Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
google_secops | Google Security Operations | detect | minimal | T1016.001 | Internet Connection Discovery |
Comments
Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1016.002 | Wi-Fi Discovery |
Comments
Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1021.008 | Direct Cloud VM Connections |
Comments
Google Security Operations is able to trigger an alert based on system events, such as remote connections.
References
|
google_secops | Google Security Operations | detect | minimal | T1027.007 | Dynamic API Resolution |
Comments
Google Security Operations can be configured to detect calls to functions like GetProcAddress() and LoadLibrary().
References
|
google_secops | Google Security Operations | detect | minimal | T1027.010 | Command Obfuscation |
Comments
Google Security Operations can be configured to detect suspicious syntax or characters in commands.
References
|
google_secops | Google Security Operations | detect | minimal | T1027.011 | Fileless Storage |
Comments
Google Security Operations is able to trigger an alert based on creation or changes of registry keys and run keys found on Windows platforms.
References
|
google_secops | Google Security Operations | detect | minimal | T1036.008 | Masquerade File Type |
Comments
Google Security Operations is able to trigger an alert based on abnormal command execution from otherwise non-executable file types (such as .txt and .jpg).
References
|
google_secops | Google Security Operations | detect | partial | T1036.009 | Break Process Trees |
Comments
Google Security Operations is able to trigger an alert based on abnormal API calls such as fork().
References
|
google_secops | Google Security Operations | detect | minimal | T1055.015 | ListPlanting |
Comments
Google Security Operations is able to trigger an alert based on abnormal API calls.
References
|
google_secops | Google Security Operations | detect | minimal | T1059.009 | Cloud API |
Comments
Google Security Ops is able to trigger an alert based on system events of interest, for example: suspicious Entra ID login access and usage.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1059.010 | AutoHotKey & AutoIT |
Comments
Google Security Operations is able to trigger an alert based on suspicious behavior seen in the Windows command line.
References
|
google_secops | Google Security Operations | detect | minimal | T1059.011 | Lua |
Comments
Google Security Operations is able to trigger an alert based on suspicious behavior seen in the Windows command line.
References
|
google_secops | Google Security Operations | detect | minimal | T1070.007 | Clear Network Connection History and Configurations |
Comments
Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.
References
|
google_secops | Google Security Operations | detect | minimal | T1070.008 | Clear Mailbox Data |
Comments
Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.
References
|
google_secops | Google Security Operations | detect | minimal | T1070.009 | Clear Persistence |
Comments
Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.
References
|
google_secops | Google Security Operations | detect | minimal | T1070.010 | Relocate Malware |
Comments
Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.
References
|
google_secops | Google Security Operations | detect | significant | T1098.005 | Device Registration |
Comments
Google Security Operations is able to trigger an alert based on changes to account device registrations.
References
|
google_secops | Google Security Operations | detect | minimal | T1127.002 | ClickOnce |
Comments
Google Security Operations triggers an alert based on common command-line arguments for DFSVC.EXE, which is used by adversaries to execute code through ClickOnce applications.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1218.015 | Electron Applications |
Comments
Google Security Ops is able to trigger an alert based on suspicious behavior in Windows with the use of regsvr32.exe and a possible fileless attack via this executable.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral
References
|
google_secops | Google Security Operations | detect | partial | T1480.002 | Mutual Exclusion |
Comments
Google Security Operations can detect the creation of new processes, potentially revealing the existence of a mutex. This is rated as partial due to potential guardrails against detection impacting the reliability of the tool.
References
|
google_secops | Google Security Operations | detect | minimal | T1505.005 | Terminal Services DLL |
Comments
Google Security Operations is able to trigger alerts based off command execution (e.g. reg.exe or termsrv.dll).
References
|
google_secops | Google Security Operations | detect | minimal | T1543.005 | Container Service |
Comments
Google Security Operations is able to trigger alerts based off executed commands like docker run or podman run.
References
|
google_secops | Google Security Operations | detect | minimal | T1546.016 | Installer Packages |
Comments
Google Security Operations is able to trigger alerts based on executed commands and arguments that may be related to abuse of installer packages.
References
|
google_secops | Google Security Operations | detect | minimal | T1546.017 | Udev Rules |
Comments
Google Security Operations is able to trigger alerts based on executed commands that create or modify files where the udev rules are located.
References
|
google_secops | Google Security Operations | detect | minimal | T1548.005 | Temporary Elevated Cloud Access |
Comments
Google Security Ops is able to trigger an alert based on when excessive permissions are assigned to an Entra ID application or privileged roles are assigned to user accounts.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1564_001_macos_hidden_files_and_directories.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1548.006 | TCC Manipulation |
Comments
Google Security Operations can alert based on processes like AuthorizationExecuteWithPrivileges.
References
|
google_secops | Google Security Operations | protect | partial | T1555.006 | Cloud Secrets Management Stores |
Comments
Google Security Operations can prevent those with insufficient privileges from accessing the secrets manager, as well as detect modifications to user privileges that may allow them access. This was ranked as partial as it cannot prevent a compromised account with those permissions from accessing the secrets manager.
References
|
google_secops | Google Security Operations | detect | partial | T1556.006 | Multi-Factor Authentication |
Comments
The audit capabilities within Google Security Operations may be able to detect if Multi-Factor Authentication was disabled, allowing that change to be reverted. This was scored as partial because there is still a window of time in which an adversary can make use of the disabled MFA.
References
|
google_secops | Google Security Operations | detect | minimal | T1562.012 | Disable or Modify Linux Audit System |
Comments
Google Security Operations is able to trigger alerts based off invocation of utilities (like auditctl).
References
|
google_secops | Google Security Operations | detect | minimal | T1564.011 | Ignore Process Interrupts |
Comments
Google Security Operations is able to trigger alerts based off command-line arguments and suspicious system processes.
References
|
google_secops | Google Security Operations | detect | partial | T1567.004 | Exfiltration Over Webhook |
Comments
Google Security Operations can be configured to detect if a webhook-creating command is run.
References
|
google_secops | Google Security Operations | detect | minimal | T1574.013 | KernelCallbackTable |
Comments
Google Security Operations can alert based on Windows API calls such as WriteProcessMemory() and NtQueryInformationProcess().
References
|
google_secops | Google Security Operations | detect | minimal | T1578.005 | Modify Cloud Compute Configurations |
Comments
Google Security Operations is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1584.007 | Serverless |
Comments
Google Security Operations can be configured to detect the use of Google Apps Script.
References
|
google_secops | Google Security Operations | detect | partial | T1622 | Debugger Evasion |
Comments
Google Security Operations is able to trigger alerts based off API calls (such as IsDebuggerPresent()).
References
|
google_secops | Google Security Operations | detect | partial | T1647 | Plist File Modification |
Comments
Google Security Operations is able to trigger alerts based on executed commands that modify files where plists are typically located.
References
|
google_secops | Google Security Operations | detect | minimal | T1648 | Serverless Execution |
Comments
Google Security Operations can be configured to detect the use of Google Apps Script.
References
|
google_secops | Google Security Operations | detect | minimal | T1649 | Steal or Forge Authentication Certificates |
Comments
Google Security Operations is able to trigger alerts based on executed commands that access where certificates are typically stored (e.g. %APPDATA%\Microsoft\SystemCertificates\My\Certificates\).
References
|
google_secops | Google Security Operations | detect | minimal | T1652 | Device Driver Discovery |
Comments
Google Security Operations is able to trigger alerts based off API calls (such as EnumDeviceDrivers()) that may attempt to gather information about local device drivers.
References
|
google_secops | Google Security Operations | detect | minimal | T1654 | Log Enumeration |
Comments
Google Security Operations is able to trigger alerts based off use of utilities used to enumerate logs (like wevtutil.exe).
References
|
google_secops | Google Security Operations | detect | minimal | T1003 | OS Credential Dumping |
Comments
Google Security Operations is able to detect a suspicious command-line process attempting to escalate privileges. Examples of credential access system events the rule matches on include registry values such as:
re.regex($selection.target.registry.registry_value_data, `.*DumpCreds.*`) or re.regex($selection.target.registry.registry_value_data, `.*Mimikatz.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWCrack.*`) or $selection.target.registry.registry_value_data = "HTool/WCE" or re.regex($selection.target.registry.registry_value_data, `.*PSWtool.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWDump.*`).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1003.001 | LSASS Memory |
Comments
Google SecOps is able to detect a suspicious command-line process attempting to escalate privileges, for example by accessing credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS) on Windows machines (e.g., lsass\.exe).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
References
|
google_secops | Google Security Operations | detect | minimal | T1003.003 | NTDS |
Comments
Google SecOps is able to trigger an alert based on process creations and attacks against the NTDS database on Windows platforms (e.g., execution of "ntdsutil.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
References
|
google_secops | Google Security Operations | detect | minimal | T1011 | Exfiltration Over Other Network Medium |
Comments
Google SecOps is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over other network mediums.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/suspicious
References
|
google_secops | Google Security Operations | detect | minimal | T1016 | System Network Configuration Discovery |
Comments
Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1018 | Remote System Discovery |
Comments
Google Security Ops is able to trigger an alert on attempts to identify remote systems via ping sweep. This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/remote_system_discovery___ping_sweep.yaral
References
|
google_secops | Google Security Operations | protect | partial | T1018 | Remote System Discovery |
Comments
Google Security Ops typically filters external network traffic and therefore can be effective for preventing external remote system discovery. Activity originating from inside the trusted network is not mitigated.
References
|
google_secops | Google Security Operations | detect | minimal | T1020 | Automated Exfiltration |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes, such as using bitsadmin to automatically exfiltrate data from Windows machines (e.g., ".*\\bitsadmin\.exe"). This mapping is scored as minimal based on low or uncertain detection coverage factor for this technique.
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1021 | Remote Services |
Comments
Google Security Ops is able to trigger an alert based on system events, such as remote service connections. This mapping was scored as minimal based on low or uncertain detection coverage factor of this technique.
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
References
|
google_secops | Google Security Operations | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
Google Security Ops is able to trigger an alert based off suspicious command-line arguments or processes that indicate obfuscation techniques used to evade cyber defenses, for example when a cmd.exe command line has been obfuscated. This mapping was scored as minimal based on low or uncertain detection coverage factor of the technique.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_cmd_exe_obfuscation.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ursnif_trojan_detection__cmd_obfuscation.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1027.004 | Compile After Delivery |
Comments
Google Security Ops can trigger an alert based on delivery of encrypted or encoded payloads with uncompiled code. This mapping was scored as minimal based on low detection coverage factor of the technique.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/encoded_iex.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1033 | System Owner/User Discovery |
Comments
Google Security Operations is able to trigger an alert based off command-line arguments that could indicate adversaries attempting to get information about system users (e.g., primary user, currently logged-in user, set of users that commonly use a system, or whether a user is actively using the system).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_owner_user_discovery__sysmon_windows_logs.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1036 | Masquerading |
Comments
Google Security Operations is able to trigger an alert based on Windows starting uncommon processes (e.g., detecting Winword starting the uncommon sub-process MicroScMgmt.exe used for CVE-2015-1641).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/exploit_for_cve_2015_1641.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1036.005 | Match Legitimate Name or Location |
Comments
Google Security Operations can trigger an alert based on malware masquerading as a legitimate process, for example Adobe's Acrobat Reader (e.g., re.regex($selection.target.process.file.full_path, `.*\\AcroRD32\.exe`)).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/detects_malware_acrord32_exe_execution_process.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1037 | Boot or Logon Initialization Scripts |
Comments
Google Security Ops is able to trigger an alert based on registry modifications related to custom logon scripts (e.g., "REGISTRY_CREATION", "REGISTRY_MODIFICATION", "HKCU|HKEY_CURRENT_USER").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1037.003 | Network Logon Script |
Comments
Google Security Ops triggers an alert based on suspicious connections (e.g., Netlogon connections).
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/system/vulnerable_netlogon_secure_channel_connection_allowed.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/logon_scripts__userinitmprlogonscript.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1041 | Exfiltration Over C2 Channel |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate exfiltration attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1049 | System Network Connections Discovery |
Comments
Google Security Ops is able to trigger an alert based off command-line arguments that could indicate adversaries attempting to get information about network connections (e.g., "net config", "net use", "net file").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_connections_discovery__sysmon_windows_logs.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1052 | Exfiltration Over Physical Medium |
Comments
Google Security Ops is able to trigger alerts based on system events, such as a USB device being detected.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/usb_new_device.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1052.001 | Exfiltration over USB |
Comments
Google Security Ops is able to trigger an alert based on events, such as "new USB device is connected to a system".
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1053 | Scheduled Task/Job |
Comments
Google Security Ops is able to trigger an alert based on suspicious modifications to the infrastructure, such as new scheduled tasks created to execute programs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/a_scheduled_task_was_created.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1053.005 | Scheduled Task |
Comments
Google Security Ops is able to trigger an alert based on scheduled tasks using the command line (e.g., "schtasks /create").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1055 | Process Injection |
Comments
Google Security Ops can trigger an alert based on suspicious running processes that could be used to evade defenses and escalate privileges (e.g., directory traversal attempts via attachment downloads).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1056 | Input Capture |
Comments
Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1056.003 | Web Portal Capture |
Comments
Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1056.004 | Credential API Hooking |
Comments
Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1057 | Process Discovery |
Comments
Google Security Ops is able to trigger an alert based off command-line arguments that could indicate adversaries attempting to get information about running processes on Windows machines (e.g., "tasklist.exe", "Get-Process.*").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_process_enumeration__sysmon_windows_logs.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/fake_zoom_installer_exe__devil_shadow_botnet.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
Google Security Ops is able to trigger an alert based on system events of interest, for example: decoding Windows payloads using "certutil.exe" functionality.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1059.003 | Windows Command Shell |
Comments
Google Security Ops is able to trigger an alert based on suspicious behavior seen in the Windows command line.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1059.007 | JavaScript |
Comments
Google Security Ops triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor] (e.g., `.*/config/keystore/.*\.js.*`).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
Google Security Ops is able to trigger an alert based on suspicious command-line behavior that could indicate remote code exploitation attempts (e.g., detecting exploits using child processes spawned by Windows DNS processes).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/cve_2020_1350_dns_remote_code_exploit__sigred___via_cmdline.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1070 | Indicator Removal |
Comments
Google Security Operations is able to trigger an alert when logs are cleared from the infrastructure.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1070.001 | Clear Windows Event Logs |
Comments
Google Security Ops is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows security event logs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1070.002 | Clear Linux or Mac System Logs |
Comments
Google Security Ops is able to trigger an alert based on system events, such as deletion of cloud audit logs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1070.004 | File Deletion |
Comments
Google Security Ops is able to trigger an alert based on system process events that indicate backup catalogs being deleted from a Windows machine.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/backup_catalog_deleted.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1070.006 | Timestomp |
Comments
Google Security Ops is able to trigger an alert based on modifications to file time attributes made to hide changes to existing files on Windows machines.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/file_creation_time_changed_via_powershell.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1071 | Application Layer Protocol |
Comments
Google Security Ops is able to trigger an alert based on suspicious modifications to the network infrastructure.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_vpc_network_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1071.001 | Web Protocols |
Comments
Google Security Ops is able to trigger an alert based on system events of interest, for example: detection of the Sunburst C2 channel used as backdoor access in the SolarWinds compromise.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/dns/solarwinds_backdoor_c2_host_name_detected___via_dns.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1072 | Software Deployment Tools |
Comments
Google Security Ops is able to trigger alerts based on suspicious activity on a Linux host that could indicate a bind or reverse shell using the Netcat tool. Note: this rule requires Auditbeat to be installed on the host machine in order to function.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1078 | Valid Accounts |
Comments
Google Security Ops is able to trigger an alert based on RDP logons from non-private IP ranges.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/security/remote_desktop_from_internet__via_audit.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1082 | System Information Discovery |
Comments
Google Security Ops is able to trigger an alert based on suspicious network behavior seen in RAT malware, such as NetWire activity via WScript, or on the use of wmic.exe to obtain specific system information.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_enumeration_via_wmi.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1087 | Account Discovery |
Comments
Google Security Ops is able to trigger an alert based on command-line arguments and suspicious system processes that could indicate an adversary's account discovery techniques.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1087.004 | Cloud Account |
Comments
Google Security Ops is able to trigger an alert based on command-line arguments and suspicious system processes that could indicate an adversary's account discovery techniques (e.g., "net user /domain", "C:\\Windows\\System32\\net.exe", "C:\\Windows\\System32\\query.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1098 | Account Manipulation |
Comments
Google Security Ops is able to trigger an alert that helps ensure multi-factor authentication is enabled for all non-service and administrator accounts.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_multifactor_authentication.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1098.001 | Additional Cloud Credentials |
Comments
Google Security Ops is able to trigger an alert based on changes to Cloud Storage IAM permissions.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_iam_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1105 | Ingress Tool Transfer |
Comments
Google Security Ops is able to trigger an alert based on suspicious system processes that could indicate tool transfer attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1106 | Native API |
Comments
Google Security Ops is able to trigger an alert for suspicious events related to the API (e.g., "API keys created for a project").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_no_project_api_keys.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1112 | Modify Registry |
Comments
Google Security Ops is able to trigger an alert based on events of interest, such as: "Command-line execution of the Windows Registry Editor".
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/command_line_regedit.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1127 | Trusted Developer Utilities Proxy Execution |
Comments
Google Security Ops triggers an alert based on common command-line arguments used by adversaries to proxy execution of code through trusted utilities.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detection_of_winrs_usage.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1127.001 | MSBuild |
Comments
Google Security Ops triggers an alert based on common command-line arguments for msbuild.exe, which is used by adversaries to execute code through a trusted Windows utility.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1132 | Data Encoding |
Comments
Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1132.001 | Standard Encoding |
Comments
Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques for commands and/or command-and-control (C&C) traffic.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1134 | Access Token Manipulation |
Comments
Google Security Ops is able to trigger an alert based on modifications to user access controls.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/sysmon/suspicious_command_line_contains_azure_tokencache_dat_as_argument__via_cmdline.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1134.005 | SID-History Injection |
Comments
Google Security Ops is able to trigger an alert based on successful and failed changes to SID-History.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/windows/addition_of_sid_history_to_active_directory_object.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1136 | Create Account |
Comments
Google Security Ops is able to trigger an alert based on suspicious system event logs, such as newly created local user accounts on Windows machines.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1136.001 | Local Account |
Comments
Google Security Ops is able to trigger an alert based on suspicious system event logs, such as newly created local user accounts in Windows Active Directory environments (e.g., event 4720).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1137 | Office Application Startup |
Comments
Google Security Ops is able to trigger an alert based on suspicious system processes, for example a command-line executable started from a Microsoft Office application.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1137.001 | Office Template Macros |
Comments
Google Security Ops is able to trigger an alert based on suspicious system processes, for example a Windows command-line executable started from Microsoft Word or Excel (e.g., ".*\\WINWORD\.EXE", ".*\\EXCEL\.EXE").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/office_macro_starts_cmd.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1190 | Exploit Public-Facing Application |
Comments
Google Security Ops triggers an alert based on suspicious behavior, such as exploitation attempts against web servers and/or applications (e.g., F5 BIG-IP CVE-2020-5902).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_1.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_2.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1195 | Supply Chain Compromise |
Comments
Google Security Ops is able to trigger alerts based on unusual file write events by third-party software, specifically the SolarWinds executable.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/suspicious/unusual_location_svchost_write.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1195.002 | Compromise Software Supply Chain |
Comments
Google Security Ops is able to trigger an alert based on unusual file write events by third-party software (e.g., the SolarWinds executable ".*\\solarwinds\.businesslayerhost\.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1202 | Indirect Command Execution |
Comments
Google Security Ops is able to trigger an alert based on suspicious event IDs that indicate an adversary's abuse of Windows system utilities to perform indirect command or code execution, for example malicious use of bash.exe via the Windows Subsystem for Linux (WSL).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/lolbas_wsl_exe__via_cmdline.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1203 | Exploitation for Client Execution |
Comments
Google Security Ops is able to trigger an alert based on antivirus notifications that report an exploitation framework (e.g., Meterpreter, Metasploit, PowerSploit).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_service_creation_by_metasploit_on_victim_machine.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/exploit_framework_user_agent.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1204 | User Execution |
Comments
Google Security Ops is able to trigger an alert based on suspicious user activity (e.g., clicking on malicious links).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1210 | Exploitation of Remote Services |
Comments
Google Security Ops is able to trigger an alert based on suspicious system event IDs (e.g., anonymous users changing machine passwords).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/security/anonymous_user_changed_machine_password.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1212 | Exploitation for Credential Access |
Comments
Google Security Ops triggers alerts based on credential exploitation attempts (e.g., reads of the /dev/cmdb/sslvpn_websession file, which contains logins and passwords in clear text).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/cve_2018_13379_fortigate_ssl_vpn_arbitrary_file_reading.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1218 | System Binary Proxy Execution |
Comments
Google Security Ops is able to trigger an alert based on attempts to evade defenses, such as proxying execution through digitally signed binaries to bypass controls.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1218.003 | CMSTP |
Comments
Google Security Ops is able to trigger an alert when adversaries attempt to abuse Microsoft's Connection Manager Profile Installer to proxy the execution of malicious code.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/cmstp_exe_execution_detector__sysmon_behavior.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1218.005 | Mshta |
Comments
Google Security Ops is able to trigger an alert based on the use of MSHTA to call a remote HTML application on Windows (e.g., the pattern "mshta.+http").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1218_005_windows_mshta_remote_usage.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/mshta_spwaned_by_svchost_as_seen_in_lethalhta__sysmon.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1218.010 | Regsvr32 |
Comments
Google Security Ops is able to trigger an alert based on suspicious use of regsvr32.exe on Windows, including possible fileless attacks via this executable.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1484 | Domain or Tenant Policy Modification |
Comments
Google Security Ops is able to trigger an alert based on suspicious system events, such as modifications to Windows password policies (event ID 643 or 4739).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_windows_password_policy_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1486 | Data Encrypted for Impact |
Comments
Google Security Ops is able to trigger an alert based on suspicious events related to ransomware campaigns (e.g., $selection.target.file.md5 = "0c3ef20ede53efbe5eebca50171a589731a17037147102838bdb4a41c33f94e5").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/darkgate_cryptocurrency_mining_and_ransomware_campaign__sysmon.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/formbook_malware__sysmon.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1495 | Firmware Corruption |
Comments
Google Security Ops is able to trigger an alert based on suspicious logs that could indicate tampering with a component's firmware (e.g., a driver loaded from a temporary directory).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_driver_load_from_temp.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1497 | Virtualization/Sandbox Evasion |
Comments
Google Security Ops is able to trigger an alert based on suspicious system events that may indicate an adversary's attempt to check for the presence of security tools (e.g., Sysinternals).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usage_of_sysinternals_tools.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1505 | Server Software Component |
Comments
Google Security Ops is able to trigger alerts based on suspicious events and command-line arguments that could indicate an adversary tampering with system components.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/detection_of_com_hijacking.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1505.003 | Web Shell |
Comments
Google Security Ops triggers an alert based on web shell connections, which are used to establish persistent backdoor access to a compromised machine.
For example, it detects a web shell dropped into a keystore folder on a WebLogic server (path pattern `.*/config/keystore/.*\.js.*`).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1530 | Data from Cloud Storage |
Comments
Google Security Ops is able to trigger an alert to notify personnel of GCP resources (e.g., storage buckets) that are publicly accessible to unauthenticated users.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_public_accessible.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1543 | Create or Modify System Process |
Comments
Google Security Ops is able to trigger an alert based on creation or modification to system-level processes on Windows machines.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_process_creation.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1543.001 | Launch Agent |
Comments
Google Security Ops is able to trigger an alert based on property list files scheduled to automatically execute upon startup on macOS platforms (e.g., "/Library/LaunchAgents/").
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1543_001_macos_launch_agent.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1543.003 | Windows Service |
Comments
Google Security Ops is able to trigger an alert based on system process modifications to existing Windows services which could indicate a malicious payload (e.g., "C:\\Windows\\System32\\sc.exe", "C:\\Windows\\System32\\cmd.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/underminer_exploit_kit_delivers_malware.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1543.004 | Launch Daemon |
Comments
Google Security Ops is able to trigger an alert based on plist files scheduled to automatically execute upon startup on macOS platforms (e.g., "/Library/LaunchDaemons/").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1543_004_macos_launch_daemon.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1546 | Event Triggered Execution |
Comments
Google Security Ops is able to trigger an alert based on manipulation of default programs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1546_001_windows_change_default_file_association.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1546.001 | Change Default File Association |
Comments
Google Security Ops is able to trigger an alert based on manipulation of default programs used for a given extension found on Windows platforms (e.g., "cmd\.exe /c assoc").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1546_001_windows_change_default_file_association.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1546.003 | Windows Management Instrumentation Event Subscription |
Comments
Google Security Ops is able to trigger an alert based on suspicious events used by adversaries to establish persistence via Windows Management Instrumentation (WMI), such as command-line events (e.g., "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/wmi_spawning_windows_powershell.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1546.007 | Netsh Helper DLL |
Comments
Google Security Ops is able to generate alerts based on suspicious events, for example execution of arbitrary code triggered by Netsh Helper DLLs loaded by Netshell (Netsh.exe).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1546.008 | Accessibility Features |
Comments
Google Security Ops is able to trigger an alert based on suspicious system processes that indicate the installation and use of a backdoor via built-in tools accessible from the login screen (e.g., a sticky-keys attack).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/sticky_key_like_backdoor_usage.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
Google Security Ops is able to trigger an alert on the creation or modification of registry Run keys on Windows platforms.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1547.001 | Registry Run Keys / Startup Folder |
Comments
Google Security Ops is able to trigger an alert on the creation or modification of registry Run keys on Windows platforms (e.g., "REGISTRY_MODIFICATION" and "REGISTRY_CREATION" events).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/suspicious_run_key_from_download.yaral
References
|
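The T1547 and T1547.001 entries above describe the same alert condition: a write to a Run key, with the second referenced rule narrowing it to entries that point at a downloaded or dropped file. The following detector is an added example written for this page, not Google Security Operations code or either YARA-L rule; the event field names, the Run-key regex and the list of drop directories are assumptions, and all events are constructed.

```python
"""Added example (not Google SecOps code): flag Windows registry Run-key
persistence and single out entries whose value data points into a download
or temp directory.  All events below are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Autostart keys under HKLM/HKCU; search() also catches Wow6432Node paths.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)(\\|$)",
    re.IGNORECASE,
)
# User-writable drop locations (assumption): a Run entry pointing here is the
# "suspicious run key from download" case rather than ordinary persistence.
DROP_DIR_RE = re.compile(r"\\(Downloads|Temp|Tmp|Users\\Public)\\", re.IGNORECASE)
REGISTRY_WRITE_EVENTS = ("REGISTRY_CREATION", "REGISTRY_MODIFICATION")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict for one registry event, or None if it is not interesting."""
    if event.get("event_type") not in REGISTRY_WRITE_EVENTS:
        return None                       # deletions and reads are ignored
    if not RUN_KEY_RE.search(event.get("key", "")):
        return None                       # not an autostart key
    if DROP_DIR_RE.search(event.get("value_data", "")):
        return "suspicious_run_key_from_download"
    return "run_key_persistence"


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (value_name, verdict) for each hit."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("value_name", "?"), verdict))
    return hits


# Constructed sample events (field names are an assumption, not a UDM schema).
SAMPLE_EVENTS = [
    {"event_type": "REGISTRY_CREATION",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "value_data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"event_type": "REGISTRY_MODIFICATION",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater",
     "value_data": r"C:\Users\alice\Downloads\invoice.exe"},
    {"event_type": "REGISTRY_MODIFICATION",
     "key": r"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "value_name": "svc",
     "value_data": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"event_type": "REGISTRY_MODIFICATION",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
     "value_name": "Start", "value_data": "2"},
    {"event_type": "REGISTRY_DELETION",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "value_data": ""},
]

if __name__ == "__main__":
    for name, verdict in detect(SAMPLE_EVENTS):
        print(f"{verdict:36} {name}")
```

The ordinary Run-key write (OneDrive) still produces a hit, because the page scores the generic rule too; the two writes pointing into Downloads and Temp get the stronger verdict, and the service-key and deletion events are dropped.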
google_secops | Google Security Operations | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
Google Security Ops is able to trigger an alert on Google Cloud IAM custom role changes recorded in Cloud Audit Logs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_custom_role_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1548.002 | Bypass User Account Control |
Comments
Google Security Ops is able to trigger an alert on system-level processes and other modifications on macOS platforms (e.g., "FILE_MODIFICATION", "chflags hidden").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1564_001_macos_hidden_files_and_directories.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1552 | Unsecured Credentials |
Comments
Google Security Ops detects attempts to search Windows registry hives for stored passwords.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1560 | Archive Collected Data |
Comments
Google Security Ops triggers an alert on indicators seen when an adversary compresses or encrypts collected data before exfiltration.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation
References
|
google_secops | Google Security Operations | detect | minimal | T1562.004 | Disable or Modify System Firewall |
Comments
Google Security Ops is able to trigger an alert on Google Cloud VPC firewall rule changes recorded in Cloud Audit Logs.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_firewall_rule_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1564 | Hide Artifacts |
Comments
Google Security Ops is able to trigger an alert on processes used to hide artifacts, such as attrib.exe changing file attributes.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1564.001 | Hidden Files and Directories |
Comments
Google Security Ops is able to trigger an alert on processes that mark a file as a system file on Windows (e.g., "attrib\.exe \+s"), mark a file as hidden on Windows (e.g., "attrib\.exe \+h"), or hide a file on macOS (e.g., "setfile -a V" or "chflags hidden").
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral
References
|
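The T1564 and T1564.001 entries above list the concrete command lines the referenced rules look for (attrib.exe +s / +h on Windows, setfile -a V and chflags hidden on macOS). The detector below is an added example for this page, not Google Security Operations code or the YARA-L rules themselves; the event field names are assumptions and every event is constructed. It deliberately does not fire on commands that clear the flag (attrib -h, chflags nohidden, SetFile -a v), which a naive substring match on "attrib" or "chflags" would alert on.

```python
"""Added example (not Google SecOps code): detect files being hidden via
attrib.exe (+h / +s) on Windows and chflags hidden / SetFile -a V on macOS,
using constructed process-launch events.  Clearing a flag (attrib -h,
chflags nohidden, SetFile -a v) is deliberately not alerted on."""
import re
import shlex
from typing import Dict, List, Optional, Tuple

ATTRIB_RE = re.compile(r"(?:^|\\)attrib(?:\.exe)?$", re.IGNORECASE)


def windows_hidden_flags(cmdline: str) -> List[str]:
    """Attributes attrib.exe is adding that hide a file: any of '+h', '+s'."""
    parts = cmdline.split()
    if not parts or not ATTRIB_RE.search(parts[0].strip('"')):
        return []
    added = set()
    for tok in parts[1:]:
        if tok.startswith("+"):            # "+s +h" or a combined "+sh" form
            added.update("+" + ch for ch in tok[1:].lower() if ch in "hs")
    return sorted(added)


def macos_hidden_reason(cmdline: str) -> Optional[str]:
    """Reason string if the command sets the hidden/invisible flag on macOS."""
    try:
        parts = shlex.split(cmdline)
    except ValueError:                     # unbalanced quotes: not parseable
        return None
    if not parts:
        return None
    tool = parts[0].rsplit("/", 1)[-1].lower()
    args = parts[1:]
    if tool == "chflags":
        # First non-option argument is the comma-separated flag list;
        # "nohidden" clears the flag and must not match.
        for tok in args:
            if tok.startswith("-"):
                continue
            if {"hidden", "uhidden"} & set(tok.split(",")):
                return "chflags hidden"
            break
    elif tool == "setfile":
        # SetFile -a V sets the Finder invisible attribute; lower-case v clears it.
        for i in range(len(args) - 1):
            if args[i] == "-a" and "V" in args[i + 1]:
                return "setfile -a V"
    return None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one process-launch event to a detection name, or None."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return None
    os_name, cmd = event.get("os", ""), event.get("command_line", "")
    if os_name == "windows":
        flags = windows_hidden_flags(cmd)
        if flags:
            return "hiding_files_with_attrib_exe " + " ".join(flags)
    elif os_name == "macos":
        reason = macos_hidden_reason(cmd)
        if reason:
            return "macos_hidden_files_and_directories " + reason
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, detection) for every event that classify() flags."""
    return [(ev.get("host", "?"), v) for ev in events if (v := classify(ev))]


# Constructed sample events (field names are an assumption, not a UDM schema).
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "os": "windows", "host": "ws01",
     "command_line": r'"C:\Windows\System32\attrib.exe" +s +h C:\Users\alice\AppData\Roaming\svc.exe'},
    {"event_type": "PROCESS_LAUNCH", "os": "windows", "host": "ws01",
     "command_line": r"attrib -h C:\Users\alice\Documents\report.docx"},
    {"event_type": "PROCESS_LAUNCH", "os": "macos", "host": "mac02",
     "command_line": "chflags hidden /Users/alice/Library/.agent"},
    {"event_type": "PROCESS_LAUNCH", "os": "macos", "host": "mac02",
     "command_line": "chflags nohidden /Users/alice/Documents"},
    {"event_type": "PROCESS_LAUNCH", "os": "macos", "host": "mac02",
     "command_line": "/usr/bin/SetFile -a V /Users/alice/.launcher"},
    {"event_type": "PROCESS_LAUNCH", "os": "linux", "host": "srv03",
     "command_line": "ls -la /tmp"},
]

if __name__ == "__main__":
    for host, detection in detect(SAMPLE_EVENTS):
        print(f"{host:6} {detection}")
```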
google_secops | Google Security Operations | detect | minimal | T1569 | System Services |
Comments
Google Security Ops is able to trigger alerts on command-line arguments and suspicious system processes that could indicate abuse of system services.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_calculator_usage.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1569.002 | Service Execution |
Comments
Google Security Ops is able to trigger alerts on command-line arguments and suspicious system processes that could indicate abuse of a Windows service to execute malicious commands or code (e.g., a service image path matching "*\\execute\.bat", as installed by smbexec.py).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/smbexec_py_service_installation.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1574 | Hijack Execution Flow |
Comments
Google Security Ops is able to trigger alerts on suspicious system processes that could indicate execution-flow hijacking by malicious payloads.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1574.007 | Path Interception by PATH Environment Variable |
Comments
Google Security Ops is able to trigger alerts on suspicious system processes that could indicate execution-flow hijacking by malicious payloads (e.g., Windows unquoted search path exploitation, "C:\\InventoryWebServer.exe").
This technique was scored as minimal based on low or uncertain detection coverage factor.
References
|
google_secops | Google Security Operations | detect | minimal | T1578 | Modify Cloud Compute Infrastructure |
Comments
Google Security Ops is able to trigger an alert on changes to cloud compute infrastructure (e.g., VPC network changes recorded in Cloud Audit Logs).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1584.002 | DNS Server |
Comments
Google Security Ops monitors and generates alerts for Cloud DNS record creation or deletion performed by principals that are not service accounts.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_dns_modification.yaral
References
|
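Four of the entries above (T1548, T1562.004, T1578 and T1584.002) are backed by rules over Google Cloud Audit Logs: IAM custom role changes, VPC firewall rule changes, VPC network changes, and DNS changes made by something other than a service account. The classifier below is an added example written for this page, not Google Security Operations code or the referenced YARA-L rules. The log lines are constructed; the service and method names follow the shape Cloud Audit Logs use, but the exact method list is an assumption and should be checked against your own project's activity log before use.

```python
"""Added example (not Google SecOps code): classify Google Cloud Audit Log
entries the way the page's gcp_cloudaudit rules do.  Log lines are
constructed; method names follow the Cloud Audit Log shape but the lists
below are an assumption to verify against real logs."""
import json
import re
from typing import Dict, List, Optional

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
ROLE_METHOD_RE = re.compile(r"google\.iam\.admin\.v1\.(Create|Update|Delete|Undelete)Role$")
FIREWALL_METHOD_RE = re.compile(r"\.compute\.firewalls\.(insert|patch|update|delete)$")
NETWORK_METHOD_RE = re.compile(
    r"\.compute\.networks\.(insert|patch|delete|addPeering|removePeering|updatePeering)$")
DNS_CHANGE_METHODS = {"dns.changes.create"}


def is_service_account(principal: str) -> bool:
    """Both default and user-managed GCP service accounts end in .gserviceaccount.com."""
    return principal.lower().endswith(".gserviceaccount.com")


def classify(entry: Dict) -> Optional[str]:
    """Return the matching rule name for one parsed log entry, or None."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None                       # not an audit log entry at all
    service = payload.get("serviceName", "")
    method = payload.get("methodName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if service == "iam.googleapis.com" and ROLE_METHOD_RE.search(method):
        return "gcp_custom_role_changes"
    if service == "compute.googleapis.com":
        if FIREWALL_METHOD_RE.search(method):
            return "gcp_firewall_rule_changes"
        if NETWORK_METHOD_RE.search(method):
            return "gcp_vpc_network_changes"
    if service == "dns.googleapis.com" and method in DNS_CHANGE_METHODS:
        # Automated record updates come from service accounts; a human
        # principal rewriting DNS is the page's alert condition.
        if not is_service_account(principal):
            return "gcp_dns_modification"
    return None


def classify_line(line: str) -> Optional[str]:
    return classify(json.loads(line))


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON log lines and return one record per hit."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        rule = classify(entry)
        if rule:
            p = entry["protoPayload"]
            hits.append({"rule": rule,
                         "principal": p["authenticationInfo"]["principalEmail"],
                         "method": p["methodName"],
                         "resource": p.get("resourceName", "")})
    return hits


def _entry(service: str, method: str, principal: str, resource: str) -> str:
    """Build a constructed audit log line with only the fields the rules use."""
    return json.dumps({
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": AUDIT_LOG_TYPE,
            "serviceName": service, "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource}})


# Constructed sample log (project, principals and resources are made up).
SAMPLE_LOG_LINES = [
    _entry("iam.googleapis.com", "google.iam.admin.v1.UpdateRole",
           "alice@example.com", "projects/example-proj/roles/customDeployer"),
    _entry("compute.googleapis.com", "v1.compute.firewalls.patch",
           "bob@example.com", "projects/example-proj/global/firewalls/allow-all-ingress"),
    _entry("compute.googleapis.com", "v1.compute.networks.insert",
           "terraform@example-proj.iam.gserviceaccount.com",
           "projects/example-proj/global/networks/shadow-vpc"),
    _entry("dns.googleapis.com", "dns.changes.create",
           "external-dns@example-proj.iam.gserviceaccount.com",
           "projects/example-proj/managedZones/prod/changes/42"),
    _entry("dns.googleapis.com", "dns.changes.create",
           "alice@example.com", "projects/example-proj/managedZones/prod/changes/43"),
    _entry("compute.googleapis.com", "v1.compute.instances.list",
           "alice@example.com", "projects/example-proj/zones/us-central1-a/instances"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG_LINES):
        print(f"{hit['rule']:28} {hit['principal']:50} {hit['method']}")
```

Note the asymmetry: firewall, network and role changes alert regardless of who made them, while the DNS rule suppresses service-account principals. That mirrors the page's wording and is also where tuning usually lands, since infrastructure-as-code pipelines run as service accounts and would otherwise dominate the firewall and network alerts too.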
google_secops | Google Security Operations | detect | minimal | T1588 | Obtain Capabilities |
Comments
Google Security Ops is able to trigger alerts on suspicious use of system binaries on Windows hosts. For example, PsExec is a free Microsoft Sysinternals tool that can be used to escalate privileges from administrator to SYSTEM with the -s argument, download files over a network share, and remotely create accounts.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_psexec_execution.yaral
References
|
google_secops | Google Security Operations | detect | minimal | T1588.002 | Tool |
Comments
Google Security Ops is able to trigger alerts on command-line arguments and suspicious system processes that could indicate a tool being used for malicious purposes on Windows hosts. For example, PsExec is a free Microsoft Sysinternals tool that can be used to execute a program on another computer.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_psexec_execution.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/psexec_detector.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/psexec_service_start.yaral
References
|
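The T1569.002, T1588 and T1588.002 entries above are all service-execution detections: PsExec run with -s or against a remote host, the PSEXESVC service it installs on the target, and the service smbexec.py installs whose image path runs a dropped execute.bat. The detector below is an added example written for this page, not Google Security Operations code or the referenced YARA-L and Sigma rules. Event field names, the service name "BTOBTO" in the smbexec sample and the parent-process check are assumptions; every event is constructed.

```python
"""Added example (not Google SecOps code): flag PsExec use and the service
installations left behind by PsExec (PSEXESVC) and smbexec.py (execute.bat)
in constructed process-launch and service-install events."""
import re
from typing import Dict, List, Optional, Tuple

PSEXEC_IMAGE_RE = re.compile(r"(?:^|\\)psexec(?:64)?(?:\.exe)?$", re.IGNORECASE)
# Service binary PsExec drops on the target; also the parent of what it runs.
PSEXESVC_RE = re.compile(r"\\psexesvc\.exe\b", re.IGNORECASE)
# smbexec.py installs a service whose image path runs a dropped execute.bat
# (matches the "*\\execute\.bat" pattern quoted in the T1569.002 entry).
SMBEXEC_IMAGE_RE = re.compile(r"\\execute\.bat\b", re.IGNORECASE)


def psexec_flags(cmdline: str) -> Optional[Dict[str, bool]]:
    """None if the command is not psexec; otherwise which risky switches it used."""
    parts = cmdline.split()
    if not parts or not PSEXEC_IMAGE_RE.search(parts[0].strip('"')):
        return None
    switches = {p.lower() for p in parts[1:] if p.startswith("-")}
    return {
        "system": "-s" in switches,                              # run as SYSTEM
        "copy": "-c" in switches,                                # copy binary to target
        "remote": any(p.startswith("\\\\") for p in parts[1:]),  # \\host target
    }


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one service-install or process-launch event to a detection, or None."""
    et = event.get("event_type")
    if et == "SERVICE_INSTALL":
        name, image = event.get("service_name", ""), event.get("image_path", "")
        if name.upper() == "PSEXESVC" or PSEXESVC_RE.search(image):
            return "psexec_service_installation"
        if SMBEXEC_IMAGE_RE.search(image):
            return "smbexec_py_service_installation"
        return None
    if et == "PROCESS_LAUNCH":
        # Child of the PsExec service binary: the remote command actually running
        # (assumption: parent image is available on the event).
        if PSEXESVC_RE.search(event.get("parent_image", "")):
            return "psexec_service_child_process"
        flags = psexec_flags(event.get("command_line", ""))
        if flags:
            if flags["system"]:
                return "psexec_execution_as_system"
            if flags["remote"]:
                return "psexec_remote_execution"
            return "psexec_execution"
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, detection) for every event that classify() flags."""
    return [(ev.get("host", "?"), v) for ev in events if (v := classify(ev))]


# Constructed sample events (field names are an assumption, not a UDM schema).
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "host": "admin-ws",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"psexec.exe \\fileserver01 -s -accepteula cmd.exe /c whoami"},
    {"event_type": "PROCESS_LAUNCH", "host": "admin-ws",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Tools\PsExec64.exe \\ws07 -u corp\admin -c C:\Tools\collector.exe"},
    {"event_type": "SERVICE_INSTALL", "host": "fileserver01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_type": "SERVICE_INSTALL", "host": "fileserver01",
     "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"event_type": "PROCESS_LAUNCH", "host": "fileserver01",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": r"cmd.exe /c whoami"},
    {"event_type": "SERVICE_INSTALL", "host": "fileserver01",
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, detection in detect(SAMPLE_EVENTS):
        print(f"{host:12} {detection}")
```

The service-install checks are the ones worth keeping even if PsExec is sanctioned in your environment: an attacker's renamed copy of PsExec still installs a service named PSEXESVC, and smbexec leaves the execute.bat image path regardless of what the operator calls the service.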
Capability ID | Capability Name | Number of Mappings |
---|---|---|
google_secops | Google Security Operations | 144 |