modified_suspicious" }, { "label": "slack_admin_app_access_expanded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_admin_app_access_expanded" }, { "label": "slack_app_access_expanded", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_app_access_expanded" }, { "label": "slack_privilege_escalation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_privilege_escalation" }, { "label": "slack_user_role_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_user_role_changed" } ], "showSubtechniques": false }, { "techniqueID": "T1543.005", "tactic": "privilege-escalation", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "k8s_privileged_pod_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/k8s_privileged_pod_created" } ], "showSubtechniques": false }, { "techniqueID": "T1583.001", "tactic": "resource-development", "color": "#5cb85c", "comment": "4 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_route53_domain_registered", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_registered" }, { "label": "aws_route53_domain_registered_volume", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_registered_volume" }, { "label": "aws_route53_domain_transfer", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_transfer" }, { "label": "aws_route53_domain_transfer_unknown", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_domain_transfer_unknown" } ], "showSubtechniques": false }, { "techniqueID": "T1584.001", "tactic": "resource-development", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_route53_public_zone_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_public_zone_created" }, { "label": "aws_route53_public_zone_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_public_zone_created_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1586.003", "tactic": "resource-development", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_compromised_key_quarantine", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine" }, { "label": "aws_compromised_key_quarantine_self", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_compromised_key_quarantine_self" } ], "showSubtechniques": false }, { "techniqueID": "T1550.001", "tactic": "stealth", "color": "#5cb85c", "comment": "3 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_get_signin_token", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_get_signin_token" }, { "label": "aws_get_signin_token_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_get_signin_token_anomaly" }, { "label": "aws_get_signin_token_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_get_signin_token_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1562.001", "tactic": "stealth", "color": "#1a6b1a", "comment": "33 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_detective_graph_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_detective_graph_deleted" }, { "label": "aws_ecr_automatic_registry_scanning_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_automatic_registry_scanning_disabled" }, { "label": "aws_ecr_automatic_repository_scanning_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_automatic_repository_scanning_disabled" }, { "label": "aws_ecr_automatic_repository_scanning_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_automatic_repository_scanning_disabled_anomaly" }, { "label": "aws_ecr_automatic_repository_scanning_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ecr_automatic_repository_scanning_disabled_suspicious" }, { "label": "aws_security_hub_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_security_hub_disabled" }, { "label": "gcp_compute_engine_shield_config_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_shield_config_disabled" }, { "label": "gcp_compute_engine_shield_config_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_shield_config_disabled_anomaly" }, { "label": "gcp_compute_engine_shield_config_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_shield_config_disabled_suspicious" }, { "label": "gcp_monitoring_policy_impaired", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_monitoring_policy_impaired" }, { "label": "gcp_monitoring_policy_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_monitoring_policy_modified" }, { "label": "gcp_monitoring_policy_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_monitoring_policy_modified_anomaly" }, { "label": "gcp_monitoring_policy_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_monitoring_policy_modified_suspicious" }, { "label": "gcp_pubsub_subscription_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_deleted" }, { "label": "gcp_pubsub_subscription_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_deleted_anomaly" }, { "label": "gcp_pubsub_subscription_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_pubsub_subscription_deleted_suspicious" }, { "label": "github_audit_log_stream_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_audit_log_stream_disabled" }, { "label": "github_audit_log_stream_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_audit_log_stream_modified" }, { "label": "github_branch_protection_bypassed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_branch_protection_bypassed" }, { "label": "github_branch_protection_policy_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_branch_protection_policy_changed" }, { "label": "github_dependabot_repository_access_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_dependabot_repository_access_changed" }, { "label": "github_repository_branch_protection_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_repository_branch_protection_disabled" }, { "label": "github_secret_scanning_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_secret_scanning_disabled" }, { "label": "github_sso_configuration_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_sso_configuration_modified" }, { "label": "github_token_auto_approve_policy_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/github_token_auto_approve_policy_modified" }, { "label": "okta_application_sign_on_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_application_sign_on_modified" }, { "label": "okta_application_sign_on_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_application_sign_on_modified_anomaly" }, { "label": "okta_application_sign_on_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/okta_application_sign_on_modified_suspicious" }, { "label": "slack_dlp_rule_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_dlp_rule_modified" }, { "label": "slack_information_barrier_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_information_barrier_modified" }, { "label": "slack_legal_hold_policy_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_legal_hold_policy_modified" }, { "label": "slack_microsoft_intune_mdm_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_microsoft_intune_mdm_disabled" }, { "label": "slack_private_channel_made_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_private_channel_made_public" } ], "showSubtechniques": false }, { "techniqueID": "T1562.004", "tactic": "stealth", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_rds_security_group", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_security_group" }, { "label": "aws_rds_security_group_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_rds_security_group_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1562.007", "tactic": "stealth", "color": "#1a6b1a", "comment": "34 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_cloudtrail_event_selector_coverage_limited", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_cloudtrail_event_selector_coverage_limited" }, { "label": "aws_elasticache_security_group_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_elasticache_security_group_modified" }, { "label": "aws_elasticache_security_group_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_elasticache_security_group_modified_anomaly" }, { "label": "aws_ipset_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ipset_modified" }, { "label": "aws_ipset_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ipset_modified_anomaly" }, { "label": "aws_ipset_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ipset_modified_suspicious" }, { "label": "aws_waf_control_list_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_waf_control_list_modified" }, { "label": "aws_waf_control_list_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_waf_control_list_modified_anomaly" }, { "label": "aws_waf_control_list_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_waf_control_list_modified_suspicious" }, { "label": "aws_waf_disassociation", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_waf_disassociation" }, { "label": "aws_waf_disassociation_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_waf_disassociation_anomaly" }, { "label": "aws_waf_disassociation_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_waf_disassociation_suspicious" }, { "label": "azure_front_door_waf_policy_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_front_door_waf_policy_deleted" }, { "label": "azure_mysql_firewall_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_mysql_firewall_modified_anomaly" }, { "label": "azure_mysql_firewall_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_mysql_firewall_modified_suspicious" }, { "label": "azure_mysql_firewall_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_mysql_firewall_public" }, { "label": "azure_nsg_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_nsg_deleted_anomaly" }, { "label": "azure_nsg_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_nsg_deleted_suspicious" }, { "label": "azure_nsg_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_nsg_modified_anomaly" }, { "label": "azure_nsg_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_nsg_modified_suspicious" }, { "label": "azure_postgresql_firewall_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_postgresql_firewall_modified_anomaly" }, { "label": "azure_postgresql_firewall_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_postgresql_firewall_modified_suspicious" }, { "label": "azure_postgresql_firewall_public", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_postgresql_firewall_public" }, { "label": "azure_waf_policy_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_waf_policy_deleted_anomaly" }, { "label": "azure_waf_policy_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_waf_policy_deleted_suspicious" }, { "label": "azure_waf_policy_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_waf_policy_disabled_anomaly" }, { "label": "azure_waf_policy_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_waf_policy_disabled_suspicious" }, { "label": "gcp_firewall_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_firewall_modified" }, { "label": "gcp_firewall_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_firewall_modified_anomaly" }, { "label": "gcp_firewall_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_firewall_modified_suspicious" }, { "label": "gcp_network_security_firewall_public_egress", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_network_security_firewall_public_egress" }, { "label": "gcp_vpc_network_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_vpc_network_created" }, { "label": "gcp_vpc_network_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_vpc_network_created_anomaly" }, { "label": "gcp_vpc_network_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_vpc_network_created_suspicious" } ], "showSubtechniques": false }, { "techniqueID": "T1562.008", "tactic": "stealth", "color": "#1a6b1a", "comment": "43 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_evasion", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_evasion" }, { "label": "aws_evasion_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_evasion_anomaly" }, { "label": "aws_evasion_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_evasion_suspicious" }, { "label": "aws_firehose_destination_changed", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_firehose_destination_changed" }, { "label": "aws_firehose_destination_changed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_firehose_destination_changed_anomaly" }, { "label": "aws_firehose_destination_changed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_firehose_destination_changed_suspicious" }, { "label": "aws_guardduty_destination_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_guardduty_destination_deleted" }, { "label": "aws_logging_evasion", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_logging_evasion" }, { "label": "aws_logging_evasion_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_logging_evasion_anomaly" }, { "label": "aws_logging_evasion_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_logging_evasion_suspicious" }, { "label": "aws_route53_evasion", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_evasion" }, { "label": "aws_route53_evasion_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_evasion_anomaly" }, { "label": "aws_route53_evasion_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_route53_evasion_suspicious" }, { "label": "aws_s3_logging_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_s3_logging_disabled" }, { "label": "azure_event_hub_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_event_hub_deleted_anomaly" }, { "label": "azure_event_hub_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_event_hub_deleted_suspicious" }, { "label": "azure_log_alert_impaired_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_log_alert_impaired_anomaly" }, { "label": "azure_log_alert_impaired_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_log_alert_impaired_suspicious" }, { "label": "azure_network_watcher_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_network_watcher_deleted" }, { "label": "azure_network_watcher_updated", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_network_watcher_updated" }, { "label": "azure_postgresql_logging_config_changed_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_postgresql_logging_config_changed_anomaly" }, { "label": "azure_postgresql_logging_config_changed_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_postgresql_logging_config_changed_suspicious" }, { "label": "azure_sql_server_audit_settings_modified_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_sql_server_audit_settings_modified_anomaly" }, { "label": "azure_sql_server_audit_settings_modified_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/azure_sql_server_audit_settings_modified_suspicious" }, { "label": "gcp_dns_logs_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_logs_disabled" }, { "label": "gcp_dns_logs_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_logs_disabled_anomaly" }, { "label": "gcp_dns_logs_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_dns_logs_disabled_suspicious" }, { "label": "gcp_flow_logs_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_flow_logs_disabled" }, { "label": "gcp_gke_logging_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gke_logging_disabled" }, { "label": "gcp_gke_logging_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gke_logging_disabled_anomaly" }, { "label": "gcp_gke_logging_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gke_logging_disabled_suspicious" }, { "label": "gcp_gke_metrics_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gke_metrics_disabled" }, { "label": "gcp_gke_metrics_disabled_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gke_metrics_disabled_anomaly" }, { "label": "gcp_gke_metrics_disabled_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_gke_metrics_disabled_suspicious" }, { "label": "gcp_log_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_log_deleted" }, { "label": "gcp_log_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_log_deleted_anomaly" }, { "label": "gcp_log_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_log_deleted_suspicious" }, { "label": "gcp_logging_bucket_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_logging_bucket_deleted" }, { "label": "gcp_logging_bucket_deleted_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_logging_bucket_deleted_anomaly" }, { "label": "gcp_logging_bucket_deleted_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_logging_bucket_deleted_suspicious" }, { "label": "gcp_logging_sink_deleted", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_logging_sink_deleted" }, { "label": "gcp_logging_sink_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_logging_sink_modified" }, { "label": "slack_ekm_logging_config_modified", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/slack_ekm_logging_config_modified" } ], "showSubtechniques": false }, { "techniqueID": "T1578.002", "tactic": "stealth", "color": "#1a6b1a", "comment": "12 detection(s)", "enabled": true, "score": 100, "metadata": [], "links": [ { "label": "aws_ec2_launch_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_launch_anomaly" }, { "label": "aws_ec2_launch_multi_region", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_launch_multi_region" }, { "label": "aws_ec2_launch_multiple", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_launch_multiple" }, { "label": "aws_ec2_launch_multiple_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_launch_multiple_anomaly" }, { "label": "aws_ec2_launch_new_region", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_launch_new_region" }, { "label": "aws_ec2_launch_new_type", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_launch_new_type" }, { "label": "aws_lightsail_launch", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_lightsail_launch" }, { "label": "gcp_compute_engine_gpu_instance_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_gpu_instance_created" }, { "label": "gcp_compute_engine_gpu_instance_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_gpu_instance_created_anomaly" }, { "label": "gcp_compute_engine_gpu_instance_created_suspicious", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_gpu_instance_created_suspicious" }, { "label": "gcp_compute_engine_multiple_instances_created", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_multiple_instances_created" }, { "label": "gcp_compute_engine_multiple_instances_created_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/gcp_compute_engine_multiple_instances_created_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1578.003", "tactic": "stealth", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_ec2_termination_anomaly", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ec2_termination_anomaly" } ], "showSubtechniques": false }, { "techniqueID": "T1578.005", "tactic": "stealth", "color": "#a3d9a3", "comment": "1 detection(s)", "enabled": true, "score": 25, "metadata": [], "links": [ { "label": "aws_ebs_encryption_disabled", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_ebs_encryption_disabled" } ], "showSubtechniques": false }, { "techniqueID": "T1600.001", "tactic": "stealth", "color": "#5cb85c", "comment": "2 detection(s)", "enabled": true, "score": 50, "metadata": [], "links": [ { "label": "aws_alb_insecure_ssl", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_alb_insecure_ssl" }, { "label": "aws_cloudfront_insecure_ssl", "url": "https://docs.alphasoc.com/detections_and_findings/alphasoc_detections/aws_cloudfront_insecure_ssl" } ], "showSubtechniques": false } ], "gradient": { "colors": [ "#ffffff", "#a3d9a3", "#5cb85c", "#2d9b2d", "#1a6b1a" ], "minValue": 0, "maxValue": 100 }, "legendItems": [ { "label": "10+ detections", "color": "#1a6b1a" }, { "label": "5-9 detections", "color": "#2d9b2d" }, { "label": "2-4 detections", "color": "#5cb85c" }, { "label": "1 detection", "color": "#a3d9a3" }, { "label": "Not covered", "color": "#ffffff" }, { "label": "N/A (excluded)", "color": "#d3d3d3" } ], "metadata": [], "links": [], "showTacticRowBackground": true, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": true }