T1189

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Drive-by compromise occurs when exploit code is delivered through a browser, often via a compromised legitimate website (watering hole), malicious advertising (malvertising), or injected iframes/scripts. Upon visiting the malicious page, browser or plugin exploits execute code silently, commonly resulting in the browser spawning unexpected child processes, writing executables to disk, or making unusual outbound network connections that establish C2 channels. This technique is particularly dangerous because it requires no user interaction beyond visiting a page and is frequently used for targeted attacks against specific communities or industries.

Microsoft Sentinel / Defender

kusto

let BrowserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "microsoftedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "MicrosoftEdge.exe"]);
let SuspiciousChildProcesses = dynamic([
  "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
  "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
  "wmic.exe", "msiexec.exe", "schtasks.exe", "at.exe",
  "net.exe", "netsh.exe", "sc.exe", "reg.exe",
  "bash.exe", "sh.exe", "curl.exe", "wget.exe"
]);
let SuspiciousExtensions = dynamic([".exe", ".dll", ".bat", ".ps1", ".vbs", ".js", ".hta", ".scr", ".pif", ".com"]);
// Branch 1: Browser spawning suspicious child processes (primary indicator)
let BrowserChildProc = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where FileName in~ (SuspiciousChildProcesses)
| extend DetectionType = "BrowserSpawnedSuspiciousChild"
| extend RiskIndicator = strcat("Browser:", InitiatingProcessFileName, " spawned:", FileName);
// Branch 2: Browser writing executables or scripts to disk
let BrowserFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where FileName has_any (SuspiciousExtensions)
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Downloads\\", "\\AppData\\Roaming\\", "\\Public\\", "\\ProgramData\\")
| where not (FolderPath has_any ("\\Chrome\\", "\\Firefox\\", "\\Edge\\", "\\CrashReports\\", "\\Cache\\", "\\Update\\"))
| extend DetectionType = "BrowserWroteExecutableToDisk"
| extend RiskIndicator = strcat("Browser:", InitiatingProcessFileName, " wrote:", FileName, " to:", FolderPath);
// Branch 1 output
BrowserChildProc
| project Timestamp, DeviceName, AccountName, DetectionType, RiskIndicator,
          FileName, ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName
| union (
  BrowserFileWrite
  | project Timestamp, DeviceName, AccountName, DetectionType, RiskIndicator,
            FileName, ProcessCommandLine = "", InitiatingProcessFileName,
            InitiatingProcessCommandLine, InitiatingProcessParentFileName
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Browser-based development tools (VS Code in browser, Jupyter) that legitimately spawn shell processes or write scripts to disk
Software update mechanisms where browser update components (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe) write update executables — distinguish by parent process and folder path
Enterprise web applications that use browser-initiated file downloads as part of legitimate workflows (e.g., downloading batch scripts from internal portals)
Penetration testing tools and red team frameworks that use browsers as delivery mechanisms in authorized engagements
Browser extensions with broad file system permissions writing helper applications or native messaging hosts

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval BrowserParent=case(
    match(ParentImage, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)"), "true",
    true(), "false"
  )
| eval BrowserSelf=case(
    match(Image, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)"), "true",
    true(), "false"
  )
| eval SuspiciousChild=case(
    match(Image, "(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msiexec\.exe|schtasks\.exe|net\.exe|netsh\.exe|sc\.exe|reg\.exe|bash\.exe|curl\.exe|wget\.exe)"), "true",
    true(), "false"
  )
(
  (EventCode=1 BrowserParent="true" SuspiciousChild="true")
  OR
  (EventCode=11 BrowserSelf="true"
    (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.bat"
     OR TargetFilename="*.ps1" OR TargetFilename="*.vbs" OR TargetFilename="*.js"
     OR TargetFilename="*.hta" OR TargetFilename="*.scr" OR TargetFilename="*.pif")
    (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\*"
     OR TargetFilename="*\\Downloads\\*" OR TargetFilename="*\\Public\\*"
     OR TargetFilename="*\\ProgramData\\*")
    NOT (TargetFilename="*\\Chrome\\*" OR TargetFilename="*\\Firefox\\*"
         OR TargetFilename="*\\Edge\\*" OR TargetFilename="*Cache*"
         OR TargetFilename="*Update*" OR TargetFilename="*CrashReport*")
  )
)
| eval DetectionType=case(
    EventCode=1, "BrowserSpawnedSuspiciousChild",
    EventCode=11, "BrowserWroteExecutableToDisk",
    true(), "Unknown"
  )
| eval RiskIndicator=case(
    EventCode=1, "Parent=".ParentImage." spawned=".Image,
    EventCode=11, "Browser=".Image." wrote=".TargetFilename,
    true(), "Unknown"
  )
| table _time, host, User, EventCode, DetectionType, RiskIndicator,
        Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Browser-based development tools (VS Code in browser, Jupyter) that legitimately spawn shell processes or write scripts to disk
Software update mechanisms where browser update components write update executables — distinguish by TargetFilename path and ParentImage
Enterprise web applications initiating legitimate file downloads (batch scripts, PowerShell from internal portals) — build allowlist by ParentImage+TargetFilename combination
Browser extensions with native messaging hosts writing helper binaries to AppData
Authorized penetration testing activities using browser-based delivery

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
[
  any where event.category == "process" and event.type == "start"
  and process.parent.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "microsoftedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "MicrosoftEdge.exe")
  and process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "schtasks.exe", "at.exe", "net.exe", "netsh.exe", "sc.exe", "reg.exe", "bash.exe", "sh.exe", "curl.exe", "wget.exe")
]

union

sequence by host.id with maxspan=5m
[
  any where event.category == "file" and event.type in ("creation", "change")
  and process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "microsoftedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "MicrosoftEdge.exe")
  and file.extension in~ ("exe", "dll", "bat", "ps1", "vbs", "js", "hta", "scr", "pif", "com")
  and (
    file.path like~ "*\\Temp\\*" or
    file.path like~ "*\\AppData\\Local\\Temp\\*" or
    file.path like~ "*\\Downloads\\*" or
    file.path like~ "*\\AppData\\Roaming\\*" or
    file.path like~ "*\\Public\\*" or
    file.path like~ "*\\ProgramData\\*"
  )
  and not (
    file.path like~ "*\\Chrome\\*" or
    file.path like~ "*\\Firefox\\*" or
    file.path like~ "*\\Edge\\*" or
    file.path like~ "*Cache*" or
    file.path like~ "*Update*" or
    file.path like~ "*CrashReport*"
  )
]

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (Windows)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-*

False Positives

Browser-integrated download managers or update helpers (e.g., Chrome Updater, Firefox Maintenance Service) that legitimately write executables to temp directories during auto-update cycles
Legitimate developer workflows where a browser-based IDE or test runner (e.g., VS Code Live Share, JupyterLab) spawns cmd.exe or powershell.exe to run build commands
Enterprise web portals that use browser-launched ClickOnce installers or ActiveX controls, resulting in msiexec.exe being spawned by Internet Explorer or Edge

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  QIDNAME(qid) AS event_name,
  "sourceip",
  "destinationip",
  CATEGORYNAME(category) AS event_category,
  "ProcessImage" AS child_process,
  "ParentProcessImage" AS parent_process,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_file,
  CASE
    WHEN LOWER("ProcessImage") MATCHES '.*\\\\(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec|schtasks|net|netsh|sc|reg|bash|curl|wget)\.exe'
     AND LOWER("ParentProcessImage") MATCHES '.*\\\\(chrome|firefox|msedge|microsoftedge|iexplore|opera|brave)\.exe'
    THEN 'BrowserSpawnedSuspiciousChild'
    WHEN LOWER("ProcessImage") MATCHES '.*\\\\(chrome|firefox|msedge|microsoftedge|iexplore|opera|brave)\.exe'
     AND LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)'
     AND LOWER("TargetFilename") MATCHES '.*(temp|appdata|downloads|public|programdata).*'
    THEN 'BrowserWroteExecutableToDisk'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 167, 368)
  AND starttime > NOW() - 86400000
  AND (
    (
      LOWER("ParentProcessImage") MATCHES '.*\\\\(chrome|firefox|msedge|microsoftedge|iexplore|opera|brave)\.exe'
      AND LOWER("ProcessImage") MATCHES '.*\\\\(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec|schtasks|net|netsh|sc|reg|bash|curl|wget)\.exe'
    )
    OR
    (
      LOWER("ProcessImage") MATCHES '.*\\\\(chrome|firefox|msedge|microsoftedge|iexplore|opera|brave)\.exe'
      AND LOWER("TargetFilename") MATCHES '.*\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)'
      AND (
        LOWER("TargetFilename") MATCHES '.*(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\downloads\\\\|\\\\appdata\\\\roaming\\\\|\\\\public\\\\|\\\\programdata\\\\).*'
      )
      AND NOT (
        LOWER("TargetFilename") MATCHES '.*(\\\\chrome\\\\|\\\\firefox\\\\|\\\\edge\\\\|cache|update|crashreport).*'
      )
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Sysmon Microsoft Windows Security Event Log QRadar DSM for Windows

Required Tables

events

False Positives

Browser-driven CI/CD integrations where a web dashboard (e.g., Jenkins, TeamCity UI) triggers cmd.exe or powershell.exe build steps via the user's browser session
Enterprise endpoint management portals (e.g., SCCM, BigFix) delivered through a browser that launch msiexec.exe to install approved software packages
Legitimate browser plugins or helper applications (PDF viewers, media codecs) that extract temporary executables to AppData during installation initiated from the browser

Sumo Logic CSE

sql

// Branch 1: Browser spawning suspicious child process (Sysmon EventID 1)
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse regex "EventID>(?<EventCode>\d+)<" nodrop
| parse regex "<Image>(?<Image>[^<]+)</Image>" nodrop
| parse regex "<ParentImage>(?<ParentImage>[^<]+)</ParentImage>" nodrop
| parse regex "<CommandLine>(?<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex "<ParentCommandLine>(?<ParentCommandLine>[^<]+)</ParentCommandLine>" nodrop
| parse regex "<User>(?<User>[^<]+)</User>" nodrop
| parse regex "<Computer>(?<Computer>[^<]+)</Computer>" nodrop
| where EventCode = "1"
| where (
    matches(toLowerCase(ParentImage), "/(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)/")
    and matches(toLowerCase(Image), "/(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msiexec\.exe|schtasks\.exe|at\.exe|net\.exe|netsh\.exe|sc\.exe|reg\.exe|bash\.exe|curl\.exe|wget\.exe)/")
  )
| "BrowserSpawnedSuspiciousChild" as DetectionType
| concat("Parent=", ParentImage, " spawned=", Image) as RiskIndicator

// Union Branch 2: Browser writing executable to disk (Sysmon EventID 11)
| union (
  _sourceCategory=*windows*sysmon*
  | parse regex "EventID>(?<EventCode>\d+)<" nodrop
  | parse regex "<Image>(?<Image>[^<]+)</Image>" nodrop
  | parse regex "<TargetFilename>(?<TargetFilename>[^<]+)</TargetFilename>" nodrop
  | parse regex "<User>(?<User>[^<]+)</User>" nodrop
  | parse regex "<Computer>(?<Computer>[^<]+)</Computer>" nodrop
  | where EventCode = "11"
  | where matches(toLowerCase(Image), "/(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe)/")
  | where matches(toLowerCase(TargetFilename), "/\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)$/")
  | where matches(toLowerCase(TargetFilename), "/(\\temp\\|appdata\\local\\temp\\|downloads\\|appdata\\roaming\\|public\\|programdata\\)/")
  | where !matches(toLowerCase(TargetFilename), "/(\\chrome\\|\\firefox\\|\\edge\\|cache|update|crashreport)/")
  | "BrowserWroteExecutableToDisk" as DetectionType
  | concat("Browser=", Image, " wrote=", TargetFilename) as RiskIndicator
  | "" as CommandLine | "" as ParentImage | "" as ParentCommandLine
)
| fields _messageTime, Computer, User, EventCode, DetectionType, RiskIndicator, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon (via Sumo Logic Installed Collector) Sumo Logic Windows Event Log Source

Required Tables

Sysmon Event Log (_sourceCategory=*windows*sysmon*)

False Positives

Browser-launched enterprise software portals that use signed ClickOnce or MSIX bundles dropping legitimate installer artifacts to AppData or Temp directories
Security awareness training platforms delivered via browser that simulate payloads in controlled environments, causing benign file drops in temp locations
Automated browser testing frameworks (Selenium, Puppeteer) running in developer environments where the test browser spawns cmd.exe or powershell.exe as part of scripted interactions

Google Chronicle / SecOps

yaral

rule t1189_drive_by_compromise {
  meta:
    author = "df00tech"
    description = "Detects drive-by compromise: browser processes spawning suspicious child processes or writing executable/script files to user-writable directories"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1189"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1189/"
    reference = "https://attack.mitre.org/techniques/T1189/"

  events:
    // Branch 1: Browser spawning suspicious child process
    $proc_event.metadata.event_type = "PROCESS_LAUNCH"
    $proc_event.principal.process.file.full_path = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|MicrosoftEdge\.exe)$/
    $proc_event.target.process.file.full_path = /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|msiexec\.exe|schtasks\.exe|at\.exe|net\.exe|netsh\.exe|sc\.exe|reg\.exe|bash\.exe|sh\.exe|curl\.exe|wget\.exe)$/
    $proc_event.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = 85
    $detection_type = "BrowserSpawnedSuspiciousChild"
    $browser_process = $proc_event.principal.process.file.full_path
    $child_process = $proc_event.target.process.file.full_path
    $command_line = $proc_event.target.process.command_line
    $user = $proc_event.principal.user.userid

  condition:
    $proc_event
}

rule t1189_drive_by_browser_file_write {
  meta:
    author = "df00tech"
    description = "Detects drive-by compromise: browser writing executable or script files to writable user directories"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1189"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1189/"

  events:
    $file_event.metadata.event_type = "FILE_CREATION"
    $file_event.principal.process.file.full_path = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|microsoftedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|MicrosoftEdge\.exe)$/
    $file_event.target.file.full_path = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)$/
    $file_event.target.file.full_path = /(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Public\\|\\ProgramData\\)/
    not $file_event.target.file.full_path = /(?i)(\\Chrome\\|\\Firefox\\|\\Edge\\|Cache|Update|CrashReport)/
    $file_event.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = 80
    $detection_type = "BrowserWroteExecutableToDisk"
    $browser_process = $file_event.principal.process.file.full_path
    $dropped_file = $file_event.target.file.full_path
    $user = $file_event.principal.user.userid

  condition:
    $file_event
}

high severity high confidence

Data Sources

Google Chronicle (UDM) Windows Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH, FILE_CREATION)

False Positives

Browser-based remote desktop or screen-sharing tools (e.g., TeamViewer Web, AnyDesk browser launch) that drop helper executables to AppData during session initialization
Enterprise intranet portals distributing VPN client updates or certificate installers that cause the browser to write .exe files to Downloads followed by msiexec.exe execution
Browser extensions with native messaging hosts that write compiled helper binaries to AppData/Local during first-run setup, legitimately spawning cmd.exe to complete installation

CrowdStrike LogScale (CQL)

cql

// Branch 1: Browser spawning suspicious child process
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(chrome|firefox|msedge|microsoftedge|iexplore|opera|brave|MicrosoftEdge)\.exe$/
| ImageFileName = /(?i)\\(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|wmic|msiexec|schtasks|at|net|netsh|sc|reg|bash|sh|curl|wget)\.exe$/
| DetectionType := "BrowserSpawnedSuspiciousChild"
| RiskIndicator := format("Parent=%s spawned=%s", field="ParentBaseFileName", field="ImageFileName")
| table([_time, ComputerName, UserName, DetectionType, RiskIndicator, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine])

// Branch 2: Browser writing executable to disk (use SyntheticProcessRollup2 + file write events)
| union (
  #event_simpleName=SyntheticProcessRollup2
  | ContextBaseFileName = /(?i)^(chrome|firefox|msedge|microsoftedge|iexplore|opera|brave|MicrosoftEdge)\.exe$/
  | TargetFileName = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|scr|pif|com)$/
  | TargetFileName = /(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Public\\|\\ProgramData\\)/
  | TargetFileName != /(?i)(\\Chrome\\|\\Firefox\\|\\Edge\\|Cache|Update|CrashReport)/
  | DetectionType := "BrowserWroteExecutableToDisk"
  | RiskIndicator := format("Browser=%s wrote=%s", field="ContextBaseFileName", field="TargetFileName")
  | CommandLine := ""
  | ParentBaseFileName := ""
  | ParentCommandLine := ""
  | table([_time, ComputerName, UserName, DetectionType, RiskIndicator, ContextBaseFileName, CommandLine, ParentBaseFileName, ParentCommandLine, TargetFileName])
)
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon Data Replicator (FDR) CrowdStrike Event Stream API

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate software distribution via browser portals where an enterprise deployment tool (e.g., PDQ Deploy web console, JAMF Self Service) causes the browser to download and execute signed MSI packages via msiexec.exe
Developer machines running browser-based build orchestration (e.g., GitHub Actions local runner triggered from a web UI) that legitimately spawns powershell.exe or cmd.exe for build tasks
PDF or Office plugin installers delivered via browser that extract helper executables to AppData during first-run initialization, such as Adobe Acrobat Reader DC updates triggered from within the browser

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1189 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Drive-by Compromise

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Initial Access

Popular Detections