|
Cisco SD-WAN - Low Frequency Rogue Peer
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Anomaly
|
Cisco Catalyst SD-WAN Analytics
|
2026-03-02
|
|
Cisco SD-WAN - Peering Activity
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-03-02
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1059.003
T1059.001
|
TTP
|
React2Shell
|
2026-02-26
|
|
Cisco AI Defense Security Alerts by Application Name
|
Cisco AI Defense Alerts
|
|
Anomaly
|
Critical Alerts
|
2026-02-25
|
|
Cisco ASA - AAA Policy Tampering
|
Cisco ASA Logs
|
T1556.004
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Device File Copy Activity
|
Cisco ASA Logs
|
T1005
T1530
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Device File Copy to Remote Location
|
Cisco ASA Logs
|
T1005
T1041
T1048.003
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Logging Disabled via CLI
|
Cisco ASA Logs
|
T1562
|
TTP
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Logging Filters Configuration Tampering
|
Cisco ASA Logs
|
T1562
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Logging Message Suppression
|
Cisco ASA Logs
|
T1562.002
T1070
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1136.001
T1078.003
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Packet Capture Activity
|
Cisco ASA Logs
|
T1040
T1557
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - Reconnaissance Command Activity
|
Cisco ASA Logs
|
T1082
T1590.001
T1590.005
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - User Account Deleted From Local Database
|
Cisco ASA Logs
|
T1531
T1070.008
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - User Account Lockout Threshold Exceeded
|
Cisco ASA Logs
|
T1110.001
T1110.003
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-02-25
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Admin Login Unusual Country
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Bypass Code Generation
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Allow Devices Without Screen Lock
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Allow Network Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Allow Old Flash
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Allow Tampered Devices
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Deny Access
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Policy Skip 2FA for Other Countries
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Cisco Duo Set User Status to Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-02-25
|
|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
T1110.003
|
Hunting
|
Active Directory Password Spraying, Compromised User Account
|
2026-02-25
|
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
APT37 Rustonotto and FadeStealer, AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2026-02-25
|
|
Detect New Login Attempts to Routers
|
|
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Email Attachments With Lots Of Spaces
|
|
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2026-02-25
|
|
Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
T1114.001
|
TTP
|
Collection and Staging
|
2026-02-25
|
|
Email servers sending high volume traffic to hosts
|
|
T1114.002
|
Anomaly
|
Collection and Staging, HAFNIUM Group
|
2026-02-25
|
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
T1190
|
TTP
|
Hellcat Ransomware, Ivanti Virtual Traffic Manager CVE-2024-7593, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
M365 Copilot Failed Authentication Patterns
|
M365 Copilot Graph API
|
T1110
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-02-25
|
|
M365 Copilot Impersonation Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1562
|
TTP
|
Suspicious Microsoft 365 Copilot Activities
|
2026-02-25
|
|
M365 Copilot Non Compliant Devices Accessing M365 Copilot
|
M365 Copilot Graph API
|
T1562
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-02-25
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-02-25
|
|
MCP Github Suspicious Operation
|
MCP Server
|
T1552.001
|
Hunting
|
Suspicious MCP Activities
|
2026-02-25
|
|
MCP Postgres Suspicious Query
|
MCP Server
|
T1555
|
Hunting
|
Suspicious MCP Activities
|
2026-02-25
|
|
MCP Prompt Injection
|
MCP Server
|
T1059
|
TTP
|
Suspicious MCP Activities
|
2026-02-25
|
|
MCP Sensitive System File Search
|
MCP Server
|
T1552.001
|
Hunting
|
Suspicious MCP Activities
|
2026-02-25
|
|
Monitor Email For Brand Abuse
|
|
|
TTP
|
Brand Monitoring, Scattered Lapsus$ Hunters, Suspicious Emails
|
2026-02-25
|
|
No Windows Updates in a time frame
|
|
|
Hunting
|
Monitor for Updates
|
2026-02-25
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta IDP Lifecycle Modifications
|
Okta
|
T1087.004
|
Anomaly
|
Suspicious Okta Activity
|
2026-02-25
|
|
Okta MFA Exhaustion Hunt
|
Okta
|
T1110
|
Hunting
|
Okta Account Takeover, Okta MFA Exhaustion, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
T1621
|
TTP
|
Okta Account Takeover, Okta MFA Exhaustion, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556.006
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta Multiple Accounts Locked Out
|
Okta
|
T1110
|
Anomaly
|
Okta Account Takeover
|
2026-02-25
|
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
T1621
|
Anomaly
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
T1110.003
|
Anomaly
|
Okta Account Takeover
|
2026-02-25
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta New Device Enrolled on Account
|
Okta
|
T1098.005
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-02-25
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2026-02-25
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-02-25
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-02-25
|
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
T1539
|
Anomaly
|
Okta Account Takeover, Scattered Lapsus$ Hunters, Suspicious Okta Activity
|
2026-02-25
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-02-25
|
|
Okta Unauthorized Access to Application
|
Okta
|
T1087.004
|
Anomaly
|
Okta Account Takeover
|
2026-02-25
|
|
Okta User Logins from Multiple Cities
|
Okta
|
T1586.003
|
Anomaly
|
Okta Account Takeover
|
2026-02-25
|
|
Ollama Abnormal Network Connectivity
|
Ollama Server
|
T1571
|
Anomaly
|
Suspicious Ollama Activities
|
2026-02-25
|
|
Ollama Possible API Endpoint Scan Reconnaissance
|
Ollama Server
|
T1595
|
Anomaly
|
Suspicious Ollama Activities
|
2026-02-25
|
|
Splunk AppDynamics Secure Application Alerts
|
Splunk AppDynamics Secure Application Alert
|
|
Anomaly
|
Critical Alerts
|
2026-02-25
|
|
Suspicious Java Classes
|
|
|
Anomaly
|
Apache Struts Vulnerability
|
2026-02-25
|
|
Zoom Rare Audio Devices
|
|
T1123
|
Hunting
|
Remote Employment Fraud
|
2026-02-25
|
|
Zoom Rare Input Devices
|
|
T1123
|
Hunting
|
Remote Employment Fraud
|
2026-02-25
|
|
Zoom Rare Video Devices
|
|
T1123
|
Hunting
|
Remote Employment Fraud
|
2026-02-25
|
|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Compromised User Account, Scattered Lapsus$ Hunters, Suspicious Cloud User Activities
|
2026-02-25
|
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-02-25
|
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2026-02-25
|
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-02-25
|
|
Amazon EKS Kubernetes cluster scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-02-25
|
|
Amazon EKS Kubernetes Pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-02-25
|
|
ASL AWS Concurrent Sessions From Different Ips
|
ASL AWS CloudTrail
|
T1185
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
ASL AWS Credential Access GetPasswordData
|
ASL AWS CloudTrail
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
ASL AWS Credential Access RDS Password reset
|
ASL AWS CloudTrail
|
T1110
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
ASL AWS Defense Evasion Delete Cloudtrail
|
ASL AWS CloudTrail
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
ASL AWS CloudTrail
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
ASL AWS Defense Evasion Impair Security Services
|
ASL AWS CloudTrail
|
T1562.008
|
Hunting
|
AWS Defense Evasion
|
2026-02-25
|
|
ASL AWS Defense Evasion PutBucketLifecycle
|
ASL AWS CloudTrail
|
T1485.001
T1562.008
|
Hunting
|
AWS Defense Evasion
|
2026-02-25
|
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
ASL AWS CloudTrail
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
ASL AWS Defense Evasion Update Cloudtrail
|
ASL AWS CloudTrail
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
ASL AWS Detect Users creating keys with encrypt policy without MFA
|
ASL AWS CloudTrail
|
T1486
|
TTP
|
Ransomware Cloud
|
2026-02-25
|
|
ASL AWS Disable Bucket Versioning
|
ASL AWS CloudTrail
|
T1490
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2026-02-25
|
|
ASL AWS EC2 Snapshot Shared Externally
|
ASL AWS CloudTrail
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-02-25
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-02-25
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-02-25
|
|
ASL AWS IAM AccessDenied Discovery Events
|
ASL AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-02-25
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
T1580
T1110
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
ASL AWS Network Access Control List Created with All Open Ports
|
ASL AWS CloudTrail
|
T1562.007
|
TTP
|
AWS Network ACL Activity
|
2026-02-25
|
|
ASL AWS Network Access Control List Deleted
|
ASL AWS CloudTrail
|
T1562.007
|
Anomaly
|
AWS Network ACL Activity, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-02-25
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS AMI Attribute Modification for Exfiltration
|
AWS CloudTrail ModifyImageAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-02-25
|
|
AWS Bedrock Delete GuardRails
|
AWS CloudTrail DeleteGuardrail
|
T1562.008
|
TTP
|
AWS Bedrock Security
|
2026-02-25
|
|
AWS Bedrock Delete Knowledge Base
|
AWS CloudTrail DeleteKnowledgeBase
|
T1485
|
TTP
|
AWS Bedrock Security
|
2026-02-25
|
|
AWS Bedrock Delete Model Invocation Logging Configuration
|
AWS CloudTrail DeleteModelInvocationLoggingConfiguration
|
T1562.008
|
TTP
|
AWS Bedrock Security
|
2026-02-25
|
|
AWS Bedrock High Number List Foundation Model Failures
|
AWS CloudTrail
|
T1580
|
TTP
|
AWS Bedrock Security
|
2026-02-25
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-02-25
|
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
T1185
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2026-02-25
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail ConsoleLogin
|
T1110.001
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
T1110
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteWebACL
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
T1485.001
T1562.008
|
Hunting
|
AWS Defense Evasion
|
2026-02-25
|
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
T1562.008
|
TTP
|
AWS Defense Evasion
|
2026-02-25
|
|
AWS Detect Users creating keys with encrypt policy without MFA
|
AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy
|
T1486
|
TTP
|
Ransomware Cloud
|
2026-02-25
|
|
AWS Detect Users with KMS keys performing encryption S3
|
AWS CloudTrail
|
T1486
|
Anomaly
|
Ransomware Cloud
|
2026-02-25
|
|
AWS Disable Bucket Versioning
|
AWS CloudTrail PutBucketVersioning
|
T1490
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2026-02-25
|
|
AWS EC2 Snapshot Shared Externally
|
AWS CloudTrail ModifySnapshotAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-02-25
|
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
TTP
|
Dev Sec Ops
|
2026-02-25
|
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-02-25
|
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-02-25
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-02-25
|
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-02-25
|
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
T1526
|
TTP
|
AWS User Monitoring
|
2026-02-25
|
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
T1119
|
Anomaly
|
Data Exfiltration
|
2026-02-25
|
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
T1119
|
TTP
|
Data Exfiltration
|
2026-02-25
|
|
AWS Exfiltration via Bucket Replication
|
AWS CloudTrail PutBucketReplication
|
T1537
|
TTP
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2026-02-25
|
|
AWS Exfiltration via DataSync Task
|
AWS CloudTrail CreateTask
|
T1119
|
TTP
|
Data Exfiltration, Hellcat Ransomware, Suspicious AWS S3 Activities
|
2026-02-25
|
|
AWS Exfiltration via EC2 Snapshot
|
AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail ModifySnapshotAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-02-25
|
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
T1201
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2026-02-25
|
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2026-02-25
|
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-02-25
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1580
T1110
|
TTP
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
T1204
|
Hunting
|
Suspicious Cloud User Activities
|
2026-02-25
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2026-02-25
|
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
T1562.007
|
TTP
|
AWS Network ACL Activity
|
2026-02-25
|
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
T1562.007
|
Anomaly
|
AWS Network ACL Activity
|
2026-02-25
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
AWS Password Policy Changes
|
AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy
|
T1201
|
Hunting
|
AWS IAM Privilege Escalation, Compromised User Account
|
2026-02-25
|
|
AWS S3 Exfiltration Behavior Identified
|
|
T1537
|
Correlation
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-02-25
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-02-25
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
T1586
T1535
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2026-02-25
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-02-25
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-02-25
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
T1110.003
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD AzureHound UserAgent Detected
|
Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs
|
T1087.004
T1526
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2026-02-25
|
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
T1185
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
T1528
T1566.002
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-02-25
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1556.006
T1586.003
|
TTP
|
Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2026-02-25
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-02-25
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-02-25
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-02-25
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
T1484.002
|
TTP
|
Azure Active Directory Persistence, Hellcat Ransomware, Scattered Lapsus$ Hunters, Storm-0501 Ransomware
|
2026-02-25
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556.006
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1003.002
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group, Scattered Lapsus$ Hunters, Storm-0501 Ransomware
|
2026-02-25
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2026-02-25
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
T1136.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-02-25
|
|
Azure AD Service Principal Enumeration
|
Azure Active Directory MicrosoftGraphActivityLogs
|
T1087.004
T1526
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2026-02-25
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
T1098.001
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
T1098
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-02-25
|
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
T1110.001
T1110.003
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2026-02-25
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-02-25
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user
|
T1098
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
| Detection | Data source | ATT&CK technique(s) | Type | Analytic story | Date |
| --- | --- | --- | --- | --- | --- |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | T1098 | TTP | Azure Active Directory Persistence, Hellcat Ransomware | 2026-02-25 |
| Azure Automation Account Created | Azure Audit Create or Update an Azure Automation account | T1136.003 | TTP | Azure Active Directory Persistence | 2026-02-25 |
| Azure Automation Runbook Created | Azure Audit Create or Update an Azure Automation Runbook | T1136.003 | TTP | Azure Active Directory Persistence | 2026-02-25 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | T1078.004 | TTP | Azure Active Directory Persistence | 2026-02-25 |
| Circle CI Disable Security Job | CircleCI | T1554 | Anomaly | Dev Sec Ops | 2026-02-25 |
| Circle CI Disable Security Step | CircleCI | T1554 | Anomaly | Dev Sec Ops | 2026-02-25 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud User Activities | 2026-02-25 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | T1078.004 | Anomaly | Cloud Cryptomining | 2026-02-25 |
| Cloud Compute Instance Created In Previously Unused Region | AWS CloudTrail | T1535 | Anomaly | Cloud Cryptomining | 2026-02-25 |
| Cloud Compute Instance Created With Previously Unseen Image | AWS CloudTrail | | Anomaly | Cloud Cryptomining | 2026-02-25 |
| Cloud Compute Instance Created With Previously Unseen Instance Type | AWS CloudTrail | | Anomaly | Cloud Cryptomining | 2026-02-25 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | T1078.004 | Anomaly | Suspicious Cloud Instance Activities | 2026-02-25 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-02-25 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-02-25 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-02-25 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-02-25 |
| Cloud Security Groups Modifications by User | AWS CloudTrail | T1578.005 | Anomaly | Suspicious Cloud User Activities | 2026-02-25 |
| Detect AWS Console Login by New User | AWS CloudTrail | T1552, T1586.003 | Hunting | AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities | 2026-02-25 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | T1535, T1586.003 | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2026-02-25 |
| Detect AWS Console Login by User from New Country | AWS CloudTrail | T1535, T1586.003 | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2026-02-25 |
| Detect AWS Console Login by User from New Region | AWS CloudTrail | T1535, T1586.003 | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2026-02-25 |
| Detect GCP Storage access from a new IP | | T1530 | Anomaly | Suspicious GCP Storage Activities | 2026-02-25 |
| Detect New Open GCP Storage Buckets | | T1530 | TTP | Suspicious GCP Storage Activities | 2026-02-25 |
| Detect New Open S3 buckets | AWS CloudTrail | T1530 | TTP | Suspicious AWS S3 Activities | 2026-02-25 |
| Detect New Open S3 Buckets over AWS CLI | AWS CloudTrail | T1530 | TTP | Suspicious AWS S3 Activities | 2026-02-25 |
| Detect S3 access from a new IP | | T1530 | Anomaly | Suspicious AWS S3 Activities | 2026-02-25 |
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | AWS Security Hub | | Anomaly | AWS Security Hub Alerts, Critical Alerts | 2026-02-25 |
| Detect Spike in AWS Security Hub Alerts for User | AWS Security Hub | | Anomaly | AWS Security Hub Alerts, Critical Alerts | 2026-02-25 |
| Detect Spike in blocked Outbound Traffic from your AWS | | | Anomaly | AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic | 2026-02-25 |
| Detect Spike in S3 Bucket deletion | AWS CloudTrail | T1530 | Anomaly | Suspicious AWS S3 Activities | 2026-02-25 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | T1078.004, T1586.003, T1621 | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-02-25 |
| GCP Detect gcploit framework | | T1078 | TTP | GCP Cross Account Activity | 2026-02-25 |
| GCP Kubernetes cluster pod scan detection | | T1526 | Hunting | Kubernetes Scanning Activity, Scattered Lapsus$ Hunters | 2026-02-25 |
| GCP Multi-Factor Authentication Disabled | Google Workspace | T1556.006, T1586.003 | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-02-25 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | T1078.004, T1586.003, T1621 | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-02-25 |
| GCP Multiple Users Failing To Authenticate From Ip | Google Workspace | T1110.003, T1110.004, T1586.003 | Anomaly | GCP Account Takeover | 2026-02-25 |
| GCP Successful Single-Factor Authentication | Google Workspace | T1078.004, T1586.003 | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-02-25 |
| GCP Unusual Number of Failed Authentications From Ip | Google Workspace | T1110.003, T1110.004, T1586.003 | Anomaly | GCP Account Takeover | 2026-02-25 |
| Gdrive suspicious file sharing | | T1566 | Hunting | Data Exfiltration, Scattered Lapsus$ Hunters, Spearphishing Attachments | 2026-02-25 |
| GitHub Enterprise Delete Branch Ruleset | GitHub Enterprise Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Enterprise Disable 2FA Requirement | GitHub Enterprise Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Enterprise Disable Audit Log Event Stream | GitHub Enterprise Audit Logs | T1562.008, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Enterprise Disable Classic Branch Protection Rule | GitHub Enterprise Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Enterprise Disable Dependabot | GitHub Enterprise Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Enterprise Disable IP Allow List | GitHub Enterprise Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Enterprise Modify Audit Log Event Stream | GitHub Enterprise Audit Logs | T1562.008, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Enterprise Pause Audit Log Event Stream | GitHub Enterprise Audit Logs | T1562.008, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Enterprise Register Self Hosted Runner | GitHub Enterprise Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Enterprise Remove Organization | GitHub Enterprise Audit Logs | T1485, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Enterprise Repository Archived | GitHub Enterprise Audit Logs | T1485, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Enterprise Repository Deleted | GitHub Enterprise Audit Logs | T1485, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Organizations Delete Branch Ruleset | GitHub Organizations Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Organizations Disable 2FA Requirement | GitHub Organizations Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Organizations Disable Classic Branch Protection Rule | GitHub Organizations Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Organizations Disable Dependabot | GitHub Organizations Audit Logs | T1562.001, T1195 | Anomaly | GitHub Malicious Activity | 2026-02-25 |
| GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | T1485, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GitHub Organizations Repository Deleted | GitHub Organizations Audit Logs | T1485, T1195 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-02-25 |
| GSuite Email Suspicious Attachment | G Suite Gmail | T1566.001 | Anomaly | Dev Sec Ops | 2026-02-25 |
| Gsuite Email Suspicious Subject With Attachment | G Suite Gmail | T1566.001 | Anomaly | Dev Sec Ops | 2026-02-25 |
| Gsuite Email With Known Abuse Web Service Link | G Suite Gmail | T1566.001 | Anomaly | Dev Sec Ops | 2026-02-25 |
| Gsuite Outbound Email With Attachment To External Domain | G Suite Gmail | T1048.003 | Hunting | Dev Sec Ops, Insider Threat | 2026-02-25 |
| Gsuite suspicious calendar invite | | T1566 | Hunting | Spearphishing Attachments | 2026-02-25 |
| Gsuite Suspicious Shared File Name | G Suite Drive | T1566.001 | Anomaly | Dev Sec Ops | 2026-02-25 |
| High Number of Login Failures from a single source | O365 UserLoginFailed | T1110.001 | Anomaly | Office 365 Account Takeover | 2026-02-25 |
| Kubernetes Abuse of Secret by Unusual Location | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Abuse of Secret by Unusual User Agent | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Abuse of Secret by Unusual User Group | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Abuse of Secret by Unusual User Name | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Access Scanning | Kubernetes Audit | T1046 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes AWS detect suspicious kubectl calls | Kubernetes Audit | | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Cron Job Creation | Kubernetes Audit | T1053.007 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes DaemonSet Deployed | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Falco Shell Spawned | Kubernetes Falco | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes newly seen TCP edge | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes newly seen UDP edge | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes Node Port Creation | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Pod Created in Default Namespace | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Pod With Host Network Attachment | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Previously Unseen Container Image Name | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes Previously Unseen Process | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes Process Running From New Path | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes Scanner Image Pulling | | T1526 | TTP | Dev Sec Ops | 2026-02-25 |
| Kubernetes Scanning by Unauthenticated IP Address | Kubernetes Audit | T1046 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Shell Running on Worker Node | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes Shell Running on Worker Node with CPU Activity | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-02-25 |
| Kubernetes Suspicious Image Pulling | Kubernetes Audit | T1526 | Anomaly | Kubernetes Security | 2026-02-25 |
| Kubernetes Unauthorized Access | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-02-25 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | T1072, T1021.007, T1202, T1105 | Hunting | Azure Active Directory Account Takeover | 2026-02-25 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | T1072, T1484, T1021.007, T1562.001, T1562.004 | Hunting | Azure Active Directory Account Takeover | 2026-02-25 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-02-25 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | T1072, T1021.007, T1202, T1105 | Hunting | Azure Active Directory Account Takeover | 2026-02-25 |
| O365 Add App Role Assignment Grant User | O365 Add app role assignment grant to user. | T1136.003 | TTP | Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 Added Service Principal | O365 | T1136.003 | TTP | Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 ApplicationImpersonation Role Assigned | O365 | T1098.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 BEC Email Hiding Rule Created | | T1564.008 | TTP | Office 365 Account Takeover | 2026-02-25 |
| O365 Compliance Content Search Exported | | T1114.002 | TTP | Office 365 Collection Techniques | 2026-02-25 |
| O365 Compliance Content Search Started | | T1114.002 | TTP | Office 365 Collection Techniques | 2026-02-25 |
| O365 Concurrent Sessions From Different Ips | O365 UserLoggedIn | T1185 | TTP | Office 365 Account Takeover, Scattered Lapsus$ Hunters | 2026-02-25 |
| O365 Disable MFA | O365 Disable Strong Authentication. | T1556 | TTP | Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 Elevated Mailbox Permission Assigned | O365 Add-MailboxPermission | T1098.002 | TTP | Office 365 Collection Techniques | 2026-02-25 |
| O365 Email Access By Security Administrator | Office 365 Universal Audit Log | T1114.002, T1567 | TTP | Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover | 2026-02-25 |
| O365 Email Hard Delete Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Suspicious Emails | 2026-02-25 |
| O365 Email New Inbox Rule Created | Office 365 Universal Audit Log | T1114.003, T1564.008 | Anomaly | Office 365 Collection Techniques | 2026-02-25 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1485, T1114.001 | TTP | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-02-25 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1485, T1114.001 | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-02-25 |
| O365 Email Reported By Admin Found Malicious | Office 365 Universal Audit Log | T1566.001, T1566.002 | TTP | Spearphishing Attachments, Suspicious Emails | 2026-02-25 |
| O365 Email Reported By User Found Malicious | Office 365 Universal Audit Log | T1566.001, T1566.002 | TTP | Spearphishing Attachments, Suspicious Emails | 2026-02-25 |
| O365 Email Security Feature Changed | Office 365 Universal Audit Log | T1562.001, T1562.008 | TTP | Office 365 Account Takeover, Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1114.001, T1070.008, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-02-25 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | T1114.001, T1070.008, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-02-25 |
| O365 Email Send Attachments Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Office 365 Account Takeover, Suspicious Emails | 2026-02-25 |
| O365 Email Suspicious Behavior Alert | Office 365 Universal Audit Log | T1114.003 | TTP | Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-02-25 |
| O365 Email Transport Rule Changed | Office 365 Universal Audit Log | T1114.003, T1564.008 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-02-25 |
| O365 Excessive Authentication Failures Alert | | T1110 | Anomaly | Office 365 Account Takeover | 2026-02-25 |
| O365 Excessive SSO logon errors | O365 UserLoginFailed | T1556 | Anomaly | Cloud Federated Credential Abuse, Office 365 Account Takeover | 2026-02-25 |
| O365 Exfiltration via File Access | Office 365 Universal Audit Log | T1567, T1530 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-02-25 |
| O365 Exfiltration via File Download | Office 365 Universal Audit Log | T1567, T1530 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-02-25 |
| O365 Exfiltration via File Sync Download | Office 365 Universal Audit Log | T1567, T1530 | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-02-25 |
| O365 High Number Of Failed Authentications for User | O365 UserLoginFailed | T1110.001 | TTP | Office 365 Account Takeover | 2026-02-25 |
| O365 Mailbox Folder Read Permission Granted | O365 ModifyFolderPermissions | T1098.002 | TTP | Office 365 Collection Techniques | 2026-02-25 |
| O365 Multi-Source Failed Authentications Spike | O365 UserLoginFailed | T1110.003, T1110.004, T1586.003 | Hunting | NOBELIUM Group, Office 365 Account Takeover | 2026-02-25 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | T1078 | Anomaly | Office 365 Account Takeover | 2026-02-25 |
| O365 Multiple Failed MFA Requests For User | O365 UserLoginFailed | T1621 | TTP | Office 365 Account Takeover, Scattered Lapsus$ Hunters | 2026-02-25 |
| O365 Multiple Mailboxes Accessed via API | O365 MailItemsAccessed | T1114.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2026-02-25 |
| O365 Multiple OS Vendors Authenticating From User | Office 365 Universal Audit Log | T1110 | TTP | Office 365 Account Takeover | 2026-02-25 |
| O365 Multiple Users Failing To Authenticate From Ip | O365 UserLoginFailed | T1110.003, T1110.004, T1586.003 | TTP | NOBELIUM Group, Office 365 Account Takeover | 2026-02-25 |
| O365 New Federated Domain Added | O365 | T1136.003 | TTP | Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 OAuth App Mailbox Access via EWS | O365 MailItemsAccessed | T1114.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2026-02-25 |
| O365 OAuth App Mailbox Access via Graph API | O365 MailItemsAccessed | T1114.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2026-02-25 |
| O365 PST export alert | O365 | T1114 | TTP | Data Exfiltration, Office 365 Collection Techniques | 2026-02-25 |
| O365 Safe Links Detection | Office 365 Universal Audit Log | T1566.001 | TTP | Office 365 Account Takeover, Spearphishing Attachments | 2026-02-25 |
| O365 Security And Compliance Alert Triggered | | T1078.004 | TTP | Office 365 Account Takeover | 2026-02-25 |
| O365 Service Principal New Client Credentials | O365 | T1098.001 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2026-02-25 |
| O365 Service Principal Privilege Escalation | O365 Add app role assignment grant to user. | T1098.003 | TTP | Azure Active Directory Privilege Escalation, Office 365 Account Takeover | 2026-02-25 |
| O365 SharePoint Malware Detection | Office 365 Universal Audit Log | T1204.002 | TTP | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud | 2026-02-25 |
| O365 Threat Intelligence Suspicious Email Delivered | Office 365 Universal Audit Log | T1566.001, T1566.002 | Anomaly | Spearphishing Attachments, Suspicious Emails | 2026-02-25 |
| O365 Threat Intelligence Suspicious File Detected | Office 365 Universal Audit Log | T1204.002 | TTP | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud | 2026-02-25 |
| O365 User Consent Denied for OAuth Application | O365 | T1528 | TTP | Office 365 Account Takeover | 2026-02-25 |
| O365 ZAP Activity Detection | Office 365 Universal Audit Log | T1566.001, T1566.002 | Anomaly | Spearphishing Attachments, Suspicious Emails | 2026-02-25 |
| Risk Rule for Dev Sec Ops by Repository | | T1204.003 | Correlation | Dev Sec Ops | 2026-02-25 |
| Access LSASS Memory for Dump Creation | Sysmon EventID 10 | T1003.001 | TTP | CISA AA23-347A, Cactus Ransomware, Credential Dumping, Lokibot, Scattered Lapsus$ Hunters | 2026-02-25 |
| Active Directory Lateral Movement Identified | | T1210 | Correlation | Active Directory Lateral Movement | 2026-02-25 |
| Active Directory Privilege Escalation Identified | | T1484 | Correlation | Active Directory Privilege Escalation | 2026-02-25 |
| Add or Set Windows Defender Exclusion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | TTP | AgentTesla, CISA AA22-320A, Compromised Windows Host, Crypto Stealer, Data Destruction, NetSupport RMM Tool Abuse, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics, XWorm | 2026-02-25 |
| AdsiSearcher Account Discovery | Powershell Script Block Logging 4104 | T1087.002 | TTP | Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2, Scattered Lapsus$ Hunters | 2026-02-25 |
| Allow File And Printing Sharing In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.007 | TTP | BlackByte Ransomware, Hellcat Ransomware, Ransomware | 2026-02-25 |
| Allow Inbound Traffic In Firewall Rule | Powershell Script Block Logging 4104 | T1021.001 | TTP | NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch | 2026-02-25 |
| Allow Network Discovery In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.007 | TTP | BlackByte Ransomware, Hellcat Ransomware, Medusa Ransomware, NjRAT, Ransomware, Revil Ransomware | 2026-02-25 |
| Anomalous usage of 7zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Anomaly | BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group | 2026-02-25 |
| Attacker Tools On Endpoint | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003, T1036.005, T1595 | TTP | CISA AA22-264A, Cisco Network Visibility Module Analytics, Compromised Windows Host, PHP-CGI RCE Attack on Japanese Organizations, SamSam Ransomware, Scattered Spider, Unusual Processes, XMRig | 2026-02-25 |
| Attempt To Add Certificate To Untrusted Store | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1553.004 | Anomaly | Disabling Security Tools | 2026-02-25 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Black Basta Ransomware, BlackMatter Ransomware | 2026-02-25 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Compromised Windows Host, Ransomware, Ryuk Ransomware, Storm-2460 CLFS Zero Day Exploitation | 2026-02-25 |
| BITS Job Persistence | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1197 | TTP | BITS Jobs, Living Off The Land | 2026-02-25 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1197, T1105 | TTP | APT37 Rustonotto and FadeStealer, BITS Jobs, DarkSide Ransomware, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Hellcat Ransomware, Ingress Tool Transfer, Living Off The Land, Scattered Spider | 2026-02-25 |
| Certutil exe certificate extraction | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | | TTP | Cloud Federated Credential Abuse, Compromised Windows Host, Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services, Windows Persistence Techniques | 2026-02-25 |
| CertUtil With Decode Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1140 | TTP | APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Living Off The Land, Storm-2460 CLFS Zero Day Exploitation | 2026-02-25 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Black Basta Ransomware, BlackMatter Ransomware | 2026-02-25 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1 | T1059 | Anomaly | Azorult, Crypto Stealer, Forest Blizzard, IcedID, Interlock Rat, Quasar RAT | 2026-02-25 |
| Check Elevated CMD using whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | TTP | FIN7 | 2026-02-25 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2026-02-25 |
| Cisco Isovalent - Access To Cloud Metadata Service | Cisco Isovalent Process Connect | T1552.005 | Anomaly | Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware | 2026-02-25 |
| Cisco Isovalent - Cron Job Creation | Cisco Isovalent Process Exec | T1053.003, T1053.007 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-02-25 |
| Cisco Isovalent - Curl Execution With Insecure Flags | Cisco Isovalent Process Exec | T1105 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-02-25 |
| Cisco Isovalent - Kprobe Spike | Cisco Isovalent Process Kprobe | T1068 | Hunting | Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware | 2026-02-25 |
| Cisco Isovalent - Late Process Execution | Cisco Isovalent Process Exec | T1543 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-02-25 |
| Cisco Isovalent - Non Allowlisted Image Use | Cisco Isovalent Process Exec | T1204.003 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-02-25 |
| Cisco Isovalent - Nsenter Usage in Kubernetes Pod | Cisco Isovalent Process Exec | T1543 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-02-25 |
| Cisco Isovalent - Pods Running Offensive Tools | Cisco Isovalent Process Exec | T1204.003 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-02-25 |
| Cisco Isovalent - Potential Escape to Host | Cisco Isovalent Process Exec | T1611 | Anomaly | Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware | 2026-02-25 |
| Cisco NVM - Curl Execution With Insecure Flags | Cisco Network Visibility Module Flow Data | T1197 | Anomaly | Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, PromptLock | 2026-02-25 |
| Cisco NVM - Installation of Typosquatted Python Package | Cisco Network Visibility Module Flow Data | T1059 | TTP | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | Cisco Network Visibility Module Flow Data | T1218.005, T1059.005 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Non-Network Binary Making Network Connection | Cisco Network Visibility Module Flow Data | T1055, T1036 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Outbound Connection to Suspicious Port | Cisco Network Visibility Module Flow Data | T1571 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Rclone Execution With Network Activity | Cisco Network Visibility Module Flow Data | T1567.002 | Anomaly | Cisco Network Visibility Module Analytics, Scattered Lapsus$ Hunters | 2026-02-25 |
| Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download | Cisco Network Visibility Module Flow Data | T1218.005 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Susp Script From Archive Triggering Network Activity | Cisco Network Visibility Module Flow Data | T1059.005, T1204.002 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Suspicious Download From File Sharing Website | Cisco Network Visibility Module Flow Data | T1197 | Anomaly | APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Suspicious File Download via Headless Browser | Cisco Network Visibility Module Flow Data | T1105, T1059 | TTP | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Suspicious Network Connection From Process With No Args | Cisco Network Visibility Module Flow Data | T1055, T1218 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Suspicious Network Connection Initiated via MsXsl | Cisco Network Visibility Module Flow Data | T1220 | Anomaly | Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Suspicious Network Connection to IP Lookup Service API | Cisco Network Visibility Module Flow Data | T1590.005, T1016 | Anomaly | Castle RAT, Cisco Network Visibility Module Analytics | 2026-02-25 |
| Cisco NVM - Webserver Download From File Sharing Website | Cisco Network Visibility Module Flow Data | T1105, T1190 | TTP | Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor | 2026-02-25 |
| Clear Unallocated Sector Using Cipher App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004 | TTP | Compromised Windows Host, Ransomware, Scattered Spider | 2026-02-25 |
| Clop Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204 | TTP | Clop Ransomware, Compromised Windows Host | 2026-02-25 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | T1543 | TTP | Clop Ransomware, Compromised Windows Host | 2026-02-25 |
| CMD Carry Out String Command Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003 | Hunting | 0bj3ctivity Stealer, AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Interlock Rat, Living Off The Land, Log4Shell CVE-2021-44228, Malicious Inno Setup Loader, NjRAT, PlugX, ProxyNotShell, Qakbot, Quasar RAT, RedLine Stealer, Rhysida Ransomware, StealC Stealer, Warzone RAT, WhisperGate, Winter Vivern | 2026-02-25 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003, T1543.003 | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack | 2026-02-25 |
| Common Ransomware Extensions | Sysmon EventID 11 | T1485 | TTP | Black Basta Ransomware, Clop Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware, Termite Ransomware | 2026-02-25 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204 | TTP | Compromised Windows Host, Hellcat Ransomware, Ransomware | 2026-02-25 |
| Create or delete windows shares using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.005 | TTP | CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Create Remote Thread into LSASS | Sysmon EventID 8 | T1003.001 | TTP | BlackSuit Ransomware, Credential Dumping, Lokibot | 2026-02-25 |
| Creation of lsass Dump with Taskmgr | Sysmon EventID 11 | T1003.001 | TTP | CISA AA22-257A, Cactus Ransomware, Credential Dumping, Scattered Lapsus$ Hunters, Seashell Blizzard | 2026-02-25 |
| Creation of Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Compromised Windows Host, Credential Dumping, Volt Typhoon | 2026-02-25 |
| Creation of Shadow Copy with wmic and powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon | 2026-02-25 |
| Credential Dumping via Symlink to Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Compromised Windows Host, Credential Dumping | 2026-02-25 |
| Crowdstrike Admin Weak Password Policy | | T1110 | TTP | Compromised Windows Host | 2026-02-25 |
| Crowdstrike Admin With Duplicate Password | | T1110 | TTP | Compromised Windows Host | 2026-02-25 |
| CrowdStrike Falcon Stream Alerts | CrowdStrike Falcon Stream Alert | | Anomaly | Critical Alerts | 2026-02-25 |
| Crowdstrike High Identity Risk Severity | | T1110 | TTP | Compromised Windows Host | 2026-02-25 |
| Crowdstrike Medium Identity Risk Severity | | T1110 | TTP | Compromised Windows Host | 2026-02-25 |
| Crowdstrike Medium Severity Alert | | T1110 | Anomaly | Compromised Windows Host | 2026-02-25 |
| Crowdstrike Multiple LOW Severity Alerts | | T1110 | Anomaly | Compromised Windows Host | 2026-02-25 |
| Crowdstrike Privilege Escalation For Non-Admin User | | T1110 | Anomaly | Compromised Windows Host | 2026-02-25 |
| Crowdstrike User Weak Password Policy | | T1110 | Anomaly | Compromised Windows Host | 2026-02-25 |
| Crowdstrike User with Duplicate Password | | T1110 | Anomaly | Compromised Windows Host | 2026-02-25 |
| CSC Net On The Fly Compilation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1027.004 | Hunting | Windows Defense Evasion Tactics | 2026-02-25 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | T1490 | TTP | Cactus Ransomware, DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware, VanHelsing Ransomware | 2026-02-25 |
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Black Basta Ransomware, CISA AA22-264A, Cactus Ransomware, Chaos Ransomware, Clop Ransomware, Compromised Windows Host, DarkGate Malware, LockBit Ransomware, Medusa Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Storm-2460 CLFS Zero Day Exploitation, Termite Ransomware, VanHelsing Ransomware, Windows Log Manipulation | 2026-02-25 |
| Detect AzureHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Compromised Windows Host, Windows Discovery Techniques | 2026-02-25 |
| Detect AzureHound File Modifications | Sysmon EventID 11 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Windows Discovery Techniques | 2026-02-25 |
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-02-25
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
T1105
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services
|
2026-02-25
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2026-02-25
|
|
Detect Certipy File Modifications
|
Sysmon EventID 11
|
T1649
T1560
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services
|
2026-02-25
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4624, Windows Event Log Security 4742
|
T1210
|
Hunting
|
Detect Zerologon Attack
|
2026-02-25
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack, Lokibot, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Data Destruction, Hellcat Ransomware, Hermetic Wiper, Malicious PowerShell
|
2026-02-25
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-02-25
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
Hunting
|
APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious Compiled HTML Activity
|
2026-02-25
|
|
Detect HTML Help URL in Command Line
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2026-02-25
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
APT37 Rustonotto and FadeStealer, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity
|
2026-02-25
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hellcat Ransomware, Hermetic Wiper, Malicious PowerShell, Sandworm Tools, Scattered Spider
|
2026-02-25
|
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
Hunting
|
APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity
|
2026-02-25
|
|
Detect MSHTA Url in Command Line
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Lumma Stealer, NetSupport RMM Tool Abuse, Suspicious MSHTA Activity, XWorm
|
2026-02-25
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
T1136.001
|
TTP
|
CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account
|
2026-02-25
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account, Crypto Stealer
|
2026-02-25
|
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2026-02-25
|
|
Detect PsExec With accepteula Flag
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
|
TTP
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, Cactus Ransomware, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Medusa Ransomware, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Seashell Blizzard, Storm-0501 Ransomware, VanHelsing Ransomware, Volt Typhoon
|
2026-02-25
|
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity
|
2026-02-25
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Handala Wiper, Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-02-25
|
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-02-25
|
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, PHP-CGI RCE Attack on Japanese Organizations, Suspicious Regsvr32 Activity
|
2026-02-25
|
|
Detect Remote Access Software Usage FileInfo
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Cactus Ransomware, Command And Control, Gozi Malware, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard
|
2026-02-25
|
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1219
|
Anomaly
|
CISA AA24-241A, Cactus Ransomware, Command And Control, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard, Storm-0501 Ransomware
|
2026-02-25
|
|
Detect Renamed 7-Zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Hunting
|
Collection and Staging, Malicious Inno Setup Loader
|
2026-02-25
|
|
Detect Renamed PSExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, Cactus Ransomware, China-Nexus Threat Activity, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Medusa Ransomware, Rhysida Ransomware, Salt Typhoon, SamSam Ransomware, Sandworm Tools, VanHelsing Ransomware
|
2026-02-25
|
|
Detect Renamed RClone
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1020
|
Hunting
|
Black Basta Ransomware, Cactus Ransomware, DarkSide Ransomware, Ransomware
|
2026-02-25
|
|
Detect Renamed WinRAR
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Hunting
|
CISA AA22-277A, China-Nexus Threat Activity, Collection and Staging, Salt Typhoon
|
2026-02-25
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-02-25
|
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity
|
2026-02-25
|
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2026-02-25
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2026-02-25
|
|
Detect SharpHound Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2026-02-25
|
|
Detect suspicious processnames using pretrained model in DSDL
|
Sysmon EventID 1
|
T1059
|
Anomaly
|
Suspicious Command-Line Executions
|
2026-02-25
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
TTP
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2026-02-25
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Hellcat Ransomware, Suspicious WMI Use
|
2026-02-25
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-02-25
|
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.001
|
TTP
|
CISA AA23-347A, Ransomware, Rhysida Ransomware
|
2026-02-25
|
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
TTP
|
IcedID, Living Off The Land
|
2026-02-25
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Interlock Ransomware
|
2026-02-25
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware
|
2026-02-25
|
|
Disabling Firewall with Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2026-02-25
|
|
DNS Exfiltration Using Nslookup App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048
|
TTP
|
Command And Control, Compromised Windows Host, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2026-02-25
|
|
Domain Account Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-02-25
|
|
Domain Controller Discovery with Nltest
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Medusa Ransomware, NetSupport RMM Tool Abuse, Rhysida Ransomware
|
2026-02-25
|
|
Domain Controller Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Domain Group Discovery With Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-02-25
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
T1105
|
TTP
|
0bj3ctivity Stealer, Crypto Stealer, Phemedrone Stealer, Snake Keylogger, Water Gamayun, XMRig
|
2026-02-25
|
|
DSQuery Domain Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery
|
2026-02-25
|
|
Dump LSASS via comsvcs DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Hellcat Ransomware, Industroyer2, Living Off The Land, Prestige Ransomware, Scattered Lapsus$ Hunters, Suspicious Rundll32 Activity, Volt Typhoon
|
2026-02-25
|
|
Dump LSASS via procdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group, Seashell Blizzard, Storm-2460 CLFS Zero Day Exploitation
|
2026-02-25
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
Excessive Attempt To Disable Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Anomaly
|
Azorult, XMRig
|
2026-02-25
|
|
Excessive number of service control start as disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-02-25
|
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2026-02-25
|
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Azorult, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Prestige Ransomware, Windows Post-Exploitation, XMRig
|
2026-02-25
|
|
Excessive Usage of NSLOOKUP App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048
|
Anomaly
|
Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2026-02-25
|
|
Excessive Usage Of SC Service Utility
|
Sysmon EventID 1
|
T1569.002
|
Anomaly
|
Azorult, Crypto Stealer, Ransomware
|
2026-02-25
|
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
Anomaly
|
AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, Crypto Stealer, NjRAT, XMRig
|
2026-02-25
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1190
T1133
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell, Seashell Blizzard
|
2026-02-25
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell, Scattered Spider
|
2026-02-25
|
|
Execute Javascript With Jscript COM CLSID
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.005
|
TTP
|
Ransomware
|
2026-02-25
|
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
TTP
|
AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse
|
2026-02-25
|
|
Firewall Allowed Program Enable
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.004
|
Anomaly
|
Azorult, BlackByte Ransomware, Medusa Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics
|
2026-02-25
|
|
First Time Seen Child Process of Zoom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
Anomaly
|
Suspicious Zoom Child Processes
|
2026-02-25
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569.002
|
Anomaly
|
NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse
|
2026-02-25
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
T1548.002
|
TTP
|
Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics
|
2026-02-25
|
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
TTP
|
LockBit Ransomware, Ransomware
|
2026-02-25
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
Get ADUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2026-02-25
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2026-02-25
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-02-25
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-02-25
|
|
Get DomainPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Get-DomainTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Get DomainUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-02-25
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-02-25
|
|
Get-ForestTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
T1059.001
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Get WMIObject Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetAdComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-02-25
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
Hunting
|
Active Directory Discovery, CISA AA22-320A, Gozi Malware, Medusa Ransomware
|
2026-02-25
|
|
GetAdGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
GetCurrent User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetDomainComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
GetDomainController with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
GetDomainGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
GetLocalUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2026-02-25
|
|
GetNetTcpconnection with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-02-25
|
|
GetWmiObject User Account with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Active Directory Discovery, Water Gamayun, Winter Vivern
|
2026-02-25
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2026-02-25
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-02-25
|
|
Headless Browser Mockbin or Mocky Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.003
|
TTP
|
Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor
|
2026-02-25
|
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
Azorult, Compromised Windows Host, Crypto Stealer, Malicious Inno Setup Loader, Windows Defense Evasion Tactics, Windows Persistence Techniques
|
2026-02-25
|
|
High Process Termination Frequency
|
Sysmon EventID 5
|
T1486
|
Anomaly
|
BlackByte Ransomware, Clop Ransomware, Crypto Stealer, Hellcat Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Snake Keylogger, Termite Ransomware
|
2026-02-25
|
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1195.002
|
Hunting
|
3CX Supply Chain Attack
|
2026-02-25
|
|
Icacls Deny Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Azorult, Compromised Windows Host, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools, XMRig
|
2026-02-25
|
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse, Ransomware, XMRig
|
2026-02-25
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-02-25
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
|
T1190
T1133
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2026-02-25
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
TTP
|
FIN7, Remcos
|
2026-02-25
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-02-25
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks
|
2026-02-25
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
T1558.001
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
T1589.002
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-02-25
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Hellcat Ransomware
|
2026-02-25
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2026-02-25
|
|
Linux Add User Account
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1136.001
|
Hunting
|
Cisco Isovalent Suspicious Activity, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Cisco Isovalent Suspicious Activity, Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
T1136.001
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
T1136.001
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Auditd Auditd Daemon Abort
|
Linux Auditd Daemon Abort
|
T1562.012
|
Anomaly
|
Compromised Linux Host
|
2026-02-25
|
|
Linux Auditd Auditd Daemon Shutdown
|
Linux Auditd Daemon End
|
T1562.012
|
Anomaly
|
Compromised Linux Host
|
2026-02-25
|
|
Linux Auditd Auditd Daemon Start
|
Linux Auditd Daemon Start
|
T1562.012
|
Anomaly
|
Compromised Linux Host
|
2026-02-25
|
|
Linux Auditd Auditd Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
T1140
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Clipboard Data Copy
|
Linux Auditd Execve
|
T1115
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land
|
2026-02-25
|
|
Linux Auditd Data Destruction Command
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction
|
2026-02-25
|
|
Linux Auditd Data Transfer Size Limits Via Split
|
Linux Auditd Execve
|
T1030
|
Anomaly
|
Compromised Linux Host, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Data Transfer Size Limits Via Split Syscall
|
Linux Auditd Syscall
|
T1030
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Dd File Overwrite
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
Compromised Linux Host, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
T1562.004
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
T1548.003
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, XorDDos
|
2026-02-25
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
T1222.002
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Compromised Linux Host, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Compromised Linux Host, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
T1200
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Linux Auditd Hidden Files And Directories Creation
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos
|
2026-02-25
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2026-02-25
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
T1082
T1014
|
Anomaly
|
Compromised Linux Host, Linux Rootkit, XorDDos
|
2026-02-25
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux Auditd Osquery Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
T1003.008
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
T1574.006
|
TTP
|
China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux Auditd Private Keys and Certificate Enumeration
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
T1569.002
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
T1548.001
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
T1548.001
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Shred Overwrite Command
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Stop Services
|
Linux Auditd Service Stop
|
T1489
|
Hunting
|
AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Sysmon Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
T1016
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
T1547.006
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
T1033
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
T1222.002
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
T1115
|
Anomaly
|
Linux Living Off The Land
|
2026-02-25
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
T1548.001
|
Hunting
|
China-Nexus Threat Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Curl Upload File
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise
|
2026-02-25
|
|
Linux Data Destruction Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction
|
2026-02-25
|
|
Linux DD File Overwrite
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Decode Base64 to Shell
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1027
T1059.004
|
TTP
|
Cisco Isovalent Suspicious Activity, Linux Living Off The Land
|
2026-02-25
|
|
Linux Deleting Critical Directory Using RM Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidPour, AcidRain, Data Destruction
|
2026-02-25
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, AcidRain, Data Destruction
|
2026-02-25
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, AcidRain, AwfulShred, Data Destruction
|
2026-02-25
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidPour, AcidRain
|
2026-02-25
|
|
Linux Disable Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Docker Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2026-02-25
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
|
Anomaly
|
Backdoor Pingpong, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2026-02-25
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Gdrive Binary Activity
|
Sysmon for Linux EventID 1
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-02-25
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
T1200
|
Anomaly
|
AwfulShred, Data Destruction, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Data Destruction
|
2026-02-25
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
T1562.001
|
Hunting
|
AwfulShred, Data Destruction, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
T1070
|
TTP
|
AwfulShred, Data Destruction
|
2026-02-25
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
T1070.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-02-25
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
T1105
|
Hunting
|
Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise, XorDDos
|
2026-02-25
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
T1105
|
Anomaly
|
Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise, XorDDos
|
2026-02-25
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos
|
2026-02-25
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
T1562.004
|
Anomaly
|
Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools
|
2026-02-25
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1082
T1014
|
Anomaly
|
Linux Rootkit, XorDDos
|
2026-02-25
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
T1036.004
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2026-02-25
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Medusa Rootkit
|
Sysmon for Linux EventID 11
|
T1014
T1589.001
|
TTP
|
China-Nexus Threat Activity, Hellcat Ransomware, Medusa Rootkit, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
T1572
T1090
T1102
|
Anomaly
|
Reverse Network Proxy
|
2026-02-25
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
T1027
|
Anomaly
|
Linux Living Off The Land
|
2026-02-25
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
T1548
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1068
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
T1003.008
|
Anomaly
|
China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, XorDDos
|
2026-02-25
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2026-02-25
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2026-02-25
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
|
Anomaly
|
Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
|
TTP
|
China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
T1090
T1095
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land
|
2026-02-25
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
China-Nexus Threat Activity, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-02-25
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Shred Overwrite Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-25
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
T1021.004
|
TTP
|
Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
T1562.004
|
Anomaly
|
Cyclops Blink, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Stop Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2026-02-25
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2026-02-25
|
|
Linux System Network Discovery
|
Sysmon for Linux EventID 1
|
T1016
|
Anomaly
|
Data Destruction, Industroyer2, Network Discovery, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Linux System Reboot Via System Request Key
|
Sysmon for Linux EventID 1
|
T1529
|
TTP
|
AwfulShred, Data Destruction
|
2026-02-25
|
|
Linux Telnet Authentication Bypass
|
Sysmon for Linux EventID 1
|
T1548
|
TTP
|
Telnetd CVE-2026-24061
|
2026-02-25
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
T1059.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-02-25
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-02-25
|
|
Living Off The Land Detection
|
|
T1105
T1190
T1059
T1133
|
Correlation
|
Hellcat Ransomware, Living Off The Land
|
2026-02-25
|
|
Local Account Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1105
T1190
T1059
T1133
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-02-25
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1567
T1218
|
TTP
|
APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Living Off The Land, Malicious Inno Setup Loader, NetSupport RMM Tool Abuse, Water Gamayun
|
2026-02-25
|
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
|
TTP
|
ColdRoot MacOS RAT
|
2026-02-25
|
|
MacOS AMOS Stealer - Virtual Machine Check Activity
|
osquery
|
T1059.002
|
Anomaly
|
AMOS Stealer, Hellcat Ransomware
|
2026-02-25
|
|
MacOS LOLbin
|
osquery
|
T1059.004
|
TTP
|
Hellcat Ransomware, Living Off The Land
|
2026-02-25
|
|
MacOS plutil
|
osquery
|
T1647
|
TTP
|
Living Off The Land
|
2026-02-25
|
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
T1114.001
|
TTP
|
Data Exfiltration
|
2026-02-25
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware
|
2026-02-25
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Anomaly
|
0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, AsyncRAT, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Salt Typhoon, Volt Typhoon, XWorm
|
2026-02-25
|
|
Microsoft Defender ATP Alerts
|
MS Defender ATP Alerts
|
|
TTP
|
Critical Alerts
|
2026-02-25
|
|
Microsoft Defender Incident Alerts
|
MS365 Defender Incident Alerts
|
|
TTP
|
Critical Alerts
|
2026-02-25
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
T1218.014
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Water Gamayun, XML Runner Loader
|
2026-02-25
|
|
Modify ACL permission To Files Or Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig
|
2026-02-25
|
|
MOVEit Certificate Store Access Failure
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2026-02-25
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
T1190
|
Hunting
|
Hellcat Ransomware, MOVEit Transfer Authentication Bypass
|
2026-02-25
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-02-25
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, IcedID, Living Off The Land, Trickbot
|
2026-02-25
|
|
Network Connection Discovery With Arp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery, IcedID, Interlock Ransomware, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2026-02-25
|
|
Network Connection Discovery With Netstat
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, Medusa Ransomware, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2026-02-25
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
Hunting
|
Windows Discovery Techniques
|
2026-02-25
|
|
Nishang PowershellTCPOneLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Cleo File Transfer Software, HAFNIUM Group
|
2026-02-25
|
|
NLTest Domain Trust Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery, Cleo File Transfer Software, Domain Trust Discovery, IcedID, Medusa Ransomware, Qakbot, Rhysida Ransomware, Ryuk Ransomware, Storm-0501 Ransomware
|
2026-02-25
|
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2026-02-25
|
|
Ntdsutil Export NTDS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Credential Dumping, HAFNIUM Group, Living Off The Land, NetSupport RMM Tool Abuse, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon
|
2026-02-25
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1190
T1133
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-02-25
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1190
T1133
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-02-25
|
|
Permission Modification using Takeown App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Ransomware, Sandworm Tools, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
T1187
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-02-25
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
T1003
|
TTP
|
Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-02-25
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
BlackByte Ransomware, Data Destruction, Meduza Stealer, Quasar RAT, Warzone RAT, WhisperGate
|
2026-02-25
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-02-25
|
|
Potential System Network Configuration Discovery Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016
|
Anomaly
|
Unusual Processes
|
2026-02-25
|
|
Potential Telegram API Request Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1102.002
T1041
|
Anomaly
|
0bj3ctivity Stealer, Hellcat Ransomware, Water Gamayun, XMRig
|
2026-02-25
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Hunting
|
0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Braodo Stealer, CISA AA23-347A, CISA AA24-241A, Cactus Ransomware, China-Nexus Threat Activity, Cleo File Transfer Software, DarkGate Malware, Data Destruction, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Hermetic Wiper, Interlock Ransomware, Lumma Stealer, Malicious PowerShell, Medusa Ransomware, Microsoft WSUS CVE-2025-59287, PHP-CGI RCE Attack on Japanese Organizations, Rhysida Ransomware, Salt Typhoon, Scattered Spider, SystemBC, Water Gamayun, XWorm
|
2026-02-25
|
|
PowerShell - Connect To Internet With Hidden Window
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Hunting
|
AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
2026-02-25
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Malicious PowerShell, Water Gamayun
|
2026-02-25
|
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
TTP
|
CISA AA24-241A, Ransomware, Revil Ransomware
|
2026-02-25
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Interlock Ransomware, Malicious PowerShell, Microsoft WSUS CVE-2025-59287
|
2026-02-25
|
|
PowerShell Enable PowerShell Remoting | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | Malicious PowerShell | 2026-02-25
Powershell Enable SMB1Protocol Feature | Powershell Script Block Logging 4104 | T1027.005 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2026-02-25
Powershell Execute COM Object | Powershell Script Block Logging 4104 | T1059.001, T1546.015 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2026-02-25
Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | T1055, T1059.001 | TTP | Data Destruction, Hellcat Ransomware, Hermetic Wiper, Malicious PowerShell | 2026-02-25
Powershell Fileless Script Contains Base64 Encoded Content | Powershell Script Block Logging 4104 | T1027, T1059.001 | TTP | 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, AsyncRAT, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Hermetic Wiper, IcedID, Malicious PowerShell, Medusa Ransomware, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, NjRAT, Winter Vivern, XWorm | 2026-02-25
PowerShell Get LocalGroup Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.001 | Hunting | Active Directory Discovery | 2026-02-25
Powershell Get LocalGroup Discovery with Script Block Logging | Powershell Script Block Logging 4104 | T1069.001 | Hunting | Active Directory Discovery | 2026-02-25
PowerShell Invoke CIMMethod CIMSession | Powershell Script Block Logging 4104 | T1047 | Anomaly | Active Directory Lateral Movement, Malicious PowerShell, Scattered Lapsus$ Hunters | 2026-02-25
PowerShell Invoke WmiExec Usage | Powershell Script Block Logging 4104 | T1047 | TTP | Scattered Lapsus$ Hunters, Suspicious WMI Use | 2026-02-25
Powershell Load Module in Meterpreter | Powershell Script Block Logging 4104 | T1059.001 | TTP | MetaSploit | 2026-02-25
Powershell Processing Stream Of Data | Powershell Script Block Logging 4104 | T1059.001 | TTP | AsyncRAT, Braodo Stealer, Data Destruction, Hellcat Ransomware, Hermetic Wiper, IcedID, Malicious PowerShell, Medusa Ransomware, MoonPeak, PXA Stealer, XWorm | 2026-02-25
PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | T1059.001, T1105 | TTP | Hellcat Ransomware, Malicious PowerShell | 2026-02-25
PowerShell Start-BitsTransfer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1197 | TTP | BITS Jobs, Gozi Malware | 2026-02-25
PowerShell Start or Stop Service | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | Active Directory Lateral Movement, Scattered Lapsus$ Hunters | 2026-02-25
Powershell Using memory As Backing Store | Powershell Script Block Logging 4104 | T1059.001 | TTP | Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, Medusa Ransomware, MoonPeak | 2026-02-25
PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | T1059.001, T1105, T1027.011 | TTP | Malicious PowerShell, Medusa Ransomware, MoonPeak, PHP-CGI RCE Attack on Japanese Organizations | 2026-02-25
Powershell Windows Defender Exclusion Commands | Powershell Script Block Logging 4104 | T1562.001 | TTP | AgentTesla, CISA AA22-320A, Data Destruction, NetSupport RMM Tool Abuse, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics | 2026-02-25
Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Chaos Ransomware, Ransomware | 2026-02-25
Print Spooler Adding A Printer Driver | Windows Event Log Printservice 316 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-02-25
Process Kill Base On File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | TTP | XMRig | 2026-02-25
Process Writing DynamicWrapperX | Sysmon EventID 11 | T1059, T1559.001 | Hunting | Remcos | 2026-02-25
Processes launching netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.004 | Anomaly | Azorult, DHS Report TA18-074A, Disabling Security Tools, Hellcat Ransomware, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon | 2026-02-25
Processes Tapping Keyboard Events | osquery |  | TTP | APT37 Rustonotto and FadeStealer, ColdRoot MacOS RAT | 2026-02-25
Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | T1053.005 | Hunting | 0bj3ctivity Stealer, Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks | 2026-02-25
Randomly Generated Windows Service Name | Windows Event Log System 7045 | T1543.003 | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2026-02-25
Ransomware Notes bulk creation | Sysmon EventID 11 | T1486 | Anomaly | Black Basta Ransomware, BlackMatter Ransomware, Cactus Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, Hellcat Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Termite Ransomware | 2026-02-25
Recon AVProduct Through Pwh or WMI | Powershell Script Block Logging 4104 | T1592 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Quasar RAT, Ransomware, Windows Post-Exploitation, XWorm | 2026-02-25
Recon Using WMI Class | Powershell Script Block Logging 4104 | T1592, T1059.001 | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious Inno Setup Loader, Malicious PowerShell, MoonPeak, Qakbot, Quasar RAT, Scattered Spider | 2026-02-25
Recursive Delete of Directory In Batch CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004 | TTP | APT37 Rustonotto and FadeStealer, Ransomware | 2026-02-25
Reg exe Manipulating Windows Services Registry Keys | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1574.011 | TTP | Living Off The Land, Windows Persistence Techniques, Windows Service Abuse | 2026-02-25
Regsvr32 Silent and Install Param Dll Loading | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.010 | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity | 2026-02-25
Regsvr32 with Known Silent Switch Cmdline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.010 | Anomaly | AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity | 2026-02-25
Remote Desktop Process Running On System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | Hunting | Active Directory Lateral Movement, Hidden Cobra Malware, Windows RDP Artifacts and Defense Evasion | 2026-02-25
Remote Process Instantiation via DCOM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.003 | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2026-02-25
Remote Process Instantiation via DCOM and PowerShell Script Block | Powershell Script Block Logging 4104 | T1021.003 | TTP | Active Directory Lateral Movement | 2026-02-25
Remote Process Instantiation via WinRM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-02-25
Remote Process Instantiation via WinRM and PowerShell Script Block | Powershell Script Block Logging 4104 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-02-25
Remote Process Instantiation via WinRM and Winrs | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | TTP | Active Directory Lateral Movement | 2026-02-25
Remote Process Instantiation via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Active Directory Lateral Movement, CISA AA23-347A, China-Nexus Threat Activity, Ransomware, Salt Typhoon, Suspicious WMI Use | 2026-02-25
Remote Process Instantiation via WMI and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2026-02-25
Remote Process Instantiation via WMI and PowerShell Script Block | Powershell Script Block Logging 4104 | T1047 | TTP | Active Directory Lateral Movement | 2026-02-25
Remote System Discovery with Adsisearcher | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2026-02-25
Remote System Discovery with Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | Anomaly | Active Directory Discovery, LAMEHUG | 2026-02-25
Remote WMI Command Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon | 2026-02-25
Resize ShadowStorage volume | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackByte Ransomware, Clop Ransomware, Compromised Windows Host, Medusa Ransomware, VanHelsing Ransomware | 2026-02-25
Revil Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204 | TTP | Ransomware, Revil Ransomware | 2026-02-25
Rundll32 Control RunDLL Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | Hunting | Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity | 2026-02-25
Rundll32 LockWorkStation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | Anomaly | Ransomware | 2026-02-25
Rundll32 Process Creating Exe Dll Files | Sysmon EventID 11 | T1218.011 | TTP | IcedID, Living Off The Land | 2026-02-25
Rundll32 Shimcache Flush | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1112 | TTP | Compromised Windows Host, Living Off The Land, Unusual Processes | 2026-02-25
RunDLL Loading DLL By Ordinal | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes | 2026-02-25
Ryuk Wake on LAN Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003 | TTP | Compromised Windows Host, Hellcat Ransomware, Ryuk Ransomware | 2026-02-25
Sc exe Manipulating Windows Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | Azorult, Crypto Stealer, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Scattered Spider, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse | 2026-02-25
SchCache Change By App Connect And Create ADSI Object | Sysmon EventID 11 | T1087.002 | Anomaly | BlackMatter Ransomware | 2026-02-25
Schedule Task with HTTP Command Arguments | Windows Event Log Security 4698 | T1053 | TTP | Compromised Windows Host, Hellcat Ransomware, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2026-02-25
Schedule Task with Rundll32 Command Trigger | Windows Event Log Security 4698 | T1053 | TTP | Castle RAT, Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques | 2026-02-25
Scheduled Task Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Active Directory Lateral Movement, Living Off The Land, Medusa Ransomware, Scheduled Tasks, Seashell Blizzard | 2026-02-25
Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053 | TTP | CISA AA22-257A, Data Destruction, Industroyer2, Medusa Ransomware, Qakbot, Scheduled Tasks, XMRig | 2026-02-25
Schtasks scheduling job on remote system | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, Quasar RAT, RedLine Stealer, Scheduled Tasks | 2026-02-25
Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2026-02-25
Script Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Scattered Spider, Suspicious WMI Use | 2026-02-25
Sdelete Application Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004, T1485 | TTP | Masquerading - Rename System Utilities, Scattered Spider | 2026-02-25
SecretDumps Offline NTDS Dumping Tool | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware, Storm-0501 Ransomware | 2026-02-25
ServicePrincipalNames Discovery with PowerShell | Powershell Script Block Logging 4104 | T1558.003 | TTP | Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Hellcat Ransomware, Malicious PowerShell | 2026-02-25
ServicePrincipalNames Discovery with SetSPN | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1558.003 | TTP | Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host | 2026-02-25
Services Escalate Exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548 | TTP | BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack | 2026-02-25
Services LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | Active Directory Lateral Movement, CISA AA23-347A, Hellcat Ransomware, Living Off The Land, Qakbot | 2026-02-25
Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | T1053.005 | TTP | Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks | 2026-02-25
Short Lived Windows Accounts | Windows Event Log System 4720, Windows Event Log System 4726 | T1078.003, T1136.001 | TTP | Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor | 2026-02-25
SLUI RunAs Elevated | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | TTP | Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics | 2026-02-25
SLUI Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | TTP | Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics | 2026-02-25
Spike in File Writes | Sysmon EventID 11 |  | Anomaly | Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2026-02-25
Steal or Forge Authentication Certificates Behavior Identified |  | T1649 | Correlation | Windows Certificate Services | 2026-02-25
Sunburst Correlation DLL and Network Event | Sysmon EventID 22, Sysmon EventID 7 | T1203 | TTP | NOBELIUM Group | 2026-02-25
Suspicious Computer Account Name Change | Windows Event Log Security 4781 | T1078.002 | TTP | Active Directory Privilege Escalation, Compromised Windows Host, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-02-25
Suspicious Copy on System32 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003 | Anomaly | AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon, Water Gamayun | 2026-02-25
Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1105 | TTP | APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow | 2026-02-25
Suspicious IcedID Rundll32 Cmdline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | IcedID, Living Off The Land | 2026-02-25
Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | T1078.002 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-02-25
Suspicious Linux Discovery Commands | Sysmon for Linux EventID 1 | T1059.004 | TTP | Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware | 2026-02-25
Suspicious microsoft workflow compiler rename | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003, T1127 | Hunting | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution | 2026-02-25
Suspicious microsoft workflow compiler usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1127 | TTP | Living Off The Land, Trusted Developer Utilities Proxy Execution | 2026-02-25
Suspicious MSBuild Rename | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003, T1127.001 | Hunting | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild | 2026-02-25
Suspicious MSBuild Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1127.001 | TTP | Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild | 2026-02-25
Suspicious mshta child process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.005 | TTP | Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity | 2026-02-25
Suspicious mshta spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.005 | TTP | APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity | 2026-02-25
Suspicious PlistBuddy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.001 | TTP | Silver Sparrow | 2026-02-25
Suspicious PlistBuddy Usage via OSquery | osquery | T1543.001 | TTP | Silver Sparrow | 2026-02-25
Suspicious Reg exe Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1112 | Anomaly | DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics | 2026-02-25
Suspicious Rundll32 dllregisterserver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | IcedID, Living Off The Land, Suspicious Rundll32 Activity | 2026-02-25
Suspicious Rundll32 no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity | 2026-02-25
Suspicious Rundll32 PluginInit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | IcedID | 2026-02-25
Suspicious Rundll32 StartW | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, Suspicious Rundll32 Activity, Trickbot | 2026-02-25
Suspicious SearchProtocolHost no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware | 2026-02-25
Suspicious SQLite3 LSQuarantine Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1074 | TTP | Silver Sparrow | 2026-02-25
Suspicious Ticket Granting Ticket Request | Windows Event Log Security 4768, Windows Event Log Security 4781 | T1078.002 | Hunting | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-02-25
Suspicious wevtutil Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.001 | TTP | CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, Scattered Spider, ShrinkLocker, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation, VoidLink Cloud-Native Linux Malware, Windows Log Manipulation | 2026-02-25
Suspicious writes to windows Recycle Bin | Sysmon EventID 1, Sysmon EventID 11 | T1036 | TTP | Collection and Staging, PlugX | 2026-02-25
Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Active Directory Lateral Movement, Hellcat Ransomware, Living Off The Land, Scheduled Tasks | 2026-02-25
System Processes Run From Unexpected Locations | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003 | Anomaly | DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2026-02-25
System User Discovery With Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Active Directory Discovery, Medusa Ransomware | 2026-02-25
System User Discovery With Whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Anomaly | Active Directory Discovery, CISA AA23-347A, LAMEHUG, PHP-CGI RCE Attack on Japanese Organizations, Qakbot, Rhysida Ransomware, Winter Vivern | 2026-02-25
Uninstall App Using MsiExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.007 | TTP | Ransomware | 2026-02-25
Unknown Process Using The Kerberos Protocol | Sysmon EventID 1, Sysmon EventID 3 | T1550 | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware | 2026-02-25
Unload Sysmon Filter Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | TTP | CISA AA23-347A, Disabling Security Tools | 2026-02-25
Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | T1059.001, T1562 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2026-02-25
Unusual Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078 | Hunting | Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-02-25
Unusual Number of Kerberos Service Tickets Requested | Windows Event Log Security 4769 | T1558.003 | Anomaly | Active Directory Kerberos Attacks | 2026-02-25
Unusual Number of Remote Endpoint Authentication Events | Windows Event Log Security 4624 | T1078 | Hunting | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2026-02-25
Unusually Long Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 |  | Anomaly | Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes | 2026-02-25
Unusually Long Command Line - MLTK | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 |  | Anomaly | Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes | 2026-02-25
User Discovery With Env Vars PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Active Directory Discovery | 2026-02-25
User Discovery With Env Vars PowerShell Script Block | Powershell Script Block Logging 4104 | T1033 | Hunting | Active Directory Discovery | 2026-02-25
USN Journal Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070 | TTP | Ransomware, Windows Log Manipulation | 2026-02-25
Vbscript Execution Using Wscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1 | T1059.005 | TTP | AsyncRAT, FIN7, Remcos | 2026-02-25
WBAdmin Delete System Backups | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation | 2026-02-25
Web Servers Executing Suspicious Processes | Sysmon EventID 1 | T1082 | TTP | Apache Struts Vulnerability | 2026-02-25
Wermgr Process Create Executable File | Sysmon EventID 11 | T1027 | TTP | Trickbot | 2026-02-25
Wermgr Process Spawned CMD Or Powershell Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | Qakbot, Trickbot | 2026-02-25
Windows Account Access Removal via Logoff Exec | Sysmon EventID 1 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-02-25
Windows Account Discovery for None Disable User Account | Powershell Script Block Logging 4104 | T1087.001 | Hunting | CISA AA23-347A | 2026-02-25
Windows Account Discovery for Sam Account Name | Powershell Script Block Logging 4104 | T1087 | Anomaly | CISA AA23-347A | 2026-02-25
Windows Account Discovery With NetUser PreauthNotRequire | Powershell Script Block Logging 4104 | T1087 | Hunting | CISA AA23-347A | 2026-02-25
Windows AD Abnormal Object Access Activity | Windows Event Log Security 4662 | T1087.002 | Anomaly | Active Directory Discovery, BlackSuit Ransomware | 2026-02-25
Windows AD add Self to Group | Windows Event Log Security 4728 | T1098 | TTP | Active Directory Privilege Escalation, Medusa Ransomware, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD DCShadow Privileges ACL Addition | Windows Event Log Security 5136 | T1484, T1207, T1222.001 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Domain Controller Audit Policy Disabled | Windows Event Log Security 4719 | T1562.001 | TTP | Windows Audit Policy Tampering | 2026-02-25
Windows AD Domain Controller Promotion | Windows Event Log Security 4742 | T1207 | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Domain Replication ACL Addition | Windows Event Log Security 5136 | T1484 | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD DSRM Password Reset | Windows Event Log Security 4794 | T1098 | TTP | Scattered Lapsus$ Hunters, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD GPO Deleted | Windows Event Log Security 5136 | T1562.001, T1484.001 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD GPO Disabled | Windows Event Log Security 5136 | T1562.001, T1484.001 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD GPO New CSE Addition | Windows Event Log Security 5136 | T1222.001, T1484.001 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Object Owner Updated | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Privileged Account SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005 | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Privileged Group Modification | Windows Event Log Security 4728 | T1098 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Privileged Object Access Activity | Windows Event Log Security 4662 | T1087.002 | TTP | Active Directory Discovery, BlackSuit Ransomware | 2026-02-25
Windows AD Replication Request Initiated by User Account | Windows Event Log Security 4624, Windows Event Log Security 4662 | T1003.006 | TTP | Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Replication Request Initiated from Unsanctioned Location | Windows Event Log Security 4624, Windows Event Log Security 4662 | T1003.006 | TTP | Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Self DACL Assignment | Windows Event Log Security 5136 | T1484, T1098 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Short Lived Domain Account ServicePrincipalName | Windows Event Log Security 5136 | T1098 | TTP | Interlock Ransomware, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Short Lived Domain Controller SPN Attribute | Windows Event Log Security 4624, Windows Event Log Security 5136 | T1207 | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Short Lived Server Object | Windows Event Log Security 5137, Windows Event Log Security 5141 | T1207 | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD SID History Attribute Modified | Windows Event Log Security 5136 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AD Suspicious Attribute Modification | Windows Event Log Security 5136 | T1222.001, T1550 | TTP | Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AdFind Exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | TTP | BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group | 2026-02-25
Windows Admon Default Group Policy Object Modified | Windows Active Directory Admon | T1484.001 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows Admon Group Policy Object Created | Windows Active Directory Admon | T1484.001 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2026-02-25
Windows AI Platform DNS Query | Sysmon EventID 22 | T1071.004 | Anomaly | LAMEHUG, PromptFlux, SesameOp | 2026-02-25
Windows Alternate DataStream - Process Execution | Sysmon EventID 1, Windows Event Log Security 4688 | T1564.004 | TTP | Compromised Windows Host, Windows Defense Evasion Tactics | 2026-02-25
Windows Apache Benchmark Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | Anomaly | MetaSploit | 2026-02-25
Windows Application Whitelisting Bypass Attempt via Rundll32 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2026-02-25
Windows AppLocker Block Events |  | T1218 | Anomaly | Windows AppLocker | 2026-02-25
Windows AppLocker Execution from Uncommon Locations |  | T1218 | Hunting | Windows AppLocker | 2026-02-25
Windows AppLocker Privilege Escalation via Unauthorized Bypass |  | T1218 | TTP | Windows AppLocker | 2026-02-25
Windows AppLocker Rare Application Launch Detection |  | T1218 | Hunting | Windows AppLocker | 2026-02-25
Windows AppX Deployment Full Trust Package Installation | Windows Event Log AppXDeployment-Server 400 | T1553.005, T1204.002 | Hunting | MSIX Package Abuse | 2026-02-25
Windows AppX Deployment Package Installation Success | Windows Event Log AppXDeployment-Server 854 | T1204.002 | Anomaly | MSIX Package Abuse | 2026-02-25
Windows AppX Deployment Unsigned Package Installation | Windows Event Log AppXDeployment-Server 855 | T1553.005, T1204.002 | TTP | MSIX Package Abuse | 2026-02-25
Windows Archive Collected Data via Rar | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Anomaly | APT37 Rustonotto and FadeStealer, China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon | 2026-02-25
Windows Archived Collected Data In TEMP Folder | Sysmon EventID 11 | T1560 | Anomaly | APT37 Rustonotto and FadeStealer, Braodo Stealer | 2026-02-25
Windows Attempt To Stop Security Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | TTP | Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate | 2026-02-25
Windows Audit Policy Auditing Option Disabled via Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | TTP | Windows Audit Policy Tampering | 2026-02-25
Windows Audit Policy Cleared via Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | TTP | Windows Audit Policy Tampering | 2026-02-25
Windows Audit Policy Disabled via Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | Anomaly | Windows Audit Policy Tampering | 2026-02-25
Windows Audit Policy Disabled via Legacy Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | Anomaly | Windows Audit Policy Tampering | 2026-02-25
Windows Audit Policy Excluded Category via Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | Anomaly | Windows Audit Policy Tampering | 2026-02-25
Windows Audit Policy Restored via Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | Anomaly | Windows Audit Policy Tampering | 2026-02-25
Windows Audit Policy Security Descriptor Tampering via Auditpol | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.002 | Anomaly | Windows Audit Policy Tampering | 2026-02-25
Windows AutoIt3 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | Crypto Stealer, DarkGate Malware, Handala Wiper | 2026-02-25
Windows Binary Proxy Execution Mavinject DLL Injection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.013 | TTP | Living Off The Land | 2026-02-25
Windows BitLocker Suspicious Command Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486, T1490 | TTP | ShrinkLocker | 2026-02-25
Windows BitLockerToGo Process Execution | Sysmon EventID 1, Windows Event Log Security 4688 | T1218 | Hunting | Lumma Stealer | 2026-02-25
Windows BitLockerToGo with Network Activity | Sysmon EventID 22 | T1218 | Hunting | Hellcat Ransomware, Lumma Stealer | 2026-02-25
Windows BootLoader Inventory |  | T1542.001 | Hunting | BlackLotus Campaign, Windows BootKits | 2026-02-25
Windows CAB File on Disk
|
Sysmon EventID 11
|
T1566.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, DarkGate Malware
|
2026-02-25
|
|
Windows Certutil Root Certificate Addition
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1587.003
|
TTP
|
Secret Blizzard
|
2026-02-25
|
|
Windows Change File Association Command To Notepad
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.001
|
TTP
|
Compromised Windows Host, Prestige Ransomware
|
2026-02-25
|
|
Windows Chromium Browser Launched with Small Window Size
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Browser Hijacking
|
2026-02-25
|
|
Windows Chromium Browser No Security Sandbox Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Malicious Inno Setup Loader
|
2026-02-25
|
|
Windows Chromium Browser with Custom User Data Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Lokibot, Malicious Inno Setup Loader, StealC Stealer
|
2026-02-25
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-02-25
|
|
Windows Chromium Process Launched with Logging Disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-02-25
|
|
Windows Chromium Process with Disabled Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-02-25
|
|
Windows Cisco Secure Endpoint Related Service Stopped
|
Windows Event Log System 7036
|
T1490
|
Anomaly
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, Security Solution Tampering
|
2026-02-25
|
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
T1115
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-02-25
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.015
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-02-25
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
Compromised Windows Host, DarkCrystal RAT
|
2026-02-25
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1222
T1049
T1033
T1529
T1016
T1059
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Microsoft WSUS CVE-2025-59287, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2026-02-25
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546
T1053.005
|
TTP
|
Windows Persistence Techniques
|
2026-02-25
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1546
T1053.005
|
TTP
|
Windows Persistence Techniques
|
2026-02-25
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-02-25
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-02-25
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2026-02-25
|
|
Windows ComputerDefaults Spawning a Process
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Castle RAT
|
2026-02-25
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.003
T1564.006
|
TTP
|
Compromised Windows Host, Spearphishing Attachments
|
2026-02-25
|
|
Windows Create Local Account
|
Windows Event Log Security 4720
|
T1136.001
|
Anomaly
|
Active Directory Password Spraying, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows Create Local Administrator Account Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.001
|
Anomaly
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware, GhostRedirector IIS Module and Rungan Backdoor, Medusa Ransomware, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows Credential Dumping LSASS Memory Createdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
Compromised Windows Host, Credential Dumping, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows Credential Target Information Structure in Commandline
|
Sysmon EventID 1
|
T1557.001
T1187
T1071.004
|
TTP
|
Compromised Windows Host, Kerberos Coercion with DNS, Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic
|
2026-02-25
|
|
Windows Credentials from Password Stores Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555
|
TTP
|
Compromised Windows Host, DarkGate Malware, NetSupport RMM Tool Abuse
|
2026-02-25
|
|
Windows Credentials from Password Stores Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555
|
TTP
|
Compromised Windows Host, DarkGate Malware, NetSupport RMM Tool Abuse
|
2026-02-25
|
|
Windows Credentials from Password Stores Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555
|
Anomaly
|
DarkGate Malware, NetSupport RMM Tool Abuse, Prestige Ransomware, Windows Post-Exploitation
|
2026-02-25
|
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
TTP
|
Data Destruction, Disk Wiper, Handala Wiper, Swift Slicer
|
2026-02-25
|
|
Windows Debugger Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
|
Hunting
|
DarkGate Malware, PlugX
|
2026-02-25
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows Default RDP File Creation By Non MSTSC Process
|
Sysmon EventID 1, Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-02-25
|
|
Windows Default Rdp File Unhidden
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-02-25
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1132, Windows Event Log Defender 1134
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-02-25
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-02-25
|
|
Windows Defender ASR or Threat Configuration Tamper
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
TTP
|
Windows Defense Evasion Tactics
|
2026-02-25
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007
|
T1566.001
T1566.002
T1059
|
Hunting
|
Windows Attack Surface Reduction
|
2026-02-25
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.004
|
Anomaly
|
NjRAT, ShrinkLocker
|
2026-02-25
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1553.005
T1204.002
|
Anomaly
|
MSIX Package Abuse
|
2026-02-25
|
|
Windows Disable Internet Explorer Addons
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1176.001
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-02-25
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-02-25
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
Anomaly
|
Crypto Stealer, NjRAT, PXA Stealer
|
2026-02-25
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
T1562.001
|
TTP
|
Braodo Stealer, Castle RAT, Hellcat Ransomware, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
T1562.002
|
TTP
|
CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics
|
2026-02-25
|
|
Windows DiskCryptor Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1486
|
Hunting
|
Ransomware
|
2026-02-25
|
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
CISA AA24-241A
|
2026-02-25
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-02-25
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-02-25
|
|
Windows DNS Gather Network Info
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1590.002
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2026-02-25
|
|
Windows DNS Query Request To TinyUrl
|
Sysmon EventID 22
|
T1105
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-02-25
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-02-25
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2026-02-25
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware
|
2026-02-25
|
|
Windows Driver Inventory
|
|
T1068
|
Hunting
|
Windows Drivers
|
2026-02-25
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2026-02-25
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
T1014
T1068
|
Hunting
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers
|
2026-02-25
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
CISA AA24-241A, Malicious PowerShell
|
2026-02-25
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4727, Windows Event Log Security 4730, Windows Event Log Security 4737
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-02-25
|
|
Windows ESX Admins Group Creation via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.002
T1136.001
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-02-25
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.002
T1136.001
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-02-25
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
T1562.001
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2026-02-25
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102, Windows Event Log System 104
|
T1070.001
|
TTP
|
CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2026-02-25
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
T1070.001
|
Hunting
|
Clop Ransomware, Ransomware, Scattered Lapsus$ Hunters, Windows Log Manipulation
|
2026-02-25
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-02-25
|
|
Windows Eventlog Cleared Via Wevtutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.001
|
Anomaly
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2026-02-25
|
|
Windows EventLog Recon Activity Using Log Query Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1654
|
Anomaly
|
Windows Discovery Techniques
|
2026-02-25
|
|
Windows Excel ActiveMicrosoftApp Child Process
|
Sysmon EventID 1
|
T1021.003
|
Anomaly
|
PathWiper
|
2026-02-25
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
T1562.001
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-02-25
|
|
Windows Excessive Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
TTP
|
BlackByte Ransomware, Ransomware, XMRig
|
2026-02-25
|
|
Windows Excessive Usage Of Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1531
|
Anomaly
|
Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig
|
2026-02-25
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
Lokibot, NjRAT
|
2026-02-25
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
T1036.008
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-02-25
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2026-02-25
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.014
|
Anomaly
|
XML Runner Loader
|
2026-02-25
|
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
APT37 Rustonotto and FadeStealer, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, Water Gamayun, Winter Vivern
|
2026-02-25
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
APT37 Rustonotto and FadeStealer, Winter Vivern
|
2026-02-25
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-02-25
|
|
Windows File and Directory Permissions Enable Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Hunting
|
Crypto Stealer, NetSupport RMM Tool Abuse
|
2026-02-25
|
|
Windows File and Directory Permissions Remove Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Crypto Stealer
|
2026-02-25
|
|
Windows File Collection Via Copy Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1119
|
Anomaly
|
LAMEHUG
|
2026-02-25
|
|
Windows File Download Via CertUtil
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
CISA AA22-277A, Cisco Network Visibility Module Analytics, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell
|
2026-02-25
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
T1135
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation
|
2026-02-25
|
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 11
|
T1485
|
TTP
|
Data Destruction, Hermetic Wiper
|
2026-02-25
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-02-25
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Windows Findstr GPP Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-02-25
|
|
Windows Firewall Rule Added
|
Windows Event Log Security 4946
|
T1562.004
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-02-25
|
|
Windows Firewall Rule Deletion
|
Windows Event Log Security 4948
|
T1562.004
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-02-25
|
|
Windows Firewall Rule Modification
|
Windows Event Log Security 4947
|
T1562.004
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-02-25
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
T1592.001
|
Anomaly
|
DarkCrystal RAT
|
2026-02-25
|
|
Windows Gdrive Binary Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-02-25
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Medusa Ransomware
|
2026-02-25
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-02-25
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.002
|
TTP
|
Windows Audit Policy Tampering
|
2026-02-25
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1078.002
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Cactus Ransomware, Compromised Windows Host, Data Destruction, Hellcat Ransomware, Industroyer2, Malicious Inno Setup Loader, Scheduled Tasks
|
2026-02-25
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
Hunting
|
CISA AA23-347A, Credential Dumping, Lokibot, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Living Off The Land
|
2026-02-25
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-02-25
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
T1505.004
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components, WS FTP Server Critical Vulnerabilities
|
2026-02-25
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505.004
|
Anomaly
|
IIS Components
|
2026-02-25
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
T1505.004
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-02-25
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
Hunting
|
Azorult
|
2026-02-25
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1562.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-02-25
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1562
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1562
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2026-02-25
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land
|
2026-02-25
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1202
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-02-25
|
|
Windows Information Discovery Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-02-25
|
|
Windows Ingress Tool Transfer Using Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
Anomaly
|
DarkCrystal RAT
|
2026-02-25
|
|
Windows Kerberos Coercion via DNS
|
Windows Event Log Security 4662, Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1071.004
T1557.001
T1187
|
TTP
|
Compromised Windows Host, Kerberos Coercion with DNS, Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic
|
2026-02-25
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2026-02-25
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1135
T1078
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-02-25
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1069.002
|
TTP
|
Volt Typhoon
|
2026-02-25
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2026-02-25
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Qakbot
|
2026-02-25
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.004
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla
|
2026-02-25
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
T1553.005
|
TTP
|
Quasar RAT, Warzone RAT
|
2026-02-25
|
|
Windows Masquerading Msdtc Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
|
TTP
|
Compromised Windows Host, PlugX
|
2026-02-25
|
|
Windows Mimikatz Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003
|
TTP
|
CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Scattered Spider, Volt Typhoon
|
2026-02-25
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
T1649
|
Anomaly
|
CISA AA23-347A, Sandworm Tools, Windows Certificate Services
|
2026-02-25
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
Azorult
|
2026-02-25
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-02-25
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1190
T1133
|
TTP
|
Hellcat Ransomware, MOVEit Transfer Critical Vulnerability
|
2026-02-25
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
|
T1059.001
|
Anomaly
|
BlackByte Ransomware, ProxyNotShell, ProxyShell, Scattered Spider
|
2026-02-25
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 13
|
T1218.005
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-02-25
|
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-02-25
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Qakbot, Water Gamayun
|
2026-02-25
|
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Medusa Ransomware, StealC Stealer, Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-02-25
|
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2026-02-25
|
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2026-02-25
|
|
Windows MSIX Package Interaction
|
Windows Event Log AppXPackaging 171
|
T1204.002
|
Hunting
|
MSIX Package Abuse
|
2026-02-25
|
|
Windows MSTSC RDP Commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
|
Anomaly
|
Medusa Ransomware, Windows RDP Artifacts and Defense Evasion
|
2026-02-25
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1098
T1078
|
TTP
|
Azure Active Directory Persistence
|
2026-02-25
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1098
T1078
|
TTP
|
Azure Active Directory Persistence
|
2026-02-25
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1098
T1078
|
TTP
|
Azure Active Directory Persistence
|
2026-02-25
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-02-25
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-02-25
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-02-25
|
|
| Name | Data Source | ATT&CK Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials | Windows Event Log Security 4648 | T1110.003 | TTP | Active Directory Password Spraying, Insider Threat, Volt Typhoon | 2026-02-25 |
| Windows Multiple Users Failed To Authenticate From Host Using NTLM | Windows Event Log Security 4776 | T1110.003 | TTP | Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Multiple Users Failed To Authenticate From Process | Windows Event Log Security 4625 | T1110.003 | TTP | Active Directory Password Spraying, Insider Threat, Volt Typhoon | 2026-02-25 |
| Windows Multiple Users Failed To Authenticate Using Kerberos | Windows Event Log Security 4771 | T1110.003 | TTP | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Multiple Users Remotely Failed To Authenticate From Host | Windows Event Log Security 4625 | T1110.003 | TTP | Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Net System Service Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1007 | Anomaly | LAMEHUG | 2026-02-25 |
| Windows Network Connection Discovery Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1049 | Hunting | Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows Network Share Interaction Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1135, T1039 | Anomaly | Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery | 2026-02-25 |
| Windows New Deny Permission Set On Service SD Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1564 | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-02-25 |
| Windows New Service Security Descriptor Set Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1564 | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-02-25 |
| Windows Ngrok Reverse Proxy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1572, T1090, T1102 | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2026-02-25 |
| Windows NirSoft AdvancedRun | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1588.002 | TTP | Data Destruction, Ransomware, Unusual Processes, WhisperGate | 2026-02-25 |
| Windows Obfuscated Files or Information via RAR SFX | Sysmon EventID 11 | T1027.013 | Anomaly | APT37 Rustonotto and FadeStealer, Crypto Stealer, GhostRedirector IIS Module and Rungan Backdoor | 2026-02-25 |
| Windows Odbcconf Hunting | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.008 | Hunting | Living Off The Land | 2026-02-25 |
| Windows Odbcconf Load DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.008 | TTP | Living Off The Land | 2026-02-25 |
| Windows Odbcconf Load Response File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.008 | TTP | Living Off The Land | 2026-02-25 |
| Windows Office Product Dropped Cab or Inf File | Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 | T1566.001 | TTP | APT37 Rustonotto and FadeStealer, Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2026-02-25 |
| Windows Office Product Dropped Uncommon File | Sysmon EventID 1, Sysmon EventID 11 | T1566.001 | Anomaly | AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT | 2026-02-25 |
| Windows Office Product Spawned Child Process For Download | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001 | TTP | APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments | 2026-02-25 |
| Windows Office Product Spawned Control | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001 | TTP | Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2026-02-25 |
| Windows Office Product Spawned MSDT | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001 | TTP | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments | 2026-02-25 |
| Windows Office Product Spawned Rundll32 With No DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001 | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Crypto Stealer, Graceful Wipe Out Attack, Prestige Ransomware, Spearphishing Attachments | 2026-02-25 |
| Windows PaperCut NG Spawn Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059, T1190, T1133 | TTP | Compromised Windows Host, PaperCut MF NG Vulnerability | 2026-02-25 |
| Windows Parent PID Spoofing with Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1134.004 | TTP | Compromised Windows Host, Windows Defense Evasion Tactics | 2026-02-25 |
| Windows Password Managers Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555.005 | Anomaly | Prestige Ransomware, Scattered Lapsus$ Hunters, Scattered Spider, Windows Post-Exploitation | 2026-02-25 |
| Windows Password Policy Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1201 | Hunting | Active Directory Discovery | 2026-02-25 |
| Windows Phishing PDF File Executes URL Link | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001 | Anomaly | Snake Keylogger, Spearphishing Attachments | 2026-02-25 |
| Windows Post Exploitation Risk Behavior | | T1012, T1049, T1069, T1016, T1003, T1082, T1115, T1552 | Correlation | Windows Post-Exploitation | 2026-02-25 |
| Windows Potential AppDomainManager Hijack Artifacts Creation | Sysmon EventID 11 | T1574.014 | Anomaly | SesameOp | 2026-02-25 |
| Windows PowerShell Add Module to Global Assembly Cache | Powershell Script Block Logging 4104 | T1505.004 | TTP | IIS Components | 2026-02-25 |
| Windows Powershell Cryptography Namespace | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | AsyncRAT, XWorm | 2026-02-25 |
| Windows PowerShell Disable HTTP Logging | Powershell Script Block Logging 4104 | T1505.004, T1562.002 | TTP | IIS Components, Windows Defense Evasion Tactics | 2026-02-25 |
| Windows PowerShell Export Certificate | Powershell Script Block Logging 4104 | T1552.004, T1649 | Anomaly | Windows Certificate Services | 2026-02-25 |
| Windows PowerShell Export PfxCertificate | Powershell Script Block Logging 4104 | T1552.004, T1649 | Anomaly | Scattered Lapsus$ Hunters, Water Gamayun, Windows Certificate Services | 2026-02-25 |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001, T1204.001, T1059.003 | TTP | Cisco Network Visibility Module Analytics, Fake CAPTCHA Campaigns, Interlock Ransomware, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters | 2026-02-25 |
| Windows PowerShell Get CIMInstance Remote Computer | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | Active Directory Lateral Movement | 2026-02-25 |
| Windows Powershell History File Deletion | Powershell Script Block Logging 4104 | T1059.003, T1070.003 | Anomaly | Medusa Ransomware | 2026-02-25 |
| Windows PowerShell IIS Components WebGlobalModule Usage | Powershell Script Block Logging 4104 | T1505.004 | Anomaly | GhostRedirector IIS Module and Rungan Backdoor, IIS Components | 2026-02-25 |
| Windows Powershell Import Applocker Policy | Powershell Script Block Logging 4104 | T1059.001, T1562.001 | TTP | Azorult | 2026-02-25 |
| Windows PowerShell Invoke-RestMethod IP Information Collection | Powershell Script Block Logging 4104 | T1082, T1016, T1059.001 | Anomaly | Water Gamayun | 2026-02-25 |
| Windows Powershell Logoff User via Quser | Powershell Script Block Logging 4104 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-02-25 |
| Windows PowerShell MSIX Package Installation | Powershell Script Block Logging 4104 | T1059.001, T1547.001 | TTP | MSIX Package Abuse, Malicious PowerShell | 2026-02-25 |
| Windows PowerShell Process With Malicious String | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001 | TTP | Malicious PowerShell | 2026-02-25 |
| Windows Powershell RemoteSigned File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001 | Anomaly | Amadey | 2026-02-25 |
| Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | T1053.005, T1059.001 | Anomaly | Scattered Spider, Scheduled Tasks | 2026-02-25 |
| Windows PowerShell WMI Win32 ScheduledJob | Powershell Script Block Logging 4104 | T1059.001 | TTP | Active Directory Lateral Movement | 2026-02-25 |
| Windows PowerSploit GPP Discovery | Powershell Script Block Logging 4104 | T1552.006 | TTP | Active Directory Privilege Escalation | 2026-02-25 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1078.002, T1069 | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2026-02-25 |
| Windows PowerView Constrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2026-02-25 |
| Windows PowerView Kerberos Service Ticket Request | Powershell Script Block Logging 4104 | T1558.003 | TTP | Active Directory Kerberos Attacks, Rhysida Ransomware | 2026-02-25 |
| Windows PowerView SPN Discovery | Powershell Script Block Logging 4104 | T1558.003 | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Interlock Ransomware, Rhysida Ransomware | 2026-02-25 |
| Windows PowerView Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2026-02-25 |
| Windows Private Keys Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1552.004 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows Privileged Group Modification | Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4783, Windows Event Log Security 4790 | T1136.001, T1136.002 | TTP | Scattered Lapsus$ Hunters, VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 | 2026-02-25 |
| Windows Process Commandline Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1057 | Hunting | CISA AA23-347A | 2026-02-25 |
| Windows Process Executed From Removable Media | Sysmon EventID 1, Sysmon EventID 13 | T1200, T1025, T1091 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-02-25 |
| Windows Process Execution From RDP Share | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001, T1105, T1059 | Anomaly | Hidden Cobra Malware | 2026-02-25 |
| Windows Process Injection In Non-Service SearchIndexer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Qakbot | 2026-02-25 |
| Windows Process Injection Wermgr Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2026-02-25 |
| Windows Process With NetExec Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550.003, T1558.003, T1558.004 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation | 2026-02-25 |
| Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | T1489 | Anomaly | Data Destruction, Industroyer2 | 2026-02-25 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1572, T1021.004 | TTP | CISA AA22-257A | 2026-02-25 |
| Windows Proxy Via Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1090.001 | Anomaly | Volt Typhoon | 2026-02-25 |
| Windows PUA Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1559, T1021.002, T1055 | Anomaly | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, Cactus Ransomware, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Medusa Ransomware, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Seashell Blizzard, VanHelsing Ransomware, Volt Typhoon | 2026-02-25 |
| Windows Raccine Scheduled Task Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | TTP | Compromised Windows Host, Ransomware | 2026-02-25 |
| Windows Rapid Authentication On Multiple Hosts | Windows Event Log Security 4624 | T1003.002 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2026-02-25 |
| Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055.001, T1218 | TTP | Compromised Windows Host, Hellcat Ransomware, Windows Defense Evasion Tactics | 2026-02-25 |
| Windows RDP Client Launched with Admin Session | Sysmon EventID 1 | T1021.001 | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows RDP Connection Successful | Windows Event Log RemoteConnectionManager 1149 | T1563.002 | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, Interlock Ransomware, NetSupport RMM Tool Abuse, Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows RDP Login Session Was Established | Windows Event Log Security 4624 | T1021.001 | Anomaly | Scattered Lapsus$ Hunters, Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows RDPClient Connection Sequence Events | Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 | T1133 | Anomaly | Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows Registry Entries Exported Via Reg | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1012 | Hunting | CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows Registry Entries Restored Via Reg | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1012 | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows Registry Payload Injection | Sysmon EventID 13 | T1027.011 | TTP | Unusual Processes | 2026-02-25 |
| Windows Regsvr32 Renamed Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.010 | TTP | Compromised Windows Host, Qakbot | 2026-02-25 |
| Windows Remote Access Software BRC4 Loaded Dll | Sysmon EventID 7 | T1219, T1003 | Anomaly | Brute Ratel C4 | 2026-02-25 |
| Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Compromised Windows Host, Unusual Processes | 2026-02-25 |
| Windows Remote Host Computer Management Access | Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | Anomaly | Medusa Ransomware | 2026-02-25 |
| Windows Remote Management Execute Shell | Sysmon EventID 1, Windows Event Log Security 4688 | T1021.006 | Anomaly | Crypto Stealer | 2026-02-25 |
| Windows Remote Service Rdpwinst Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | TTP | Azorult, Compromised Windows Host, Scattered Lapsus$ Hunters, Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows Remote Services Allow Rdp In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001 | Anomaly | Azorult, Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows Renamed Powershell Execution | Sysmon EventID 1 | T1036.003 | TTP | Hellcat Ransomware, XWorm | 2026-02-25 |
| Windows RMM Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1559, T1021.002, T1055 | Anomaly | CISA AA24-241A, Cactus Ransomware, Command And Control, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard | 2026-02-25 |
| Windows Root Domain linked policies Discovery | Powershell Script Block Logging 4104 | T1087.002 | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2026-02-25 |
| Windows Rundll32 Apply User Settings Changes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | Anomaly | Rhysida Ransomware | 2026-02-25 |
| Windows Rundll32 WebDav With Network Connection | Sysmon EventID 1, Sysmon EventID 3 | T1048.003 | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2026-02-25 |
| Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | Anomaly | CISA AA23-347A, Lokibot, Malicious Inno Setup Loader, MoonPeak, Scheduled Tasks, Winter Vivern | 2026-02-25 |
| Windows Scheduled Task with Suspicious Name | Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702 | T1053.005 | TTP | 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2026-02-25 |
| Windows ScManager Security Descriptor Tampering Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1569.002 | TTP | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-02-25 |
| Windows Screen Capture Via Powershell | Powershell Script Block Logging 4104 | T1113 | TTP | APT37 Rustonotto and FadeStealer, Water Gamayun, Winter Vivern | 2026-02-25 |
| Windows Security Account Manager Stopped | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Compromised Windows Host, Ryuk Ransomware, Scattered Lapsus$ Hunters | 2026-02-25 |
| Windows Security And Backup Services Stop | Windows Event Log System 7036 | T1490 | TTP | BlackMatter Ransomware, Compromised Windows Host, Hellcat Ransomware, LockBit Ransomware, Ransomware, Scattered Lapsus$ Hunters, Termite Ransomware | 2026-02-25 |
| Windows Sensitive Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.002 | Anomaly | Active Directory Discovery, BlackSuit Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Volt Typhoon | 2026-02-25 |
| Windows Sensitive Registry Hive Dump Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.002 | TTP | CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Seashell Blizzard, Volt Typhoon, Windows Registry Abuse | 2026-02-25 |
| Windows Server Software Component GACUtil Install to GAC | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1505.004 | TTP | IIS Components | 2026-02-25 |
| Windows Service Create Kernel Mode Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068, T1543.003 | TTP | CISA AA22-320A, Windows Drivers | 2026-02-25 |
| Windows Service Create RemComSvc | Windows Event Log System 7045 | T1543.003 | Anomaly | Active Directory Discovery | 2026-02-25 |
| Windows Service Create SliverC2 | Windows Event Log System 7045 | T1569.002 | TTP | BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host, Hellcat Ransomware | 2026-02-25 |
| Windows Service Create with Tscon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003, T1563.002 | TTP | Active Directory Lateral Movement, Compromised Windows Host, Windows RDP Artifacts and Defense Evasion | 2026-02-25 |
| Windows Service Created with Suspicious Service Name | Windows Event Log System 7045 | T1569.002 | Anomaly | Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware, Tuoni | 2026-02-25 |
| Windows Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Graceful Wipe Out Attack, Prestige Ransomware, Scattered Lapsus$ Hunters | 2026-02-25 |
| Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Azorult, Crypto Stealer, Graceful Wipe Out Attack | 2026-02-25 |
| Windows Service Stop Win Updates | Windows Event Log System 7040 | T1489 | Anomaly | CISA AA23-347A, RedLine Stealer | 2026-02-25 |
| Windows Set Account Password Policy To Unlimited Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | BlackByte Ransomware, Crypto Stealer, Ransomware, XMRig | 2026-02-25 |
| Windows Shell Process from CrushFTP | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001, T1059.003, T1190, T1505 | TTP | CrushFTP Vulnerabilities | 2026-02-25 |
| Windows Short Lived DNS Record | Windows Event Log Security 5136, Windows Event Log Security 5137 | T1071.004, T1557.001, T1187 | TTP | Compromised Windows Host, Kerberos Coercion with DNS, Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic | 2026-02-25 |
| Windows SIP WinVerifyTrust Failed Trust Validation | Windows Event Log CAPI2 81 | T1553.003 | Anomaly | Subvert Trust Controls SIP and Trust Provider Hijacking | 2026-02-25 |
| Windows SOAPHound Binary Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Compromised Windows Host, Windows Discovery Techniques | 2026-02-25 |
| Windows Spearphishing Attachment Onenote Spawn Mshta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001 | TTP | APT37 Rustonotto and FadeStealer, AsyncRAT, Compromised Windows Host, Spearphishing Attachments | 2026-02-25 |
| Windows Special Privileged Logon On Multiple Hosts | Windows Event Log Security 4672 | T1087, T1021.002, T1135 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host | 2026-02-25 |
| Windows SpeechRuntime COM Hijacking DLL Load | Sysmon EventID 7 | T1021.003 | TTP | Active Directory Lateral Movement, Compromised Windows Host, Scattered Lapsus$ Hunters | 2026-02-25 |
| Windows SpeechRuntime Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.003 | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2026-02-25 |
| Windows SQL Server Configuration Option Hunt | Windows Event Log Application 15457 | T1505.001 | Hunting | SQL Server Abuse | 2026-02-25 |
| Windows SQL Server Critical Procedures Enabled | Windows Event Log Application 15457 | T1505.001 | TTP | SQL Server Abuse | 2026-02-25 |
| Windows SQL Server Extended Procedure DLL Loading Hunt | Windows Event Log Application 8128 | T1505.001, T1059.009 | Hunting | SQL Server Abuse | 2026-02-25 |
| Windows SQL Server xp_cmdshell Config Change | Windows Event Log Application 15457 | T1505.001 | TTP | GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse, Seashell Blizzard | 2026-02-25 |
| Windows SQL Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation | 2026-02-25 |
| Windows Sqlservr Spawning Shell | Sysmon EventID 1, Windows Event Log Security 4688 | T1505.001 | TTP | SQL Server Abuse | 2026-02-25 |
| Windows Steal Authentication Certificates Certificate Issued | Windows Event Log Security 4887 | T1649 | Anomaly | Windows Certificate Services | 2026-02-25 |
| Windows Steal Authentication Certificates Certificate Request | Windows Event Log Security 4886 | T1649 | Anomaly | Windows Certificate Services | 2026-02-25 |
| Windows Steal Authentication Certificates CertUtil Backup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | Anomaly | Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services | 2026-02-25 |
| Windows Steal Authentication Certificates CryptoAPI | Windows Event Log CAPI2 70 | T1649 | Anomaly | Hellcat Ransomware, Windows Certificate Services | 2026-02-25 |
| Windows Steal Authentication Certificates CS Backup | Windows Event Log Security 4876 | T1649 | Anomaly | Windows Certificate Services | 2026-02-25 |
| Windows Steal Authentication Certificates Export Certificate | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | Anomaly | Windows Certificate Services | 2026-02-25 |
| Windows Steal Authentication Certificates Export PfxCertificate | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | Anomaly | Windows Certificate Services | 2026-02-25 |
| Windows Steal or Forge Kerberos Tickets Klist | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1558 | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows SubInAcl Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1222.001 | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-02-25 |
| Windows Suspicious C2 Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1559, T1021.002, T1055 | TTP | APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Storm-0501 Ransomware, Trickbot, Tuoni | 2026-02-25 |
| Windows Suspicious Child Process Spawned From WebServer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1505.003 | TTP | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, Medusa Ransomware, Microsoft SharePoint Vulnerabilities, Microsoft WSUS CVE-2025-59287, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities | 2026-02-25 |
| Windows Suspicious Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1559, T1021.002, T1055 | TTP | APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Trickbot, Tuoni | 2026-02-25 |
| Windows Suspicious VMWare Tools Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | China-Nexus Threat Activity, ESXi Post Compromise | 2026-02-25 |
| Windows Symlink Evaluation Change via Fsutil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1222.001 | Anomaly | Windows Post-Exploitation | 2026-02-25 |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.001 | TTP | APT37 Rustonotto and FadeStealer, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2026-02-25 |
| Windows System Discovery Using ldap Nslookup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Anomaly | Qakbot | 2026-02-25 |
| Windows System Discovery Using Qwinsta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Qakbot | 2026-02-25 |
| Windows System File on Disk | Sysmon EventID 11 | T1068 | Hunting | CISA AA22-264A, Crypto Stealer, Windows Drivers | 2026-02-25 |
| Windows System LogOff Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | DarkCrystal RAT, NjRAT, Scattered Lapsus$ Hunters, XWorm | 2026-02-25 |
| Windows System Network Config Discovery Display DNS | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1016 | Anomaly | Medusa Ransomware, Prestige Ransomware, Water Gamayun, Windows Post-Exploitation | 2026-02-25 |
| Windows System Network Connections Discovery Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1049 | Anomaly | Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation | 2026-02-25 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Quasar RAT, Scattered Lapsus$ Hunters, XWorm | 2026-02-25 |
| Windows System Remote Discovery With Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Anomaly | Active Directory Discovery, Medusa Ransomware | 2026-02-25 |
| Windows System Script Proxy Execution Syncappvpublishingserver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1216, T1218 | TTP | Living Off The Land | 2026-02-25 |
| Windows System Time Discovery W32tm Delay | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1124 | Anomaly | DarkCrystal RAT | 2026-02-25 |
| Windows System User Discovery Via Quser | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Crypto Stealer, Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows System User Privilege Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | CISA AA23-347A | 2026-02-25 |
| Windows Terminating Lsass Process | Sysmon EventID 10 | T1562.001 | Anomaly | Data Destruction, Double Zero Destructor, Scattered Lapsus$ Hunters | 2026-02-25 |
| Windows Time Based Evasion | CrowdStrike ProcessRollup2, Sysmon EventID 1 | T1497.003 | TTP | NjRAT | 2026-02-25 |
| Windows Time Based Evasion via Choice Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1497.003 | Anomaly | 0bj3ctivity Stealer, Snake Keylogger | 2026-02-25 |
| Windows UAC Bypass Suspicious Escalation Behavior | Sysmon EventID 1 | T1548.002 | TTP | Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics | 2026-02-25 |
| Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos | Windows Event Log Security 4768 | T1110.003 | Anomaly | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos | Windows Event Log Security 4768 | T1110.003 | Anomaly | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM | Windows Event Log Security 4776 | T1110.003 | Anomaly | Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials | Windows Event Log Security 4648 | T1110.003 | Anomaly | Active Directory Password Spraying, Insider Threat, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Users Failed To Auth Using Kerberos | Windows Event Log Security 4771 | T1110.003 | Anomaly | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Users Failed To Authenticate From Process | Windows Event Log Security 4625 | T1110.003 | Anomaly | Active Directory Password Spraying, Insider Threat, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Users Failed To Authenticate Using NTLM | Windows Event Log Security 4776 | T1110.003 | Anomaly | Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows Unusual Count Of Users Remotely Failed To Auth From Host | Windows Event Log Security 4625 | T1110.003 | Anomaly | Active Directory Password Spraying, Volt Typhoon | 2026-02-25 |
| Windows USBSTOR Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | T1200, T1025, T1091 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-02-25 |
| Windows User Deletion Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2026-02-25 |
| Windows User Disabled Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | XMRig | 2026-02-25 |
| Windows User Discovery Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1087.001 | Hunting | Active Directory Discovery, Medusa Ransomware, Sandworm Tools | 2026-02-25 |
| Windows Visual Basic Commandline Compiler DNSQuery | Sysmon EventID 22 | T1071.004 | TTP | Lokibot | 2026-02-25 |
| Windows Vulnerable 3CX Software | Sysmon EventID 1 | T1195.002 | TTP | 3CX Supply Chain Attack | 2026-02-25 |
| Windows Vulnerable Driver Installed | Windows Event Log System 7045 | T1543.003 | TTP | Windows Drivers | 2026-02-25 |
| Windows Vulnerable Driver Loaded | Sysmon EventID 6 | T1543.003 | Hunting | BlackByte Ransomware, Windows Drivers | 2026-02-25 |
| Windows WBAdmin File Recovery From Backup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490, T1565.001 | Anomaly | Credential Dumping | 2026-02-25 |
| Windows WinLogon with Public Network Connection | Sysmon EventID 1, Sysmon EventID 3 | T1542.003 | Hunting | BlackLotus Campaign | 2026-02-25 |
| Windows WMI Process And Service List | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2026-02-25 |
| Windows WMI Process Call Create | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | Hunting | CISA AA23-347A, Cactus Ransomware, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon | 2026-02-25 |
| Windows Wmic CPU Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1082 | Anomaly | LAMEHUG | 2026-02-25 |
| Windows Wmic DiskDrive Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1082 | Anomaly | LAMEHUG | 2026-02-25 |
| Windows Wmic Memory Chip Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1082 | Anomaly | LAMEHUG | 2026-02-25 |
| Windows Wmic Network Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1082 | Anomaly | LAMEHUG | 2026-02-25 |
| Windows Wmic Systeminfo Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1082 | Anomaly | LAMEHUG | 2026-02-25 |
| Windows WPDBusEnum Registry Key Modification | Sysmon EventID 12, Sysmon EventID 13 | T1200, T1025, T1091 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-02-25 |
|
|
Windows WSUS Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-02-25
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
0bj3ctivity Stealer, CISA AA22-257A, Castle RAT, China-Nexus Threat Activity, Compromised Windows Host, Medusa Ransomware, Ransomware, Ryuk Ransomware, Salt Typhoon, Scheduled Tasks, SystemBC, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2026-02-25
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Castle RAT, China-Nexus Threat Activity, Compromised Windows Host, Data Destruction, IcedID, Industroyer2, Malicious Inno Setup Loader, Medusa Ransomware, PlugX, Prestige Ransomware, Quasar RAT, Ransomware, Remcos, Ryuk Ransomware, Salt Typhoon, Scheduled Tasks, SystemBC, ValleyRAT, Windows Persistence Techniques, Winter Vivern, XWorm
|
2026-02-25
|
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831
|
2026-02-25
|
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
|
TTP
|
CISA AA23-347A, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Unusual Processes
|
2026-02-25
|
|
WMI Permanent Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-02-25
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-02-25
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
T1592
|
Anomaly
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2026-02-25
|
|
WMI Temporary Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-02-25
|
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-02-25
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
Hunting
|
Azorult, IcedID
|
2026-02-25
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-02-25
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
T1134.004
T1543
|
TTP
|
0bj3ctivity Stealer, Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate, XWorm
|
2026-02-25
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.006
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Hellcat Ransomware
|
2026-02-25
|
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1220
|
TTP
|
FIN7, Suspicious WMI Use
|
2026-02-25
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1562.001
T1098
T1505.003
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-02-25
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1136
T1078
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-02-25
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1556
T1021
T1133
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-02-25
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1136
T1078
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-02-25
|
|
Cisco Secure Firewall - Binary File Type Download
|
Cisco Secure Firewall Threat Defense File Event
|
T1203
T1059
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Bits Network Activity
|
Cisco Secure Firewall Threat Defense Connection Event
|
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1203
T1059
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-02-25
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Connection to File Sharing Domain
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1090.002
T1105
T1567.002
T1588.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Cisco Secure Firewall - File Download Over Uncommon Port
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1203
T1003
T1071
T1190
T1078
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1071
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1027
T1204
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-02-25
|
|
Cisco Secure Firewall - Lumma Stealer Download Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-02-25
|
|
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-02-25
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
T1203
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Oracle E-Business Suite Correlation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation
|
2026-02-25
|
|
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation
|
2026-02-25
|
|
Cisco Secure Firewall - Possibly Compromised Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1203
T1059
T1587.001
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-02-25
|
|
Cisco Secure Firewall - Rare Snort Rule Triggered
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1598
T1583.006
|
Hunting
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - React Server Components RCE Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
React2Shell
|
2026-02-25
|
|
Cisco Secure Firewall - Remote Access Software Usage Traffic
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1219
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider
|
2026-02-25
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1027
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware
|
2026-02-25
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1105
T1027
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - SSH Connection to Non-Standard Port
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-02-25
|
|
Cisco Secure Firewall - SSH Connection to sshd_operns
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-02-25
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-02-25
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1059.001
T1003.001
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-02-25
|
|
Cisco Smart Install Port Discovery and Status
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1562.001
T1040
T1552
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-02-25
|
|
Cisco TFTP Server Configuration for Data Exfiltration
|
Cisco IOS Logs
|
T1567
T1005
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-02-25
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-02-25
|
|
Detect DGA domains using pretrained model in DSDL
|
|
T1568.002
|
Anomaly
|
Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2026-02-25
|
|
Detect DNS Data Exfiltration using pretrained model in DSDL
|
|
T1048.003
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Detect DNS Query to Decommissioned S3 Bucket
|
Sysmon EventID 22
|
T1485
|
Anomaly
|
AWS S3 Bucket Security Monitoring, Data Destruction
|
2026-02-25
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Detect Large ICMP Traffic
|
Palo Alto Network Traffic
|
T1095
|
TTP
|
Backdoor Pingpong, China-Nexus Threat Activity, Command And Control
|
2026-02-25
|
|
Detect Outbound LDAP Traffic
|
Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic
|
T1190
T1059
|
Hunting
|
Cisco Secure Firewall Threat Defense Analytics, Log4Shell CVE-2021-44228
|
2026-02-25
|
|
Detect Outbound SMB Traffic
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.002
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group
|
2026-02-25
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-02-25
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Detect SNICat SNI Exfiltration
|
|
T1041
|
TTP
|
Data Exfiltration
|
2026-02-25
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-02-25
|
|
Detect suspicious DNS TXT records using pretrained model in DSDL
|
|
T1568.002
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic, VoidLink Cloud-Native Linux Malware
|
2026-02-25
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-02-25
|
|
Detect Unauthorized Assets by MAC address
|
|
|
TTP
|
Asset Tracking
|
2026-02-25
|
|
Detect Windows DNS SIGRed via Zeek
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-02-25
|
|
Detect Zerologon via Zeek
|
|
T1190
|
TTP
|
Black Basta Ransomware, Detect Zerologon Attack, Rhysida Ransomware
|
2026-02-25
|
|
DNS Kerberos Coercion
|
Suricata, Sysmon EventID 22
|
T1557.001
T1187
T1071.004
|
TTP
|
Compromised Windows Host, Kerberos Coercion with DNS, Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic
|
2026-02-25
|
|
DNS Query Length Outliers - MLTK
|
|
T1071.004
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2026-02-25
|
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
T1048.003
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2026-02-25
|
|
Excessive DNS Failures
|
|
T1071.004
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2026-02-25
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1190
T1133
|
TTP
|
CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388
|
2026-02-25
|
|
Hosts receiving high volume of network traffic from email server
|
|
T1114.002
|
Anomaly
|
Collection and Staging
|
2026-02-25
|
|
HTTP C2 Framework User Agent
|
Suricata
|
T1071.001
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Brute Ratel C4, Cobalt Strike, Malicious PowerShell, Meterpreter, Spearphishing Attachments, Suspicious User Agents, Tuoni
|
2026-02-25
|
|
HTTP Malware User Agent
|
Suricata
|
T1071.001
|
TTP
|
Crypto Stealer, Lokibot, Lumma Stealer, Meduza Stealer, RedLine Stealer, Suspicious User Agents
|
2026-02-25
|
|
HTTP PUA User Agent
|
Suricata
|
T1071.001
|
Anomaly
|
BlackSuit Ransomware, Cactus Ransomware, Local Privilege Escalation With KrbRelayUp, Suspicious User Agents
|
2026-02-25
|
|
HTTP RMM User Agent
|
Suricata
|
T1071.001
T1219
|
Anomaly
|
Remote Monitoring and Management Software, Suspicious User Agents
|
2026-02-25
|
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Internal Vulnerability Scan
|
|
T1595.002
T1046
|
TTP
|
Network Discovery, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Large Volume of DNS ANY Queries
|
|
T1498.002
|
Anomaly
|
DNS Amplification Attacks
|
2026-02-25
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
T1572
T1090
T1102
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2026-02-25
|
|
Prohibited Network Traffic Allowed
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware
|
2026-02-25
|
|
Protocols passing authentication in cleartext
|
Cisco Secure Firewall Threat Defense Connection Event
|
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Use of Cleartext Protocols
|
2026-02-25
|
|
Remote Desktop Network Traffic
|
Zeek Conn
|
T1021.001
|
Anomaly
|
Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware, Windows RDP Artifacts and Defense Evasion
|
2026-02-25
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2026-02-25
|
|
SMB Traffic Spike
|
|
T1021.002
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2026-02-25
|
|
SMB Traffic Spike - MLTK
|
|
T1021.002
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2026-02-25
|
|
SSL Certificates with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-02-25
|
|
TOR Traffic
|
Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic
|
T1090.003
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Command And Control, Interlock Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware
|
2026-02-25
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
TTP
|
Trickbot
|
2026-02-25
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
T1102
|
TTP
|
CISA AA24-241A, Malicious Inno Setup Loader, NjRAT
|
2026-02-25
|
|
Windows AD Replication Service Traffic
|
|
T1003.006
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-02-25
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
T1071.004
T1102.002
|
Anomaly
|
0bj3ctivity Stealer, Crypto Stealer
|
2026-02-25
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
Anomaly
|
0bj3ctivity Stealer, Azorult, Castle RAT, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Quasar RAT, Snake Keylogger, Water Gamayun
|
2026-02-25
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
T1071.003
|
Anomaly
|
AgentTesla, Interlock Ransomware
|
2026-02-25
|
|
Windows Remote Desktop Network Bruteforce Attempt
|
Sysmon EventID 3
|
T1110.001
|
Anomaly
|
Compromised User Account, Ryuk Ransomware, SamSam Ransomware, Windows RDP Artifacts and Defense Evasion
|
2026-02-25
|
|
Zeek x509 Certificate with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-02-25
|
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
T1190
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2026-02-25
|
|
Adobe ColdFusion Access Control Bypass
|
Suricata
|
T1190
|
TTP
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-02-25
|
|
Adobe ColdFusion Unauthenticated Arbitrary File Read
|
Suricata
|
T1190
|
TTP
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-02-25
|
|
Cisco IOS XE Implant Access
|
Suricata
|
T1190
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2026-02-25
|
|
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
|
Suricata
|
T1190
|
Anomaly
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-02-25
|
|
Citrix ADC and Gateway Unauthorized Data Disclosure
|
Suricata
|
T1190
|
TTP
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Citrix ADC Exploitation CVE-2023-3519
|
Palo Alto Network Threat
|
T1190
|
Hunting
|
CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519
|
2026-02-25
|
|
Citrix ShareFile Exploitation CVE-2023-24489
|
Suricata
|
T1190
|
Hunting
|
Citrix ShareFile RCE CVE-2023-24489
|
2026-02-25
|
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-02-25
|
|
Confluence Data Center and Server Privilege Escalation
|
Nginx Access
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities
|
2026-02-25
|
|
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
|
Suricata
|
T1190
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-02-25
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1505
T1190
T1133
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2026-02-25
|
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-02-25
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2026-02-25
|
|
Detect malicious requests to exploit JBoss servers
|
|
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2026-02-25
|
|
Detect Web Access to Decommissioned S3 Bucket
|
AWS Cloudfront
|
T1485
|
Anomaly
|
AWS S3 Bucket Security Monitoring, Data Destruction
|
2026-02-25
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1133
T1190
T1505.003
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2026-02-25
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
T1190
T1133
|
TTP
|
Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware
|
2026-02-25
|
|
F5 TMUI Authentication Bypass
|
Suricata
|
|
TTP
|
F5 Authentication Bypass with TMUI
|
2026-02-25
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
T1190
T1133
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2026-02-25
|
|
High Volume of Bytes Out to Url
|
Nginx Access
|
T1567
|
Anomaly
|
Data Exfiltration, Hellcat Ransomware
|
2026-02-25
|
|
HTTP Duplicated Header
|
Suricata
|
T1071.001
T1190
|
Anomaly
|
HTTP Request Smuggling
|
2026-02-25
|
|
HTTP Possible Request Smuggling
|
Suricata
|
T1071.001
|
TTP
|
HTTP Request Smuggling
|
2026-02-25
|
|
HTTP Rapid POST with Mixed Status Codes
|
Nginx Access
|
T1071.001
T1190
T1595
|
Anomaly
|
HTTP Request Smuggling
|
2026-02-25
|
|
HTTP Request to Reserved Name on IIS Server
|
Suricata
|
T1071.001
T1190
|
TTP
|
HTTP Request Smuggling
|
2026-02-25
|
|
HTTP Scripting Tool User Agent
|
Nginx Access
|
T1071.001
|
Anomaly
|
HTTP Request Smuggling, Suspicious User Agents
|
2026-02-25
|
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
T1190
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2026-02-25
|
|
Ivanti Connect Secure SSRF in SAML Component
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities
|
2026-02-25
|
|
Ivanti Connect Secure System Information Access via Auth Bypass
|
Suricata
|
T1190
|
Anomaly
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2026-02-25
|
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Ivanti EPM Vulnerabilities
|
2026-02-25
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
T1190
T1133
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-02-25
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
T1190
T1133
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-02-25
|
|
Ivanti Sentry Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
Ivanti Sentry Authentication Bypass CVE-2023-38035
|
2026-02-25
|
|
Java Class File download by Java User Agent
|
Splunk Stream HTTP
|
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-02-25
|
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, Jenkins Server Vulnerabilities
|
2026-02-25
|
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-02-25
|
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
Hellcat Ransomware, JetBrains TeamCity Vulnerabilities
|
2026-02-25
|
|
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-02-25
|
|
JetBrains TeamCity RCE Attempt
|
Suricata
|
T1190
|
TTP
|
CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-02-25
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1190
T1105
T1059
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-02-25
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1190
T1133
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-02-25
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1190
T1133
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-02-25
|
|
Microsoft SharePoint Server Elevation of Privilege
|
Suricata
|
T1068
|
TTP
|
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
|
2026-02-25
|
|
Monitor Web Traffic For Brand Abuse
|
|
|
TTP
|
Brand Monitoring
|
2026-02-25
|
|
Multiple Archive Files Http Post Traffic
|
Splunk Stream HTTP
|
T1048.003
|
TTP
|
APT37 Rustonotto and FadeStealer, Command And Control, Data Exfiltration, Hellcat Ransomware
|
2026-02-25
|
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Hellcat Ransomware, Scattered Lapsus$ Hunters, Seashell Blizzard
|
2026-02-25
|
|
Plain HTTP POST Exfiltrated Data
|
Splunk Stream HTTP
|
T1048.003
|
TTP
|
APT37 Rustonotto and FadeStealer, Command And Control, Data Exfiltration
|
2026-02-25
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1190
T1133
|
Correlation
|
ProxyNotShell, ProxyShell, Seashell Blizzard
|
2026-02-25
|
|
SAP NetWeaver Visual Composer Exploitation Attempt
|
Suricata
|
T1190
|
Hunting
|
SAP NetWeaver Exploitation
|
2026-02-25
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-02-25
|
|
SQL Injection with Long URLs
|
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Injection
|
2026-02-25
|
|
Supernova Webshell
|
|
T1505.003
T1133
|
TTP
|
Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, NOBELIUM Group
|
2026-02-25
|
|
Tomcat Session Deserialization Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-02-25
|
|
Tomcat Session File Upload Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-02-25
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1133
T1190
T1210
T1068
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-02-25
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
T1190
T1133
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2026-02-25
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
T1190
T1133
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2026-02-25
|
|
Web JSP Request via URL
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Earth Alux, Spring4Shell CVE-2022-22965
|
2026-02-25
|
|
Web Remote ShellServlet Access
|
Nginx Access
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, GhostRedirector IIS Module and Rungan Backdoor
|
2026-02-25
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
T1190
T1133
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-02-25
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1190
T1133
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-02-25
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1190
T1133
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell, Seashell Blizzard
|
2026-02-25
|
|
Windows IIS Server PSWA Console Access
|
Windows IIS
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-02-25
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-02-25
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-02-25
|
|
WordPress Bricks Builder plugin RCE
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, WordPress Vulnerabilities
|
2026-02-25
|
|
WS FTP Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities
|
2026-02-25
|
|
Zscaler Adware Activities Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Behavior Analysis Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Employment Search Web Activity
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Exploit Threat Blocked
|
|
T1566
|
TTP
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Legal Liability Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Malware Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Phishing Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Hellcat Ransomware, Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Potentially Abused File Download
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Scam Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Zscaler Virus Download threat blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-02-25
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Earth Alux, Qakbot
|
2026-02-23
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
Anomaly
|
Earth Alux, Qakbot
|
2026-02-23
|
|
Windows Process Injection into Commonly Abused Processes
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation
|
2026-02-23
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Earth Alux, Graceful Wipe Out Attack, Qakbot, Warzone RAT, Water Gamayun
|
2026-02-23
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Cactus Ransomware, Castle RAT, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, DynoWiper, Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, Interlock Ransomware, Interlock Rat, LockBit Ransomware, Lokibot, Meduza Stealer, MoonPeak, NailaoLocker Ransomware, NjRAT, PlugX, PromptLock, Qakbot, Quasar RAT, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, SesameOp, Snake Keylogger, SnappyBee, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XML Runner Loader, XMRig
|
2026-02-12
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-02-12
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-02-12
|
|
Windows High File Deletion Frequency
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Black Basta Ransomware, Clop Ransomware, DarkCrystal RAT, Data Destruction, DynoWiper, Handala Wiper, Interlock Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Sandworm Tools, Swift Slicer, WhisperGate, ZOVWiper
|
2026-02-12
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
Anomaly
|
APT37 Rustonotto and FadeStealer, DarkGate Malware, ZOVWiper
|
2026-02-12
|
|
Windows System Shutdown CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1529
|
Anomaly
|
DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Quasar RAT, Sandworm Tools, Scattered Lapsus$ Hunters, XWorm, ZOVWiper
|
2026-02-12
|
|
Linux apt-get Privilege Escalation
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-10
|
|
Linux APT Privilege Escalation
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-02-10
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Black Basta Ransomware, CISA AA24-241A, Cactus Ransomware, IcedID, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse
|
2026-02-09
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, CISA AA23-347A, IcedID, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse
|
2026-02-09
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, Black Basta Ransomware, CISA AA23-347A, Cactus Ransomware, NetSupport RMM Tool Abuse, Ransomware, RedLine Stealer, Revil Ransomware, Scattered Lapsus$ Hunters, SolarWinds WHD RCE Post Exploitation, Storm-0501 Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-02-09
|
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
|
Hunting
|
CISA AA22-320A, Crypto Stealer, DarkCrystal RAT, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Microsoft SharePoint Vulnerabilities, Microsoft WSUS CVE-2025-59287, NOBELIUM Group, Qakbot, Sandworm Tools, Scattered Spider, SolarWinds WHD RCE Post Exploitation, Volt Typhoon, WhisperGate
|
2026-02-09
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, Lokibot, Medusa Ransomware, MoonPeak, NOBELIUM Group, NetSupport RMM Tool Abuse, NjRAT, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, Quasar RAT, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, Sandworm Tools, Scattered Spider, Scheduled Tasks, ShrinkLocker, SolarWinds WHD RCE Post Exploitation, Trickbot, ValleyRAT, Windows Persistence Techniques, Winter Vivern, XWorm
|
2026-02-09
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
Sysmon EventID 13
|
T1059.001
|
TTP
|
Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, SystemBC
|
2026-02-09
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Azorult, CISA AA23-347A, CISA AA24-241A, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, Living Off The Land, Lokibot, Malicious Inno Setup Loader, Medusa Ransomware, MoonPeak, NetSupport RMM Tool Abuse, Quasar RAT, Ransomware, Ryuk Ransomware, Salt Typhoon, Scattered Spider, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques, XWorm
|
2026-02-09
|
|
System Information Discovery Detection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
TTP
|
BlackSuit Ransomware, Cleo File Transfer Software, Gozi Malware, Interlock Ransomware, LAMEHUG, Medusa Ransomware, NetSupport RMM Tool Abuse, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques
|
2026-02-09
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.007
|
Anomaly
|
CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Medusa Ransomware, Qakbot, Rhysida Ransomware, SolarWinds WHD RCE Post Exploitation, Tuoni, Volt Typhoon, Water Gamayun
|
2026-02-09
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-02-09
|
|
Windows DLL Module Loaded in Temp Dir
|
Sysmon EventID 7
|
T1105
|
Hunting
|
Interlock Rat, Lokibot, SolarWinds WHD RCE Post Exploitation
|
2026-02-09
|
|
Windows File Download Via PowerShell
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1105
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Microsoft WSUS CVE-2025-59287, NPM Supply Chain Compromise, NetSupport RMM Tool Abuse, PHP-CGI RCE Attack on Japanese Organizations, Phemedrone Stealer, SolarWinds WHD RCE Post Exploitation, StealC Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Tuoni, Winter Vivern, XWorm
|
2026-02-09
|
|
Windows Group Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
|
Hunting
|
Active Directory Discovery, Azorult, Cleo File Transfer Software, Graceful Wipe Out Attack, IcedID, Medusa Ransomware, Microsoft WSUS CVE-2025-59287, Prestige Ransomware, Rhysida Ransomware, SolarWinds WHD RCE Post Exploitation, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation
|
2026-02-09
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm
|
2026-02-09
|
|
Windows HTTP Network Communication From MSIExec
|
Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3
|
T1218.007
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor, SolarWinds WHD RCE Post Exploitation, Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-02-09
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-02-09
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, RedLine Stealer, SolarWinds WHD RCE Post Exploitation
|
2026-02-09
|
|
Windows MSIExec Remote Download
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, StealC Stealer, Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-02-09
|
|
Windows Process Execution From ProgramData
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
|
Hunting
|
APT37 Rustonotto and FadeStealer, China-Nexus Threat Activity, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, SnappyBee, SolarWinds WHD RCE Post Exploitation, StealC Stealer, XWorm
|
2026-02-09
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
AsyncRAT, CISA AA23-347A, Castle RAT, Compromised Windows Host, NetSupport RMM Tool Abuse, Quasar RAT, RedLine Stealer, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, XWorm
|
2026-02-09
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
APT37 Rustonotto and FadeStealer, Quasar RAT, Ransomware, Ryuk Ransomware, Scheduled Tasks, Seashell Blizzard, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques
|
2026-02-09
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Castle RAT, Medusa Ransomware, Qakbot, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques
|
2026-02-09
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Crypto Stealer, Derusbi, PlugX, Salt Typhoon, SnappyBee, SolarWinds WHD RCE Post Exploitation, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2026-02-09
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
China-Nexus Threat Activity, Derusbi, Earth Alux, NjRAT, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Warzone RAT
|
2026-02-09
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
China-Nexus Threat Activity, DarkGate Malware, Derusbi, Lokibot, Malicious Inno Setup Loader, NailaoLocker Ransomware, PlugX, Salt Typhoon, SnappyBee, SolarWinds WHD RCE Post Exploitation, XWorm
|
2026-02-09
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
T1053.005
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Malicious Inno Setup Loader, PlugX, Prestige Ransomware, Qakbot, Remcos, Sandworm Tools, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, SystemBC, ValleyRAT, Windows Persistence Techniques, Winter Vivern
|
2026-02-09
|
|
MCP Filesystem Server Suspicious Extension Write
|
MCP Server
|
T1059
|
Hunting
|
Suspicious MCP Activities
|
2026-02-05
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
APT37 Rustonotto and FadeStealer, AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, Interlock Rat, LockBit Ransomware, Lokibot, Meduza Stealer, MoonPeak, NjRAT, PlugX, PromptFlux, PromptLock, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, SesameOp, Snake Keylogger, SnappyBee, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XML Runner Loader, XMRig
|
2026-02-03
|
|
Windows MMC Loaded Script Engine DLL
|
Sysmon EventID 7
|
T1620
|
Anomaly
|
XML Runner Loader
|
2026-02-03
|
|
Curl Execution with Percent Encoded URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
T1027
T1105
|
Anomaly
|
Compromised Windows Host, Ingress Tool Transfer, Living Off The Land
|
2026-02-02
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-02-02
|
|
Windows TOR Client Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090.003
|
Anomaly
|
Command And Control, Compromised Windows Host, Data Exfiltration, Data Protection, Windows Post-Exploitation
|
2026-02-02
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
T1564.003
|
Anomaly
|
Browser Hijacking, Forest Blizzard
|
2026-01-29
|
|
Windows Chromium Process Loaded Extension via Command-Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-01-29
|
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, Scattered Lapsus$ Hunters
|
2026-01-29
|
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, Scattered Lapsus$ Hunters
|
2026-01-29
|
|
Protocol or Port Mismatch
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-01-29
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments
|
2026-01-23
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 11
|
T1566.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments
|
2026-01-23
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1562
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2026-01-23
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1190
T1133
|
TTP
|
PaperCut MF NG Vulnerability
|
2026-01-23
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1136
T1078
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-01-22
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic
|
2026-01-22
|
|
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1587.002
T1588.004
T1071.001
T1573.002
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-01-21
|
|
Cisco Secure Firewall - High EVE Threat Confidence
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1071.001
T1105
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-01-21
|
|
Cisco Secure Firewall - Intrusion Events by Threat Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics
|
2026-01-21
|
|
Cisco Secure Firewall - Potential Data Exfiltration
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1567.002
T1048.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-01-21
|
|
Detect RClone Command-Line Usage
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1020
|
TTP
|
Black Basta Ransomware, Cactus Ransomware, Cisco Network Visibility Module Analytics, DarkSide Ransomware, Hellcat Ransomware, Ransomware, Storm-0501 Ransomware
|
2026-01-20
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Storm-0501 Ransomware, Volt Typhoon, WhisperGate
|
2026-01-20
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Storm-0501 Ransomware, Volt Typhoon, WhisperGate
|
2026-01-20
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1574.006
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware
|
2026-01-20
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
T1219
|
Anomaly
|
CISA AA24-241A, Cactus Ransomware, Command And Control, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard
|
2026-01-19
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.004
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2026-01-19
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-01-19
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
T1219
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider
|
2026-01-19
|
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
T1219
|
Anomaly
|
Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider
|
2026-01-19
|
|
Detect Remote Access Software Usage URL
|
Palo Alto Network Threat
|
T1219
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters
|
2026-01-19
|
|
File with Samsam Extension
|
Sysmon EventID 11
|
|
TTP
|
Hellcat Ransomware, SamSam Ransomware
|
2026-01-17
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
T1098.005
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-01-16
|
|
Common Ransomware Notes
|
Sysmon EventID 11
|
T1485
|
Hunting
|
Black Basta Ransomware, Chaos Ransomware, Clop Ransomware, Hellcat Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware, Storm-0501 Ransomware, Termite Ransomware
|
2026-01-16
|
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
Anomaly
|
China-Nexus Threat Activity, Crypto Stealer, Rhysida Ransomware, Salt Typhoon, SnappyBee, Unusual Processes
|
2026-01-15
|
|
Cisco Duo Bulk Policy Deletion
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-01-14
|
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Compromised User Account
|
2026-01-14
|
|
Suspicious Email Attachment Extensions
|
|
T1566.001
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2026-01-14
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation
|
2026-01-14
|
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
Kubernetes Anomalous Traffic on Network Edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
Kubernetes Nginx Ingress LFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2026-01-14
|
|
Kubernetes Nginx Ingress RFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2026-01-14
|
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
Kubernetes Process with Resource Ratio Anomalies
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-01-14
|
|
O365 Email Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
T1114.002
T1552
|
Anomaly
|
CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques
|
2026-01-14
|
|
O365 SharePoint Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
T1213.002
T1552
|
Anomaly
|
CISA AA22-320A, Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques
|
2026-01-14
|
|
7zip CommandLine To SMB Share Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Hunting
|
Ransomware
|
2026-01-14
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1552.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-01-14
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
T1548
|
TTP
|
Azorult, MoonPeak, Ransomware, Windows Registry Abuse
|
2026-01-14
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
T1552.002
|
TTP
|
BlackMatter Ransomware, Windows Registry Abuse
|
2026-01-14
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2026-01-14
|
|
Credential Dumping via Copy Command from Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Compromised Windows Host, Credential Dumping
|
2026-01-14
|
|
Detect Baron Samedit CVE-2021-3156
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-01-14
|
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-01-14
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.009
|
TTP
|
Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-01-14
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1562.001
T1564.001
|
Anomaly
|
Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1562.001
|
TTP
|
Windows Registry Abuse, XMRig
|
2026-01-14
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204.002
|
Hunting
|
IcedID
|
2026-01-14
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
T1021
|
TTP
|
Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch, Windows RDP Artifacts and Defense Evasion, Windows Registry Abuse
|
2026-01-14
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1112
T1003
|
TTP
|
CISA AA22-320A, Credential Dumping, Windows Registry Abuse
|
2026-01-14
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
Compromised Windows Host, Water Gamayun, XMRig
|
2026-01-14
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1562.006
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2026-01-14
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, Warzone RAT, Windows Registry Abuse, XMRig
|
2026-01-14
|
|
IcedID Exfiltrated Archived File Creation
|
Sysmon EventID 11
|
T1560.001
|
Hunting
|
APT37 Rustonotto and FadeStealer, IcedID
|
2026-01-14
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-01-14
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Hermetic Wiper, Malicious PowerShell
|
2026-01-14
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-01-14
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
T1562.001
|
TTP
|
Data Destruction, WhisperGate
|
2026-01-14
|
|
Process Deleting Its Process File Path
|
Sysmon EventID 1
|
T1070
|
TTP
|
Clop Ransomware, Data Destruction, Remcos, WhisperGate
|
2026-01-14
|
|
Remcos client registry install entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Remcos, Windows Registry Abuse
|
2026-01-14
|
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Remcos
|
2026-01-14
|
|
Revil Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2026-01-14
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Living Off The Land
|
2026-01-14
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Living Off The Land
|
2026-01-14
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2026-01-14
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.011
|
TTP
|
Compromised Windows Host, Windows Persistence Techniques
|
2026-01-14
|
|
SilentCleanup UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-01-14
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
T1068
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-01-14
|
|
Spoolsv Writing a DLL
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1547.012
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2026-01-14
|
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
T1005
|
TTP
|
IcedID, Lokibot
|
2026-01-14
|
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
T1113
|
TTP
|
APT37 Rustonotto and FadeStealer, Remcos
|
2026-01-14
|
|
Suspicious WAV file in Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1113
|
TTP
|
Remcos
|
2026-01-14
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2026-01-14
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1055
|
TTP
|
Hellcat Ransomware, Trickbot
|
2026-01-14
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
T1218.014
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-01-14
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-01-14
|
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-01-14
|
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-01-14
|
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-01-14
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-01-14
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-01-14
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2026-01-14
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics
|
2026-01-14
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2026-01-14
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2026-01-14
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2026-01-14
|
|
Windows Cached Domain Credentials Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.005
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-01-14
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters
|
2026-01-14
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters
|
2026-01-14
|
|
Windows Credentials in Registry Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1552.002
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-01-14
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-01-14
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Windows Disable Memory Crash Dump
|
Sysmon EventID 13
|
T1485
|
TTP
|
Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse
|
2026-01-14
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, ValleyRAT
|
2026-01-14
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
CISA AA23-347A, Hellcat Ransomware, Water Gamayun
|
2026-01-14
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Compromised Windows Host, Qakbot, Water Gamayun
|
2026-01-14
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-01-14
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
T1112
|
Anomaly
|
Qakbot
|
2026-01-14
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-01-14
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-01-14
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-01-14
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-01-14
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
T1110.003
|
TTP
|
Active Directory Password Spraying
|
2026-01-14
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
T1562.002
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-01-14
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
NjRAT
|
2026-01-14
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
PXA Stealer, Snake Keylogger, StealC Stealer
|
2026-01-14
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2026-01-14
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-01-14
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1548
T1134
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2026-01-14
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1548
T1134
|
TTP
|
BlackSuit Ransomware, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation
|
2026-01-14
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-01-14
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-01-14
|
|
Windows Rundll32 Load DLL in Temp Dir
|
Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Interlock Rat
|
2026-01-14
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-01-14
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
ValleyRAT, Water Gamayun
|
2026-01-14
|
|
Windows Screen Capture in TEMP folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
APT37 Rustonotto and FadeStealer, Braodo Stealer, Crypto Stealer, Hellcat Ransomware, StealC Stealer
|
2026-01-14
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.005
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2026-01-14
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-01-14
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-01-14
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-01-14
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-01-14
|
|
WSReset UAC Bypass
|
Sysmon EventID 12, Sysmon EventID 13
|
T1548.002
|
TTP
|
Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-01-14
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-01-14
|
|
Detect F5 TMUI RCE CVE-2020-5902
|
|
T1190
|
TTP
|
F5 TMUI RCE CVE-2020-5902
|
2026-01-14
|
|
M365 Copilot Jailbreak Attempts
|
M365 Exported eDiscovery Prompts
|
T1562.001
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-01-13
|
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity, XWorm
|
2026-01-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity, XWorm
|
2026-01-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
T1547
|
Anomaly
|
APT29 Diplomatic Deceptions with WINELOADER, China-Nexus Threat Activity, Derusbi, Earth Alux, Salt Typhoon, XWorm
|
2026-01-13
|
|
Modification Of Wallpaper
|
Sysmon EventID 13
|
T1491
|
TTP
|
Black Basta Ransomware, BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse, ZOVWiper
|
2026-01-12
|
|
Windows Chrome Auto-Update Disabled via Registry
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-01-12
|
|
Windows Chrome Enable Extension Loading via Command-Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-01-12
|
|
Windows Chrome Extension Allowed Registry Modification
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-01-12
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2026-01-10
|
|
Cisco Isovalent - Shell Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-01-05
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Earth Alux, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-01-01
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.011
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cactus Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2026-01-01
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-01-01
|
|
Single Letter Process On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
|
TTP
|
Compromised Windows Host, DHS Report TA18-074A
|
2025-12-29
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
APT37 Rustonotto and FadeStealer, AgentTesla, BlackByte Ransomware, CISA AA22-320A, Interlock Ransomware, Snake Keylogger, XMRig
|
2025-12-19
|
|
Windows Curl Download to Suspicious Path
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
APT37 Rustonotto and FadeStealer, Black Basta Ransomware, China-Nexus Threat Activity, Cisco Network Visibility Module Analytics, Compromised Windows Host, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, IcedID, Ingress Tool Transfer, NPM Supply Chain Compromise, Salt Typhoon
|
2025-12-18
|
|
Windows Curl Upload to Remote Destination
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Cisco Network Visibility Module Analytics, Compromised Windows Host, Ingress Tool Transfer, Microsoft WSUS CVE-2025-59287, NPM Supply Chain Compromise, PromptLock
|
2025-12-18
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1218.011
|
Anomaly
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2025-12-18
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Chaos Ransomware, Crypto Stealer, Gozi Malware, Interlock Ransomware, NjRAT, PromptFlux, Quasar RAT, RedLine Stealer, XWorm
|
2025-12-17
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, FIN7, Lokibot, Malicious Inno Setup Loader, NjRAT, Phemedrone Stealer, Quasar RAT, RedLine Stealer, Remcos, Salt Typhoon, Snake Keylogger, SnappyBee, StealC Stealer, Warzone RAT
|
2025-12-16
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
0bj3ctivity Stealer, 3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, FIN7, Lokibot, Malicious Inno Setup Loader, NjRAT, Phemedrone Stealer, Quasar RAT, RedLine Stealer, Remcos, Salt Typhoon, Snake Keylogger, SnappyBee, StealC Stealer, Warzone RAT
|
2025-12-16
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
0bj3ctivity Stealer, Braodo Stealer, China-Nexus Threat Activity, Earth Alux, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, PXA Stealer, Quasar RAT, Salt Typhoon, Scattered Lapsus$ Hunters, Scattered Spider, Snake Keylogger, SnappyBee, StealC Stealer
|
2025-12-16
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
0bj3ctivity Stealer, Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer, StealC Stealer
|
2025-12-16
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
0bj3ctivity Stealer, Amadey, Braodo Stealer, China-Nexus Threat Activity, DarkGate Malware, Earth Alux, Lokibot, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, Quasar RAT, RedLine Stealer, Salt Typhoon, Scattered Lapsus$ Hunters, Snake Keylogger, SnappyBee, StealC Stealer, Warzone RAT
|
2025-12-16
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
0bj3ctivity Stealer, Amadey, Braodo Stealer, China-Nexus Threat Activity, DarkGate Malware, Earth Alux, Lokibot, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, Quasar RAT, RedLine Stealer, Salt Typhoon, Scattered Lapsus$ Hunters, Snake Keylogger, SnappyBee, StealC Stealer, Warzone RAT
|
2025-12-16
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Meduza Stealer, RedLine Stealer, StealC Stealer
|
2025-12-16
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
T1552
|
Anomaly
|
0bj3ctivity Stealer, Lokibot, Meduza Stealer, Snake Keylogger, StealC Stealer
|
2025-12-16
|
|
Windows Unusual Process Load Mozilla NSS-Mozglue Module
|
Sysmon EventID 7
|
T1218.003
|
Anomaly
|
0bj3ctivity Stealer, Lokibot, Quasar RAT, StealC Stealer
|
2025-12-16
|
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-12-15
|
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-12-15
|
|
Esentutl SAM Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
|
Hunting
|
Credential Dumping, Living Off The Land
|
2025-12-15
|
|
Network Discovery Using Route Windows App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016.001
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation
|
2025-12-15
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.001
|
Hunting
|
Data Destruction, Hermetic Wiper, Quasar RAT, Windows Privilege Escalation
|
2025-12-15
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2025-12-15
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware
|
2025-12-15
|
|
System Info Gathering Using Dxdiag Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1592
|
Hunting
|
Remcos
|
2025-12-15
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.012
|
Hunting
|
Unusual Processes
|
2025-12-15
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Living Off The Land
|
2025-12-15
|
|
Windows Office Product Spawned Uncommon Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, DarkCrystal RAT, FIN7, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot, Warzone RAT
|
2025-12-15
|
|
Windows SQLCMD Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2025-12-15
|
|
Windows Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
T1036.005
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Castle RAT, Chaos Ransomware, China-Nexus Threat Activity, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, Interlock Ransomware, Interlock Rat, LockBit Ransomware, Lokibot, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, NailaoLocker Ransomware, Phemedrone Stealer, PlugX, Prestige Ransomware, PromptLock, Qakbot, Quasar RAT, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, SesameOp, SnappyBee, StealC Stealer, Swift Slicer, SystemBC, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, Water Gamayun, WhisperGate, XMRig, XWorm
|
2025-12-15
|
|
Windows NirSoft Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1588.002
|
Hunting
|
Data Destruction, WhisperGate
|
2025-12-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Cactus Ransomware, Castle RAT, Chaos Ransomware, China-Nexus Threat Activity, DHS Report TA18-074A, DarkCrystal RAT, DarkGate Malware, Derusbi, Emotet Malware DHS Report TA18-201A, IcedID, Interlock Ransomware, Lokibot, MoonPeak, NetSupport RMM Tool Abuse, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Quasar RAT, Ransomware, RedLine Stealer, Remcos, Salt Typhoon, Snake Keylogger, SnappyBee, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, SystemBC, ValleyRAT, Warzone RAT, WinDealer RAT, Windows Persistence Techniques, Windows Registry Abuse, XWorm
|
2025-12-10
|
|
Windows Process Execution in Temp Dir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
T1036.005
|
Anomaly
|
AgentTesla, Lokibot, NjRAT, PathWiper, PromptLock, Qakbot, Ransomware, Remcos, Ryuk Ransomware, SesameOp, Trickbot, XWorm
|
2025-12-10
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
|
TTP
|
Braodo Stealer, Cactus Ransomware, Data Destruction, Malicious Inno Setup Loader, Meduza Stealer, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, WhisperGate
|
2025-12-10
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1190
T1059.004
|
TTP
|
React2Shell
|
2025-12-05
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Derusbi, GhostRedirector IIS Module and Rungan Backdoor, Lokibot, Meduza Stealer, PathWiper, PlugX, Salt Typhoon, Scattered Lapsus$ Hunters, SnappyBee, Tuoni, ValleyRAT, WinDealer RAT
|
2025-12-04
|
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
T1110.001
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-12-01
|
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
T1110.001
T1110.003
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group
|
2025-12-01
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Cwd, Linux Auditd Path
|
T1548.003
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-11-27
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1098.004
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-11-27
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon
|
2025-11-27
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1053.003
|
Hunting
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-11-27
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Cwd, Linux Auditd Path
|
T1546.004
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-11-27
|
|
Linux Magic SysRq Key Abuse
|
Linux Auditd Cwd, Linux Auditd Path
|
T1059.004
T1529
T1489
T1499
|
TTP
|
Compromised Linux Host
|
2025-11-27
|
|
File Download or Read to Pipe Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228, NPM Supply Chain Compromise
|
2025-11-25
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1574.006
T1554
T1195
|
Hunting
|
NPM Supply Chain Compromise
|
2025-11-25
|
|
Shai-Hulud 2 Exfiltration Artifact Files
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1074.001
T1552.001
T1195.002
|
TTP
|
NPM Supply Chain Compromise
|
2025-11-25
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1574.006
T1554
T1195
|
TTP
|
NPM Supply Chain Compromise
|
2025-11-25
|
|
Windows Cabinet File Extraction Via Expand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
APT37 Rustonotto and FadeStealer, NetSupport RMM Tool Abuse
|
2025-11-20
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, NetSupport RMM Tool Abuse, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics, XWorm
|
2025-11-20
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
Crypto Stealer, NetSupport RMM Tool Abuse
|
2025-11-20
|
|
Windows Local LLM Framework Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2025-11-20
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker
|
2025-11-20
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
T1112
|
Anomaly
|
CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker
|
2025-11-20
|
|
Windows NetSupport RMM DLL Loaded By Uncommon Process
|
Sysmon EventID 7
|
T1036
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2025-11-20
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2025-11-20
|
|
Windows NirSoft Tool Bundle File Created
|
Sysmon EventID 11
|
T1588.002
|
Anomaly
|
Data Destruction, Unusual Processes, WhisperGate
|
2025-11-19
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.010
T1059.001
|
Anomaly
|
Compromised Windows Host, Deobfuscate-Decode Files or Information
|
2025-11-19
|
|
Windows PsTools Recon Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
T1046
T1018
|
Anomaly
|
Compromised Windows Host
|
2025-11-19
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2025-11-12
|
|
Local LLM Framework DNS Query
|
Sysmon EventID 22
|
T1590
|
Hunting
|
Suspicious Local LLM Frameworks
|
2025-11-12
|
|
Windows Svchost.exe Parent Process Anomaly
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, SnappyBee
|
2025-11-07
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 17, Sysmon EventID 18
|
T1559
|
Hunting
|
Castle RAT, China-Nexus Threat Activity, Interlock Rat, Salt Typhoon, SnappyBee
|
2025-10-31
|
|
Windows Browser Process Launched with Unusual Flags
|
Sysmon EventID 1
|
T1185
|
Anomaly
|
Castle RAT
|
2025-10-31
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2025-10-31
|
|
Windows UAC Bypass Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
Castle RAT, Living Off The Land, Windows Defense Evasion Tactics
|
2025-10-31
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Microsoft WSUS CVE-2025-59287, Scheduled Tasks
|
2025-10-24
|
|
O365 Mailbox Folder Read Permission Assigned
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2025-10-21
|
|
Windows Process Writing File to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper
|
2025-10-21
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2025-10-20
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla, Hellcat Ransomware, Snake Keylogger
|
2025-10-20
|
|
Web or Application Server Spawning a Shell
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
T1190
T1133
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Cleo File Transfer Software, Data Destruction, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Microsoft SharePoint Vulnerabilities, Microsoft WSUS CVE-2025-59287, PHP-CGI RCE Attack on Japanese Organizations, ProxyNotShell, ProxyShell, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2025-10-16
|
|
Windows SSH Proxy Command
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1572
T1059.001
T1105
|
Anomaly
|
Hellcat Ransomware, Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2025-10-16
|
|
CrushFTP Server Side Template Injection
|
CrushFTP
|
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2025-10-14
|
|
ESXi SSH Brute Force
|
VMWare ESXi Syslog
|
T1110
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise, Hellcat Ransomware
|
2025-10-14
|
|
ESXi SSH Enabled
|
VMWare ESXi Syslog
|
T1021.004
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise, Hellcat Ransomware
|
2025-10-14
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1621
T1556.006
T1098.005
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
T1098.005
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
T1567.002
|
Anomaly
|
Dev Sec Ops, Insider Threat, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
O365 Privileged Role Assigned
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
O365 Privileged Role Assigned To Service Principal
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 13
|
T1219
|
Anomaly
|
CISA AA24-241A, Cactus Ransomware, Command And Control, Gozi Malware, Insider Threat, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard
|
2025-10-14
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
T1537
|
Anomaly
|
Hellcat Ransomware, Information Sabotage, Insider Threat
|
2025-10-14
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
0bj3ctivity Stealer, AgentTesla, AsyncRAT, Data Destruction, Hellcat Ransomware, Hermetic Wiper, Malicious PowerShell, Winter Vivern
|
2025-10-14
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Scattered Lapsus$ Hunters, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse
|
2025-10-14
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
T1555.004
|
Anomaly
|
Hellcat Ransomware, Meduza Stealer
|
2025-10-14
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-10-14
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-10-14
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-10-14
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-10-14
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-10-14
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
T1003.004
|
TTP
|
CISA AA23-347A, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
RedLine Stealer, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Hellcat Ransomware, Outlook RCE CVE-2024-21378
|
2025-10-14
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
CISA AA23-347A, Credential Dumping, Lokibot, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Scattered Lapsus$ Hunters
|
2025-10-14
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
T1505.001
|
Anomaly
|
Hellcat Ransomware, SQL Server Abuse
|
2025-10-14
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1190
T1059.003
T1059.001
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2025-10-14
|
|
Cisco ASA - Core Syslog Message Volume Drop
|
Cisco ASA Logs
|
T1562
|
Hunting
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2025-10-13
|
|
Advanced IP or Port Scanner Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1046
T1135
|
Anomaly
|
Windows Defense Evasion Tactics
|
2025-10-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2025-10-07
|
|
Ollama Abnormal Service Crash Availability Attack
|
Ollama Server
|
T1489
|
Anomaly
|
Suspicious Ollama Activities
|
2025-10-05
|
|
Ollama Excessive API Requests
|
Ollama Server
|
T1498
|
Anomaly
|
Suspicious Ollama Activities
|
2025-10-05
|
|
Ollama Possible Memory Exhaustion Resource Abuse
|
Ollama Server
|
T1499
|
Anomaly
|
Suspicious Ollama Activities
|
2025-10-05
|
|
Ollama Possible Model Exfiltration Data Leakage
|
Ollama Server
|
T1048
|
Anomaly
|
Suspicious Ollama Activities
|
2025-10-05
|
|
Ollama Possible RCE via Model Loading
|
Ollama Server
|
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2025-10-05
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1190
T1059
|
Anomaly
|
Suspicious Ollama Activities
|
2025-10-05
|
|
Windows Unusual Intelliform Storage Registry Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Lokibot, Quasar RAT
|
2025-09-30
|
|
M365 Copilot Agentic Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1562
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2025-09-25
|
|
M365 Copilot Information Extraction Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1562
|
TTP
|
Suspicious Microsoft 365 Copilot Activities
|
2025-09-25
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2025-09-24
|
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
T1560
|
Anomaly
|
APT37 Rustonotto and FadeStealer, CISA AA23-347A
|
2025-09-18
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
T1056.002
|
Hunting
|
APT37 Rustonotto and FadeStealer, Brute Ratel C4
|
2025-09-18
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
APT37 Rustonotto and FadeStealer, AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT
|
2025-09-18
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, BishopFox Sliver Adversary Emulation Framework, Earth Alux
|
2025-09-18
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
APT37 Rustonotto and FadeStealer, Chaos Ransomware, China-Nexus Threat Activity, Derusbi, NjRAT, PlugX, Salt Typhoon
|
2025-09-18
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
APT37 Rustonotto and FadeStealer, Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Clop Ransomware, Crypto Stealer, Derusbi, Flax Typhoon, PlugX, Qakbot, Salt Typhoon, Snake Malware
|
2025-09-18
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Chaos Ransomware, NjRAT, Quasar RAT, Snake Keylogger, XWorm
|
2025-09-18
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, ProxyNotShell, ProxyShell, Seashell Blizzard
|
2025-09-16
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1036.008
|
TTP
|
APT37 Rustonotto and FadeStealer, Amadey, GhostRedirector IIS Module and Rungan Backdoor, Remcos, Snake Keylogger, Unusual Processes, Water Gamayun
|
2025-09-16
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, GhostRedirector IIS Module and Rungan Backdoor, Medusa Ransomware
|
2025-09-16
|
|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
T1059.001
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2025-09-16
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1548
T1134
|
TTP
|
BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation
|
2025-09-16
|
|
Windows InstallUtil Remote Network Connection
|
Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3
|
T1218.004
|
Anomaly
|
Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2025-09-09
|
|
Windows InstallUtil URL in Command Line
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.004
|
TTP
|
Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2025-09-09
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2025-09-09
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1137
T1059.005
|
TTP
|
NotDoor Malware
|
2025-09-09
|
|
WMIC XSL Execution via URL
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1220
|
TTP
|
Cisco Network Visibility Module Analytics, Compromised Windows Host, Suspicious WMI Use
|
2025-09-09
|
|
Cisco Smart Install Oversized Packet Detection
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2025-09-09
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1562
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2025-09-08
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1137
T1008
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2025-09-08
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.002
|
TTP
|
0bj3ctivity Stealer, Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-08-22
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-08-20
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Brute Ratel C4, PathWiper
|
2025-08-20
|
|
Windows Raw Access To Disk Volume Partition
|
Sysmon EventID 9
|
T1561.002
|
Anomaly
|
BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Disk Wiper, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, PathWiper
|
2025-08-20
|
|
Windows Raw Access To Master Boot Record Drive
|
Sysmon EventID 9
|
T1561.002
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Disk Wiper, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, PathWiper, WhisperGate
|
2025-08-20
|
|
Windows RDP File Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1598.002
T1021.001
|
TTP
|
Interlock Ransomware, Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion
|
2025-08-07
|
|
ESXi Firewall Disabled
|
VMWare ESXi Syslog
|
T1562.004
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise
|
2025-08-06
|
|
ESXi Malicious VIB Forced Install
|
VMWare ESXi Syslog
|
T1505.006
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise
|
2025-08-06
|
|
ESXi Sensitive Files Accessed
|
VMWare ESXi Syslog
|
T1003.008
T1005
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise
|
2025-08-06
|
|
ESXi VIB Acceptance Level Tampering
|
VMWare ESXi Syslog
|
T1562
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise
|
2025-08-06
|
|
ESXi VM Discovery
|
VMWare ESXi Syslog
|
T1673
|
TTP
|
Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise
|
2025-08-06
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1553.005
T1204.002
|
TTP
|
MSIX Package Abuse
|
2025-08-05
|
|
Windows PowerShell Script From WindowsApps Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
TTP
|
MSIX Package Abuse, Malicious PowerShell
|
2025-08-05
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker, Windows RDP Artifacts and Defense Evasion
|
2025-08-01
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Azorult, BlackSuit Ransomware, Medusa Ransomware, Windows RDP Artifacts and Defense Evasion
|
2025-08-01
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-07-30
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-07-30
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
T1566.001
|
Hunting
|
AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT
|
2025-07-30
|
|
Windows Rdp AutomaticDestinations Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2025-07-30
|
|
Windows RDP Bitmap Cache File Creation
|
Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2025-07-30
|
|
Windows RDP Cache File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2025-07-30
|
|
Windows RDP Server Registry Deletion
|
Sysmon EventID 12, Sysmon EventID 13
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2025-07-30
|
|
Windows RDP Server Registry Entry Created
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2025-07-30
|
|
Domain Account Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
Active Directory Discovery, Interlock Ransomware
|
2025-07-28
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2025-07-28
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2025-07-21
|
|
Windows Unusual FileZilla XML Config Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT
|
2025-07-16
|
|
ESXi Encryption Settings Modified
|
VMWare ESXi Syslog
|
T1562
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-07-07
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1136.001
T1078
T1098
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-07-01
|
|
ESXi Audit Tampering
|
VMWare ESXi Syslog
|
T1562.003
T1070
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-07-01
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003.002
|
TTP
|
Credential Dumping, VanHelsing Ransomware
|
2025-06-24
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2025-06-24
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2025-06-24
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
DarkGate Malware
|
2025-06-24
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2025-06-10
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-06-10
|
|
Windows RunMRU Command Execution
|
Sysmon EventID 13
|
T1202
|
Anomaly
|
Fake CAPTCHA Campaigns, Lumma Stealer
|
2025-06-10
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2025-06-03
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1572
T1090
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2025-06-03
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2025-06-02
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Living Off The Land, Malicious Inno Setup Loader, Qakbot, Windows Defense Evasion Tactics
|
2025-05-26
|
|
ESXi System Clock Manipulation
|
VMWare ESXi Syslog
|
T1070.006
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-19
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1098
T1078
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-15
|
|
ESXi VM Exported via Remote Tool
|
VMWare ESXi Syslog
|
T1005
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-15
|
|
ESXi System Information Discovery
|
VMWare ESXi Syslog
|
T1082
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-14
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-13
|
|
ESXi Loghost Config Tampering
|
VMWare ESXi Syslog
|
T1562
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-13
|
|
ESXi Syslog Config Change
|
VMWare ESXi Syslog
|
T1562.003
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-13
|
|
ESXi Bulk VM Termination
|
VMWare ESXi Syslog
|
T1673
T1529
T1499
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Download Errors
|
VMWare ESXi Syslog
|
T1601.001
T1562.001
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Lockdown Mode Disabled
|
VMWare ESXi Syslog
|
T1562
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Reverse Shell Patterns
|
VMWare ESXi Syslog
|
T1059
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Shell Access Enabled
|
VMWare ESXi Syslog
|
T1021
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-12
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2025-05-09
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
T1550.004
T1538
|
Hunting
|
Okta Account Takeover
|
2025-05-02
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1621
T1556.006
T1098.005
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1621
T1078
T1110
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1621
T1556.006
T1098.005
|
TTP
|
Compromised User Account
|
2025-05-02
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Authentication Token Exposure in Debug Log
|
|
T1654
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
T1548
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Information Disclosure on Account Login
|
Splunk
|
T1087
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
T1083
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk RCE PDFgen Render
|
Splunk
|
T1210
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk RCE via User XSLT
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
|
Splunk
|
T1552
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2025-05-02
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2025-05-02
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2025-05-02
|
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
T1562
|
TTP
|
Azure Active Directory Account Takeover
|
2025-05-02
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
T1098.002
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-05-02
|
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2025-05-02
|
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
T1003.002
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-05-02
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-05-02
|
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2025-05-02
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
T1562.008
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Application Available To Other Tenants
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2025-05-02
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
T1098
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
T1562
|
TTP
|
Office 365 Account Takeover
|
2025-05-02
|
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
T1562.007
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Cross-Tenant Access Change
|
Office 365 Universal Audit Log
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2025-05-02
|
|
O365 DLP Rule Triggered
|
Office 365 Universal Audit Log
|
T1048
T1567
|
Anomaly
|
Data Exfiltration
|
2025-05-02
|
|
O365 External Guest User Invited
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2025-05-02
|
|
O365 External Identity Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2025-05-02
|
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2025-05-02
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
T1098.002
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2025-05-02
|
|
O365 Mailbox Email Forwarding Enabled
|
|
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2025-05-02
|
|
O365 Mailbox Inbox Folder Shared with All Users
|
O365 ModifyFolderPermissions
|
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
T1098.003
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 New Email Forwarding Rule Created
|
|
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2025-05-02
|
|
O365 New Email Forwarding Rule Enabled
|
|
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2025-05-02
|
|
O365 New Forwarding Mailflow Rule Created
|
|
T1114
|
TTP
|
Office 365 Collection Techniques
|
2025-05-02
|
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
T1003.002
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 SharePoint Allowed Domains Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2025-05-02
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-05-02
|
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2025-05-02
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-05-02
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Azorult, Medusa Ransomware, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2025-05-02
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
Compromised Windows Host, SamSam Ransomware
|
2025-05-02
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT
|
2025-05-02
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2025-05-02
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2025-05-02
|
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.002
|
TTP
|
Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2025-05-02
|
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2025-05-02
|
|
Disable AMSI Through Registry
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2025-05-02
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
IcedID, Windows Registry Abuse
|
2025-05-02
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse
|
2025-05-02
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2025-05-02
|
|
Disable ETW Through Registry
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2025-05-02
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1562.001
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1562.001
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1562.001
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling Defender Services
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
IcedID, RedLine Stealer, Windows Registry Abuse
|
2025-05-02
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1562.001
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling SystemRestore In Registry
|
Sysmon EventID 13
|
T1490
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Disabling Task Manager
|
Sysmon EventID 13
|
T1562.001
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Domain Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2025-05-02
|
|
Elevated Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2025-05-02
|
|
Eventvwr UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2025-05-02
|
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2025-05-02
|
|
Excessive File Deletion In WinDefender Folder
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
TTP
|
BlackByte Ransomware, Data Destruction, WhisperGate
|
2025-05-02
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
T1021.002
|
TTP
|
Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot, VanHelsing Ransomware
|
2025-05-02
|
|
GetWmiObject Ds Computer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2025-05-02
|
|
GetWmiObject Ds Group with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2025-05-02
|
|
GetWmiObject DS User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2025-05-02
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2025-05-02
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-05-02
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
AsyncRAT, Remcos
|
2025-05-02
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1218.010
T1112
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2025-05-02
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-05-02
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2025-05-02
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2025-05-02
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2025-05-02
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2025-05-02
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Ransomware, Revil Ransomware
|
2025-05-02
|
|
NET Profiler UAC bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2025-05-02
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
T1135
|
Hunting
|
IcedID
|
2025-05-02
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2025-05-02
|
|
Possible Browser Pass View Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555.003
|
Hunting
|
Remcos
|
2025-05-02
|
|
Potentially malicious code on commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003 | Anomaly | Suspicious Command-Line Executions | 2025-05-02
Powershell COM Hijacking InprocServer32 Modification | Powershell Script Block Logging 4104 | T1059.001, T1546.015 | TTP | Malicious PowerShell | 2025-05-02
Print Spooler Failed to Load a Plug-in | Windows Event Log Printservice 4909, Windows Event Log Printservice 808 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2025-05-02
Process Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Suspicious WMI Use | 2025-05-02
Registry Keys for Creating SHIM Databases | Sysmon EventID 13 | T1546.011 | TTP | Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2025-05-02
Registry Keys Used For Privilege Escalation | Sysmon EventID 13 | T1546.012 | TTP | Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse | 2025-05-02
Remote System Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | TTP | Active Directory Discovery | 2025-05-02
Rundll32 Control RunDLL World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.011 | TTP | Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity | 2025-05-02
Ryuk Test Files Detected | Sysmon EventID 11 | T1486 | TTP | Ryuk Ransomware | 2025-05-02
SAM Database File Access Attempt | Windows Event Log Security 4663 | T1003.002 | Hunting | Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware | 2025-05-02
Samsam Test File Write | Sysmon EventID 11 | T1486 | TTP | SamSam Ransomware | 2025-05-02
Sdclt UAC Bypass | Sysmon EventID 12, Sysmon EventID 13 | T1548.002 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Shim Database File Creation | Sysmon EventID 11 | T1546.011 | TTP | Windows Persistence Techniques | 2025-05-02
Spoolsv Writing a DLL - Sysmon | Sysmon EventID 11 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2025-05-02
Suspicious msbuild path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003, T1127.001 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild | 2025-05-02
Suspicious Regsvr32 Register Suspicious Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.010 | TTP | China-Nexus Threat Activity, Derusbi, IcedID, Living Off The Land, Qakbot, Salt Typhoon, Suspicious Regsvr32 Activity | 2025-05-02
UAC Bypass With Colorui COM Object | Sysmon EventID 7 | T1218.003 | TTP | LockBit Ransomware, Ransomware | 2025-05-02
Wbemprox COM Object Execution | Sysmon EventID 7 | T1218.003 | TTP | LockBit Ransomware, Ransomware, Revil Ransomware | 2025-05-02
Windows Access Token Manipulation Winlogon Duplicate Token Handle | Sysmon EventID 10 | T1134.001 | Hunting | Brute Ratel C4 | 2025-05-02
Windows AD AdminSDHolder ACL Modified | Windows Event Log Security 5136 | T1546 | TTP | Sneaky Active Directory Persistence Tricks | 2025-05-02
Windows AD Cross Domain SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005 | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2025-05-02
Windows Admin Permission Discovery | Sysmon EventID 11 | T1069.001 | Anomaly | NjRAT | 2025-05-02
Windows Administrative Shares Accessed On Multiple Hosts | Windows Event Log Security 5140, Windows Event Log Security 5145 | T1135 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2025-05-02
Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Sysmon EventID 17, Sysmon EventID 18 | T1071 | TTP | Azorult | 2025-05-02
Windows Autostart Execution LSASS Driver Registry Modification | Sysmon EventID 13 | T1547.008 | TTP | Windows Registry Abuse | 2025-05-02
Windows Bypass UAC via Pkgmgr Tool | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | Anomaly | Warzone RAT | 2025-05-02
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | Anomaly | Security Solution Tampering | 2025-05-02
Windows Cisco Secure Endpoint Unblock File Via Sfc | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | Anomaly | Security Solution Tampering | 2025-05-02
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001 | Anomaly | Security Solution Tampering | 2025-05-02
Windows Command and Scripting Interpreter Path Traversal Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2025-05-02
Windows ConsoleHost History File Deletion | Sysmon EventID 23, Sysmon EventID 26 | T1070.003 | Anomaly | Medusa Ransomware | 2025-05-02
Windows Defacement Modify Transcodedwallpaper File | Sysmon EventID 1, Sysmon EventID 11 | T1491 | Anomaly | Brute Ratel C4 | 2025-05-02
Windows Defender ASR Registry Modification | Windows Event Log Defender 5007 | T1112 | Hunting | Windows Attack Surface Reduction | 2025-05-02
Windows Defender ASR Rule Disabled | Windows Event Log Defender 5007 | T1112 | TTP | Windows Attack Surface Reduction | 2025-05-02
Windows Deleted Registry By A Non Critical Process File Path | Sysmon EventID 1, Sysmon EventID 12 | T1112 | Anomaly | Data Destruction, Double Zero Destructor | 2025-05-02
Windows Detect Network Scanner Behavior | Sysmon EventID 3 | T1595.001, T1595.002 | Anomaly | Network Discovery, Windows Discovery Techniques | 2025-05-02
Windows Disable Change Password Through Registry | Sysmon EventID 13 | T1112 | Anomaly | Ransomware, Windows Defense Evasion Tactics | 2025-05-02
Windows Disable LogOff Button Through Registry | Sysmon EventID 13 | T1112 | Anomaly | Ransomware, Windows Registry Abuse | 2025-05-02
Windows Disable Shutdown Button Through Registry | Sysmon EventID 13 | T1112 | Anomaly | Ransomware, Windows Registry Abuse | 2025-05-02
Windows Disable Windows Group Policy Features Through Registry | Sysmon EventID 13 | T1112 | Anomaly | CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 13 | T1053.005 | Anomaly | Active Directory Lateral Movement, Scheduled Tasks | 2025-05-02
Windows Explorer.exe Spawning PowerShell or Cmd | Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001, T1204.002 | Hunting | ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day | 2025-05-02
Windows Explorer LNK Exploit Process Launch With Padding | Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001, T1204.002 | TTP | ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day | 2025-05-02
Windows Gather Victim Identity SAM Info | Sysmon EventID 7 | T1589.001 | Hunting | Brute Ratel C4 | 2025-05-02
Windows Identify PowerShell Web Access IIS Pool | Windows Event Log Security 4648 | T1190 | Hunting | CISA AA24-241A | 2025-05-02
Windows Impair Defense Change Win Defender Health Check Intervals | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Change Win Defender Quick Scan Interval | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Change Win Defender Throttle Rate | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Change Win Defender Tracing Level | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Configure App Install Control | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Define Win Defender Threat Action | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Delete Win Defender Context Menu | Sysmon EventID 13 | T1562.001 | Hunting | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Delete Win Defender Profile Registry | Sysmon EventID 13 | T1562.001 | Anomaly | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Controlled Folder Access | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Realtime Signature Delivery | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Web Evaluation | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Win Defender App Guard | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Win Defender Compute File Hashes | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Win Defender Gen reports | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Win Defender Report Infection | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Disable Win Defender Scan On Update | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Override SmartScreen Prompt | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Sysmon EventID 13 | T1562.001 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defenses Disable Auto Logger Session | Sysmon EventID 13 | T1562.001 | Anomaly | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defenses Disable HVCI | Sysmon EventID 13 | T1562.001 | TTP | BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Impair Defenses Disable Win Defender Auto Logging | Sysmon EventID 13 | T1562.001 | Anomaly | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows InProcServer32 New Outlook Form | Sysmon EventID 13 | T1566, T1112 | Anomaly | Outlook RCE CVE-2024-21378 | 2025-05-02
Windows InstallUtil Credential Theft | Sysmon EventID 7 | T1218.004 | TTP | Signed Binary Proxy Execution InstallUtil | 2025-05-02
Windows InstallUtil in Non Standard Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003, T1218.004 | TTP | Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate | 2025-05-02
Windows InstallUtil Uninstall Option | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.004 | TTP | Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil | 2025-05-02
Windows Known Abused DLL Created | Sysmon EventID 11 | T1574.001 | Anomaly | Living Off The Land, Windows Defense Evasion Tactics | 2025-05-02
Windows LOLBAS Executed As Renamed File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003, T1218.011 | TTP | Living Off The Land, Masquerading - Rename System Utilities, Water Gamayun, Windows Defense Evasion Tactics | 2025-05-02
Windows Modify Registry AuthenticationLevelOverride | Sysmon EventID 13 | T1112 | Anomaly | DarkGate Malware | 2025-05-02
Windows Modify Registry Auto Minor Updates | Sysmon EventID 13 | T1112 | Hunting | RedLine Stealer | 2025-05-02
Windows Modify Registry Auto Update Notif | Sysmon EventID 13 | T1112 | Anomaly | RedLine Stealer | 2025-05-02
Windows Modify Registry Configure BitLocker | Sysmon EventID 13 | T1112 | TTP | ShrinkLocker | 2025-05-02
Windows Modify Registry Disable Toast Notifications | Sysmon EventID 13 | T1112 | Anomaly | Azorult | 2025-05-02
Windows Modify Registry Disable Win Defender Raw Write Notif | Sysmon EventID 13 | T1112 | Anomaly | Azorult, CISA AA23-347A | 2025-05-02
Windows Modify Registry Disable Windows Security Center Notif | Sysmon EventID 13 | T1112 | Anomaly | Azorult, CISA AA23-347A | 2025-05-02
Windows Modify Registry DisableRemoteDesktopAntiAlias | Sysmon EventID 13 | T1112 | TTP | DarkGate Malware | 2025-05-02
Windows Modify Registry DisableSecuritySettings | Sysmon EventID 13 | T1112 | TTP | CISA AA23-347A, DarkGate Malware | 2025-05-02
Windows Modify Registry Disabling WER Settings | Sysmon EventID 13 | T1112 | TTP | Azorult, CISA AA23-347A | 2025-05-02
Windows Modify Registry DisAllow Windows App | Sysmon EventID 13 | T1112 | TTP | Azorult | 2025-05-02
Windows Modify Registry Do Not Connect To Win Update | Sysmon EventID 13 | T1112 | Anomaly | RedLine Stealer | 2025-05-02
Windows Modify Registry DontShowUI | Sysmon EventID 13 | T1112 | TTP | DarkGate Malware | 2025-05-02
Windows Modify Registry EnableLinkedConnections | Sysmon EventID 13 | T1112 | TTP | BlackByte Ransomware | 2025-05-02
Windows Modify Registry LongPathsEnabled | Sysmon EventID 13 | T1112 | Anomaly | BlackByte Ransomware | 2025-05-02
Windows Modify Registry MaxConnectionPerServer | Sysmon EventID 13 | T1112 | Anomaly | Warzone RAT | 2025-05-02
Windows Modify Registry No Auto Reboot With Logon User | Sysmon EventID 13 | T1112 | Anomaly | RedLine Stealer | 2025-05-02
Windows Modify Registry No Auto Update | Sysmon EventID 13 | T1112 | Anomaly | CISA AA23-347A, RedLine Stealer | 2025-05-02
Windows Modify Registry NoChangingWallPaper | Sysmon EventID 13 | T1112 | TTP | Rhysida Ransomware | 2025-05-02
Windows Modify Registry on Smart Card Group Policy | Sysmon EventID 13 | T1112 | Anomaly | ShrinkLocker | 2025-05-02
Windows Modify Registry ProxyEnable | Sysmon EventID 13 | T1112 | Anomaly | DarkGate Malware | 2025-05-02
Windows Modify Registry ProxyServer | Sysmon EventID 13 | T1112 | Anomaly | DarkGate Malware | 2025-05-02
Windows Modify Registry Suppress Win Defender Notif | Sysmon EventID 13 | T1112 | Anomaly | Azorult, CISA AA23-347A | 2025-05-02
Windows Modify Registry UpdateServiceUrlAlternate | Sysmon EventID 13 | T1112 | Anomaly | RedLine Stealer | 2025-05-02
Windows Modify Registry USeWuServer | Sysmon EventID 13 | T1112 | Hunting | RedLine Stealer | 2025-05-02
Windows Modify Registry WuServer | Sysmon EventID 13 | T1112 | Hunting | RedLine Stealer | 2025-05-02
Windows Modify Registry wuStatusServer | Sysmon EventID 13 | T1112 | Hunting | RedLine Stealer | 2025-05-02
Windows Modify System Firewall with Notable Process Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.004 | TTP | Compromised Windows Host, Medusa Ransomware, NjRAT | 2025-05-02
Windows MOF Event Triggered Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.003 | TTP | Compromised Windows Host, Living Off The Land | 2025-05-02
Windows MSC EvilTwin Directory Path Manipulation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1036.005, T1203 | TTP | Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics | 2025-05-02
Windows New Default File Association Value Set | Sysmon EventID 13 | T1546.001 | Hunting | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2025-05-02
Windows New EventLog ChannelAccess Registry Value Set | Sysmon EventID 13 | T1562.002 | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware | 2025-05-02
Windows Office Product Loaded MSHTML Module | Sysmon EventID 7 | T1566.001 | Anomaly | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-05-02
Windows Office Product Loading Taskschd DLL | Sysmon EventID 7 | T1566.001 | Anomaly | Spearphishing Attachments | 2025-05-02
Windows Office Product Loading VBE7 DLL | Sysmon EventID 7 | T1566.001 | Anomaly | AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot | 2025-05-02
Windows Outlook WebView Registry Modification | Sysmon EventID 13 | T1112 | Anomaly | Suspicious Windows Registry Activities | 2025-05-02
Windows Process Injection With Public Source Path | Sysmon EventID 8 | T1055.002 | Hunting | Brute Ratel C4, Earth Alux | 2025-05-02
Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Windows Defense Evasion Tactics | 2025-05-02
Windows Query Registry Browser List Application | Windows Event Log Security 4663 | T1012 | Anomaly | China-Nexus Threat Activity, RedLine Stealer, Salt Typhoon, SnappyBee | 2025-05-02
Windows Registry BootExecute Modification | Sysmon EventID 13 | T1542, T1547.001 | TTP | Windows BootKits | 2025-05-02
Windows Registry Certificate Added | Sysmon EventID 13 | T1553.004 | Anomaly | Windows Drivers, Windows Registry Abuse | 2025-05-02
Windows Registry Dotnet ETW Disabled Via ENV Variable | Sysmon EventID 13 | T1562.006 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2025-05-02
Windows Registry Modification for Safe Mode Persistence | Sysmon EventID 13 | T1547.001 | TTP | Ransomware, Windows Drivers, Windows Registry Abuse | 2025-05-02
Windows Registry SIP Provider Modification | Sysmon EventID 13 | T1553.003 | TTP | Subvert Trust Controls SIP and Trust Provider Hijacking | 2025-05-02
Windows Remote Access Software RMS Registry | Sysmon EventID 13 | T1219 | TTP | Azorult | 2025-05-02
Windows Remote Create Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | Anomaly | Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A | 2025-05-02
Windows Remote Services Allow Remote Assistance | Sysmon EventID 13 | T1021.001 | Anomaly | Azorult | 2025-05-02
Windows Rundll32 WebDAV Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048.003 | TTP | CVE-2023-23397 Outlook Elevation of Privilege | 2025-05-02
Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | T1053 | TTP | ValleyRAT | 2025-05-02
Windows Service Creation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | Active Directory Lateral Movement, CISA AA23-347A, China-Nexus Threat Activity, Salt Typhoon, SnappyBee | 2025-05-02
Windows Service Deletion In Registry | Sysmon EventID 13 | T1489 | Anomaly | Brute Ratel C4, Crypto Stealer, PlugX | 2025-05-02
Windows Service Execution RemCom | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1569.002 | TTP | Active Directory Discovery | 2025-05-02
Windows Service Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | Active Directory Lateral Movement, CISA AA23-347A | 2025-05-02
Windows SIP Provider Inventory |  | T1553.003 | Hunting | Subvert Trust Controls SIP and Trust Provider Hijacking | 2025-05-02
Windows Snake Malware File Modification Crmlog | Sysmon EventID 11 | T1027 | TTP | Snake Malware | 2025-05-02
Windows Snake Malware Kernel Driver Comadmin | Sysmon EventID 11 | T1547.006 | TTP | Snake Malware | 2025-05-02
Windows Snake Malware Registry Modification wav OpenWithProgIds | Sysmon EventID 13 | T1112 | TTP | Snake Malware | 2025-05-02
Windows Snake Malware Service Create | Windows Event Log System 7045 | T1547.006, T1569.002 | TTP | Compromised Windows Host, Snake Malware | 2025-05-02
Windows SnappyBee Create Test Registry | Sysmon EventID 13 | T1112 | TTP | China-Nexus Threat Activity, Salt Typhoon, SnappyBee | 2025-05-02
Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | T1574.001 | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2025-05-02
Windows Steal Authentication Certificates - ESC1 Abuse | Windows Event Log Security 4886, Windows Event Log Security 4887 | T1649 | TTP | Windows Certificate Services | 2025-05-02
Windows Steal Authentication Certificates - ESC1 Authentication | Windows Event Log Security 4768, Windows Event Log Security 4887 | T1649, T1550 | TTP | Compromised Windows Host, Windows Certificate Services | 2025-05-02
Windows Suspect Process With Authentication Traffic | Sysmon EventID 3 | T1087.002, T1204.002 | Anomaly | Active Directory Discovery | 2025-05-02
Windows Unusual SysWOW64 Process Run System32 Executable | Sysmon EventID 1, Windows Event Log Security 4688 | T1036.009 | Anomaly | China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon | 2025-05-02
Windows WinDBG Spawning AutoIt3 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | Compromised Windows Host, DarkGate Malware | 2025-05-02
Windows WMI Impersonate Token | Sysmon EventID 10 | T1047 | Anomaly | Qakbot, Water Gamayun | 2025-05-02
Windows WMIC Shadowcopy Delete | Sysmon EventID 1 | T1490 | Anomaly | Cactus Ransomware, Suspicious WMI Use, Volt Typhoon | 2025-05-02
Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Compromised Windows Host, Remcos | 2025-05-02
XMRIG Driver Loaded | Sysmon EventID 6 | T1543.003 | TTP | CISA AA22-320A, Crypto Stealer, XMRig | 2025-05-02
Suspicious Process With Discord DNS Query | Sysmon EventID 22 | T1059.005 | Anomaly | Cactus Ransomware, Data Destruction, PXA Stealer, WhisperGate | 2025-05-02
Windows Spearphishing Attachment Connect To None MS Office Domain | Sysmon EventID 22 | T1566.001 | Hunting | AsyncRAT, Spearphishing Attachments | 2025-05-02
CrushFTP Max Simultaneous Users From IP | CrushFTP | T1110.001, T1110.004 | Anomaly | CrushFTP Vulnerabilities | 2025-05-02
Hunting for Log4Shell | Nginx Access | T1190, T1133 | Hunting | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2025-05-02
Unusually Long Content-Type Length |  |  | Anomaly | Apache Struts Vulnerability | 2025-05-02