|
HTTP Scripting Tool User Agent
|
Nginx Access
|
T1071.001
|
Anomaly
|
Suspicious User Agents, HTTP Request Smuggling
|
2026-06-15
|
|
PTC Windchill Gateway Command Execution
|
Windchill Log4j
|
T1005
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
PTC Windchill GW READY OK Probe
|
Windchill Log4j
|
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
Splunk Secure Application Alerts for Runtime Security
|
|
N/A
|
Anomaly
|
Critical Alerts
|
2026-06-12
|
|
Windows Suspicious Process File Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1543
|
TTP
|
Rhysida Ransomware, GhostRedirector IIS Module and Rungan Backdoor, LockBit Ransomware, Void Manticore, VIP Keylogger, Meduza Stealer, Industroyer2, StealC Stealer, XWorm, Phemedrone Stealer, Qakbot, Salt Typhoon, AsyncRAT, MoonPeak, Azorult, PromptLock, IcedID, Malicious Inno Setup Loader, Earth Alux, Lokibot, Swift Slicer, Warzone RAT, WhisperGate, Water Gamayun, Handala Wiper, DarkGate Malware, Chaos Ransomware, Axios Supply Chain Post Compromise, Trickbot, RoguePlanet, Prestige Ransomware, Interlock Rat, SystemBC, RedLine Stealer, Hermetic Wiper, DarkCrystal RAT, Remcos, SnappyBee, CISA AA23-347A, Interlock Ransomware, Brute Ratel C4, Data Destruction, China-Nexus Threat Activity, ValleyRAT, XMRig, Quasar RAT, Double Zero Destructor, SesameOp, Castle RAT, BlackByte Ransomware, NailaoLocker Ransomware, Amadey, PlugX, AgentTesla, Graceful Wipe Out Attack, Volt Typhoon
|
2026-06-11
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
NjRAT, Rhysida Ransomware, Void Manticore, LockBit Ransomware, VIP Keylogger, Meduza Stealer, Industroyer2, Qakbot, Salt Typhoon, AsyncRAT, MoonPeak, Azorult, PromptLock, IcedID, AcidPour, Lokibot, Swift Slicer, APT37 Rustonotto and FadeStealer, Warzone RAT, WhisperGate, Handala Wiper, DarkGate Malware, Chaos Ransomware, Axios Supply Chain Post Compromise, Trickbot, RoguePlanet, PromptFlux, Interlock Rat, XML Runner Loader, Salat Stealer, RedLine Stealer, Hermetic Wiper, DarkCrystal RAT, Remcos, SnappyBee, CISA AA23-347A, Crypto Stealer, Brute Ratel C4, Data Destruction, China-Nexus Threat Activity, ValleyRAT, Double Zero Destructor, WinDealer RAT, XMRig, SesameOp, BlackByte Ransomware, Snake Keylogger, PlugX, Amadey, AgentTesla, Derusbi, Graceful Wipe Out Attack, Volt Typhoon
|
2026-06-11
|
|
Windows Wermgr Alternate Data Stream in Temp Dir
|
Sysmon EventID 15
|
T1564.004
|
Anomaly
|
RoguePlanet
|
2026-06-11
|
|
Regsvr32 Silent and Install Param Dll Loading
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
Anomaly
|
AsyncRAT, Hermetic Wiper, Living Off The Land, Suspicious Regsvr32 Activity, Remcos, Data Destruction
|
2026-06-09
|
|
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
|
Cisco SD-WAN Auth Log
|
T1595
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-06-09
|
|
Cisco SD-WAN Multiple SSH key Authentication from Same Source
|
Cisco SD-WAN Auth Log
|
T1595
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-06-09
|
|
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
|
Cisco Secure Access Proxy
|
T1595
|
Anomaly
|
Cisco Secure Access Analytics
|
2026-06-09
|
|
Cisco SA - Access to Anonymizer Services
|
Cisco Secure Access DNS
|
T1090.003
|
Anomaly
|
Cisco Secure Access Analytics
|
2026-06-09
|
|
Regsvr32 with Known Silent Switch Cmdline
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
Anomaly
|
Qakbot, AsyncRAT, IcedID, Suspicious Regsvr32 Activity, Living Off The Land, Remcos
|
2026-06-09
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Hunting
|
Malicious PowerShell, Rhysida Ransomware, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Cactus Ransomware, PHP-CGI RCE Attack on Japanese Organizations, XWorm, Cleo File Transfer Software, MuddyWater, Salt Typhoon, APT37 Rustonotto and FadeStealer, 0bj3ctivity Stealer, Water Gamayun, DarkGate Malware, Axios Supply Chain Post Compromise, Microsoft WSUS CVE-2025-59287, Hellcat Ransomware, Medusa Ransomware, SystemBC, Salat Stealer, Hermetic Wiper, CISA AA23-347A, Interlock Ransomware, Flax Typhoon, Data Destruction, China-Nexus Threat Activity, Lumma Stealer, Scattered Spider, Braodo Stealer
|
2026-06-08
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, PXA Stealer, Hellcat Ransomware, MuddyWater, AsyncRAT, MoonPeak, Medusa Ransomware, Salat Stealer, IcedID, Hermetic Wiper, Braodo Stealer, XWorm, Data Destruction
|
2026-06-08
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, MoonPeak, Medusa Ransomware, Salat Stealer, IcedID, Hermetic Wiper, Data Destruction
|
2026-06-08
|
|
Windows Obfuscated Files or Information via RAR SFX
|
Sysmon EventID 11
|
T1027.013
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Salat Stealer, Crypto Stealer, APT37 Rustonotto and FadeStealer
|
2026-06-08
|
|
Windows Process Execution From ProgramData
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
|
Hunting
|
China-Nexus Threat Activity, Salt Typhoon, GhostRedirector IIS Module and Rungan Backdoor, Salat Stealer, SolarWinds WHD RCE Post Exploitation, APT37 Rustonotto and FadeStealer, SnappyBee, StealC Stealer, XWorm, Axios Supply Chain Post Compromise
|
2026-06-08
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
NjRAT, VIP Keylogger, StealC Stealer, Phemedrone Stealer, Salt Typhoon, Azorult, Malicious Inno Setup Loader, Lokibot, 0bj3ctivity Stealer, Warzone RAT, DarkGate Malware, Salat Stealer, RedLine Stealer, Remcos, SnappyBee, CISA AA23-347A, FIN7, China-Nexus Threat Activity, BlankGrabber Stealer, Quasar RAT, Snake Keylogger, 3CX Supply Chain Attack, AgentTesla
|
2026-06-08
|
|
Powershell Disable Security Monitoring
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
BlankGrabber Stealer, Revil Ransomware, CISA AA24-241A, Salat Stealer, Ransomware
|
2026-06-08
|
|
Add or Set Windows Defender Exclusion
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
ValleyRAT, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, CISA AA22-320A, Remcos, AgentTesla, WhisperGate, Compromised Windows Host, Crypto Stealer, XWorm, Data Destruction
|
2026-06-08
|
|
Firewall Allowed Program Enable
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1686
|
Anomaly
|
NjRAT, Azorult, Medusa Ransomware, Salat Stealer, Windows Defense Evasion Tactics, BlackByte Ransomware, PlugX
|
2026-06-08
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlankGrabber Stealer, Azorult, Windows Registry Abuse, Salat Stealer, IcedID, CISA AA23-347A
|
2026-06-08
|
|
Windows Process Execution in Temp Dir
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1543
|
Anomaly
|
NjRAT, Trickbot, RoguePlanet, Qakbot, Gh0st RAT, SesameOp, Ransomware, PromptLock, Salat Stealer, Lokibot, Ryuk Ransomware, Remcos, AgentTesla, XWorm, PathWiper, Axios Supply Chain Post Compromise
|
2026-06-08
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
T1685
|
TTP
|
ValleyRAT, Qakbot, Azorult, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, Remcos, Warzone RAT, XWorm
|
2026-06-08
|
|
Windows Event Log Cleared
|
Windows Event Log System 104, Windows Event Log Security 1102
|
T1685.005
|
TTP
|
Clop Ransomware, CISA AA22-264A, Windows Log Manipulation, Salat Stealer, ShrinkLocker, Ransomware, Compromised Windows Host
|
2026-06-08
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
NjRAT, Suspicious MSHTA Activity, Cactus Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, XWorm, Qakbot, Salt Typhoon, AsyncRAT, MoonPeak, Azorult, MuddyWater, Gh0st RAT, IcedID, Lokibot, BlackSuit Ransomware, APT37 Rustonotto and FadeStealer, Ransomware, Warzone RAT, 0bj3ctivity Stealer, DarkGate Malware, Chaos Ransomware, Axios Supply Chain Post Compromise, Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A, Windows Persistence Techniques, SystemBC, Salat Stealer, Suspicious Windows Registry Activities, RedLine Stealer, DarkCrystal RAT, Remcos, SnappyBee, CISA AA23-347A, Interlock Ransomware, China-Nexus Threat Activity, ValleyRAT, Sneaky Active Directory Persistence Tricks, Quasar RAT, WinDealer RAT, NetSupport RMM Tool Abuse, Windows Registry Abuse, Castle RAT, BlackByte Ransomware, Snake Keylogger, Amadey, Braodo Stealer, Derusbi
|
2026-06-08
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
T1685
|
TTP
|
BlankGrabber Stealer, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, CISA AA22-320A, Warzone RAT, Remcos, AgentTesla, WhisperGate, Data Destruction
|
2026-06-08
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, CISA AA24-241A, Salat Stealer, Black Basta Ransomware, IcedID, Cactus Ransomware, SolarWinds WHD RCE Post Exploitation
|
2026-06-08
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
NjRAT, VIP Keylogger, StealC Stealer, Phemedrone Stealer, Salt Typhoon, Malicious Inno Setup Loader, Lokibot, Warzone RAT, DarkGate Malware, Salat Stealer, RedLine Stealer, Remcos, SnappyBee, CISA AA23-347A, FIN7, China-Nexus Threat Activity, BlankGrabber Stealer, Quasar RAT, Snake Keylogger, 3CX Supply Chain Attack, AgentTesla
|
2026-06-08
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Salat Stealer, Windows Defense Evasion Tactics
|
2026-06-08
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
T1685
|
TTP
|
Hellcat Ransomware, BlankGrabber Stealer, Scattered Lapsus$ Hunters, Castle RAT, Salat Stealer, Braodo Stealer
|
2026-06-08
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
NjRAT, VIP Keylogger, Meduza Stealer, StealC Stealer, Phemedrone Stealer, Salt Typhoon, MoonPeak, Malicious Inno Setup Loader, Earth Alux, Lokibot, 0bj3ctivity Stealer, Warzone RAT, DarkGate Malware, PXA Stealer, Salat Stealer, RedLine Stealer, SnappyBee, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Quasar RAT, BlankGrabber Stealer, Amadey, Snake Keylogger, Braodo Stealer
|
2026-06-08
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 13
|
T1685
|
TTP
|
Storm-0501 Ransomware, Scattered Lapsus$ Hunters, BlankGrabber Stealer, Azorult, Ransomware, Windows Registry Abuse, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, Black Basta Ransomware, Cactus Ransomware, SolarWinds WHD RCE Post Exploitation, RedLine Stealer, Revil Ransomware, CISA AA23-347A
|
2026-06-08
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
NjRAT, VIP Keylogger, Meduza Stealer, StealC Stealer, Phemedrone Stealer, Salt Typhoon, MoonPeak, Malicious Inno Setup Loader, Earth Alux, Lokibot, 0bj3ctivity Stealer, Warzone RAT, DarkGate Malware, PXA Stealer, Salat Stealer, RedLine Stealer, SnappyBee, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Quasar RAT, BlankGrabber Stealer, Amadey, Snake Keylogger, Braodo Stealer
|
2026-06-08
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Meduza Stealer, Gh0st RAT, Salt Typhoon, AsyncRAT, Tuoni, Lokibot, DarkGate Malware, PathWiper, Salat Stealer, SnappyBee, CISA AA23-347A, Brute Ratel C4, China-Nexus Threat Activity, ValleyRAT, Scattered Lapsus$ Hunters, WinDealer RAT, PlugX, Derusbi
|
2026-06-08
|
|
Windows Firewall Rule Added
|
Windows Event Log Security 4946
|
T1686
|
Anomaly
|
NetSupport RMM Tool Abuse, Salat Stealer, Medusa Ransomware, ShrinkLocker
|
2026-06-08
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Salat Stealer, Windows Defense Evasion Tactics
|
2026-06-08
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
Malicious PowerShell, NjRAT, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, XWorm, Winter Vivern, MuddyWater, AsyncRAT, IcedID, APT37 Rustonotto and FadeStealer, 0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Microsoft WSUS CVE-2025-59287, Hellcat Ransomware, Medusa Ransomware, Salat Stealer, Hermetic Wiper, Data Destruction, NetSupport RMM Tool Abuse
|
2026-06-08
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
China-Nexus Threat Activity, PXA Stealer, Scattered Lapsus$ Hunters, Quasar RAT, Salt Typhoon, MoonPeak, 0bj3ctivity Stealer, BlankGrabber Stealer, Salat Stealer, Malicious Inno Setup Loader, Earth Alux, Scattered Spider, VIP Keylogger, Snake Keylogger, Meduza Stealer, Braodo Stealer, SnappyBee, StealC Stealer
|
2026-06-08
|
|
Windows Alternate DataStream - Process Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1564.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-06-04
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
T1090
T1095
|
TTP
|
Linux Living Off The Land, Ingress Tool Transfer
|
2026-06-04
|
|
PowerShell - Connect To Internet With Hidden Window
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
Hunting
|
Malicious PowerShell, HAFNIUM Group, Hermetic Wiper, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Log4Shell CVE-2021-44228, AgentTesla, Data Destruction
|
2026-06-04
|
|
M365 Copilot Impersonation Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1685
|
TTP
|
Suspicious Microsoft 365 Copilot Activities
|
2026-06-04
|
|
Windows AD add Self to Group
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware
|
2026-06-01
|
|
Windows FFmpeg Audio and Video Device Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1125
|
Anomaly
|
Salat Stealer
|
2026-05-20
|
|
Windows FFmpeg DirectShow Video Capture
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1125
|
Anomaly
|
Salat Stealer
|
2026-05-20
|
|
Cisco IOS XE Guestshell Activation and Destroy
|
Cisco IOS Logs
|
T1059
T1611
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Remote Access Probe Burst
|
Cisco IOS Logs
|
T1018
T1021.004
T1046
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Request Platform Package Describe Shell Pattern
|
Cisco IOS Logs
|
T1059
T1190
|
TTP
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Reconnaissance Command Activity
|
Cisco IOS Logs
|
T1016
T1082
T1590
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Tunnel Interface Configuration
|
Cisco IOS Logs
|
T1090
T1572
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE VTY Access Class Tampering
|
Cisco IOS Logs
|
T1021
T1562
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
|
Cisco IOS Logs
|
T1070.001
T1562
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE WebUI Programmatic Configuration
|
Cisco IOS Logs
|
T1078
T1190
|
Anomaly
|
Salt Typhoon
|
2026-05-19
|
|
Cisco IOS XE WebUI Login From IOSd Local Port
|
Cisco IOS Logs
|
T1078
T1190
|
TTP
|
Salt Typhoon
|
2026-05-19
|
|
Windows Cloud Files Filter Loaded by Uncommon Process
|
Sysmon EventID 7
|
T1543.003
|
Anomaly
|
BlueHammer, RedSun
|
2026-05-18
|
|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
|
Splunk
|
T1552
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Information Disclosure on Account Login
|
Splunk
|
T1087
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk RCE PDFgen Render
|
Splunk
|
T1210
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Authentication Token Exposure in Debug Log
|
|
T1654
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
T1083
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
T1548
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk RCE via User XSLT
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Windows Group Discovery Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
T1069.002
|
Hunting
|
Microsoft WSUS CVE-2025-59287, Windows Discovery Techniques, Prestige Ransomware, Azorult, Rhysida Ransomware, Medusa Ransomware, Cleo File Transfer Software, IcedID, SolarWinds WHD RCE Post Exploitation, Windows Post-Exploitation, Active Directory Discovery, Graceful Wipe Out Attack, Volt Typhoon
|
2026-05-13
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Ransomware, ValleyRAT, LockBit Ransomware, DarkSide Ransomware
|
2026-05-13
|
|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
T1059.001
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
Windows Potato Privilege Escalation Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
T1649
|
Correlation
|
Windows Certificate Services
|
2026-05-13
|
|
Windows InstallUtil URL in Command Line
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Cisco Network Visibility Module Analytics, Living Off The Land
|
2026-05-13
|
|
Windows New Service Security Descriptor Set Via Sc.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1133
T1190
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Excel Spawning Microsoft Project Application
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
|
Anomaly
|
PathWiper
|
2026-05-13
|
|
Deleting Shadow Copies
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
SamSam Ransomware, VanHelsing Ransomware, Clop Ransomware, Termite Ransomware, CISA AA22-264A, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Rhysida Ransomware, Void Manticore, LockBit Ransomware, Windows Log Manipulation, Medusa Ransomware, Black Basta Ransomware, Cactus Ransomware, Ransomware, Compromised Windows Host, DarkGate Malware, Chaos Ransomware
|
2026-05-13
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
|
T1133
T1190
|
TTP
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability, Spring4Shell CVE-2022-22965, SAP NetWeaver Exploitation, Atlassian Confluence Server and Data Center CVE-2022-26134
|
2026-05-13
|
|
Windows Rasautou DLL Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055.001
T1218
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Living Off The Land, AwfulShred, Linux Privilege Escalation, Gomir, Compromised Linux Host, Linux Persistence Techniques, Data Destruction
|
2026-05-13
|
|
Windows Credentials from Password Stores Deletion
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555
|
TTP
|
NetSupport RMM Tool Abuse, Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
China-Nexus Threat Activity, XorDDos, Salt Typhoon, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
USN Journal Deletion
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070
|
TTP
|
Ransomware, Windows Log Manipulation
|
2026-05-13
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
Trickbot, APT37 Rustonotto and FadeStealer, Living Off The Land, IcedID
|
2026-05-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
Windows Persistence Techniques, VIP Keylogger, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Execution of File with Multiple Extensions
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
|
TTP
|
Windows File Extension and Association Abuse, Masquerading - Rename System Utilities, DarkGate Malware, AsyncRAT
|
2026-05-13
|
|
MSBuild Suspicious Spawned By Script Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Password Policy Discovery with Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Potential Cloudflared Network Connection
|
Sysmon EventID 3
|
T1572
|
Hunting
|
Reverse Network Proxy
|
2026-05-13
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows WMI Process And Service List
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
T1136.001
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Reg exe Manipulating Windows Services Registry Keys
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.011
|
TTP
|
Windows Service Abuse, Windows Persistence Techniques, Living Off The Land
|
2026-05-13
|
|
Windows Gather Victim Identity SAM Info
|
Sysmon EventID 7
|
T1589.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.004
|
TTP
|
Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious Copy on System32
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
|
Anomaly
|
Qakbot, AsyncRAT, Water Gamayun, Unusual Processes, IcedID, Sandworm Tools, Compromised Windows Host, Volt Typhoon
|
2026-05-13
|
|
Spike in File Writes
|
Sysmon EventID 11
|
N/A
|
Anomaly
|
SamSam Ransomware, Rhysida Ransomware, Ransomware, Ryuk Ransomware
|
2026-05-13
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Detect RTLO In Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5145, Windows Event Log Security 5140
|
T1135
|
TTP
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, BlankGrabber Stealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows MSIExec DLLRegisterServer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec, Water Gamayun
|
2026-05-13
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4737, Windows Event Log Security 4730, Windows Event Log Security 4727
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
T1027
|
Anomaly
|
Linux Living Off The Land
|
2026-05-13
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Hunting
|
VoidLink Cloud-Native Linux Malware, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Screen Capture in TEMP folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Hellcat Ransomware, VIP Keylogger, APT37 Rustonotto and FadeStealer, Crypto Stealer, Braodo Stealer, StealC Stealer
|
2026-05-13
|
|
Windows Rundll32 with Non-Standard File Extension
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
Anomaly
|
Suspicious Rundll32 Activity, Gh0st RAT, Living Off The Land
|
2026-05-13
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
TTP
|
BlackSuit Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Defender ASR or Threat Configuration Tamper
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
T1140
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Crowdstrike Medium Severity Alert
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Level RMM PowerShell Script Installer
|
Powershell Script Block Logging 4104
|
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
ICACLS Grant Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
|
Anomaly
|
XMRig, NetSupport RMM Tool Abuse, Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer
|
2026-05-13
|
|
Windows Crowdstrike RTR Script Execution
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
Anomaly
|
Malicious PowerShell, Cobalt Strike, Living Off The Land, Suspicious MSHTA Activity
|
2026-05-13
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
MetaSploit
|
2026-05-13
|
|
Windows Chromium Process Launched with Logging Disabled
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, XMRig
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Explorer.exe Spawning PowerShell or Cmd
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
Hunting
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Suspicious Rundll32 StartW
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Cobalt Strike, Trickbot, Hellcat Ransomware, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Binary Execution from an Archive
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2026-05-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2026-05-13
|
|
System User Discovery With Whoami
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Qakbot, Rhysida Ransomware, LAMEHUG, PHP-CGI RCE Attack on Japanese Organizations, Lotus Blossom Chrysalis Backdoor, CISA AA23-347A, Active Directory Discovery, Winter Vivern
|
2026-05-13
|
|
Windows Odbcconf Load Response File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
T1222.001
T1550
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Execute Javascript With Jscript COM CLSID
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.005
|
TTP
|
Ransomware
|
2026-05-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows IOBit Unlocker Extension DLL Registration via Regsvr32
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
T1014
T1068
|
Hunting
|
CISA AA22-320A, AgentTesla, Windows Drivers, BlackByte Ransomware
|
2026-05-13
|
|
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
|
Cisco Network Visibility Module Flow Data
|
T1218.005
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Disabling SystemRestore In Registry
|
Sysmon EventID 13
|
T1490
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Proxy Execution of .NET Utilities via Scripts
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 13
|
T1219
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious msbuild path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1127.001
|
TTP
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware, Masquerading - Rename System Utilities, Living Off The Land, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows ConsoleHost History File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Linux DD File Overwrite
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
Industroyer2, Data Destruction
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Kerberos Coercion via DNS
|
Windows Event Log Security 5136, Windows Event Log Security 4662, Windows Event Log Security 5137
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Detect Regsvr32 Application Control Bypass
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
TTP
|
Cobalt Strike, BlackByte Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Suspicious Regsvr32 Activity, Living Off The Land, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows DNS Query Request To TinyUrl
|
Sysmon EventID 22
|
T1105
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
T1134.004
T1543
|
Anomaly
|
FIN7, NjRAT, MuddyWater, Unusual Processes, VIP Keylogger, Axios Supply Chain Post Compromise, ShrinkLocker, Remcos, 0bj3ctivity Stealer, WhisperGate, XWorm, Data Destruction
|
2026-05-13
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2026-05-13
|
|
Common Ransomware Notes
|
Sysmon EventID 11
|
T1485
|
Hunting
|
SamSam Ransomware, Storm-0501 Ransomware, Clop Ransomware, Hellcat Ransomware, Rhysida Ransomware, LockBit Ransomware, Medusa Ransomware, Black Basta Ransomware, Ryuk Ransomware, NailaoLocker Ransomware, Ransomware, Interlock Ransomware, Termite Ransomware, Chaos Ransomware
|
2026-05-13
|
|
Windows Hosts File Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
Microsoft WSUS CVE-2025-59287, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Water Gamayun, Winter Vivern
|
2026-05-13
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Rundll32 Control RunDLL Hunt
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
Hunting
|
Suspicious Rundll32 Activity, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Windows Process Injection into Commonly Abused Processes
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
T1059.001
T1592
|
Anomaly
|
Malicious PowerShell, Qakbot, Quasar RAT, AsyncRAT, MoonPeak, BlankGrabber Stealer, LockBit Ransomware, Malicious Inno Setup Loader, Scattered Spider, VIP Keylogger, Hermetic Wiper, Axios Supply Chain Post Compromise, Industroyer2, Data Destruction
|
2026-05-13
|
|
Domain Controller Discovery with Wmic
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Windows Remote Assistance Spawning Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Compromised Windows Host, Unusual Processes
|
2026-05-13
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Wmic Group Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1558
|
Hunting
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
T1553.003
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows RDP Bitmap Cache File Creation
|
Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
T1569.002
|
Anomaly
|
Clop Ransomware, Qakbot, Gh0st RAT, Tuoni, Active Directory Lateral Movement, Snake Malware, PlugX, CISA AA23-347A, Flax Typhoon, Brute Ratel C4
|
2026-05-13
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Process With NamedPipe CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
T1543.003
|
TTP
|
Cobalt Strike, Compromised Windows Host, BlackByte Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Cisco Isovalent - Non Allowlisted Image Use
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
T1218
|
Hunting
|
Lumma Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, Windows Registry Abuse, IcedID, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A
|
2026-05-13
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Hellcat Ransomware
|
2026-05-13
|
|
Windows Proxy Via Netsh
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
T1059.007
T1218.014
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
CISA AA24-241A, XWorm, Salt Typhoon, Scheduled Tasks, Azorult, MoonPeak, Malicious Inno Setup Loader, Lokibot, Ryuk Ransomware, SolarWinds WHD RCE Post Exploitation, APT37 Rustonotto and FadeStealer, Living Off The Land, Ransomware, Windows Persistence Techniques, Medusa Ransomware, DarkCrystal RAT, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, Quasar RAT, NetSupport RMM Tool Abuse, Scattered Spider
|
2026-05-13
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
T1190
|
Hunting
|
Hellcat Ransomware, MOVEit Transfer Authentication Bypass
|
2026-05-13
|
|
Processes Tapping Keyboard Events
|
Osquery Results
|
N/A
|
TTP
|
ColdRoot MacOS RAT, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Ransomware, Malicious PowerShell, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
T1003.008
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Unload Sysmon Filter Driver
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2026-05-13
|
|
WSReset UAC Bypass
|
Sysmon EventID 13, Sysmon EventID 12
|
T1548.002
|
TTP
|
MoonPeak, Windows Registry Abuse, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows RMM Tool Execution
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
NetSupport RMM Tool Abuse, Remote Monitoring and Management Software, Suspicious User Agents
|
2026-05-13
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
T1552.002
|
TTP
|
Windows Registry Abuse, BlackMatter Ransomware
|
2026-05-13
|
|
DSQuery Domain Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1482
|
TTP
|
Domain Trust Discovery, Active Directory Discovery, Compromised Windows Host
|
2026-05-13
|
|
Windows Remote Management Execute Shell
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1021.006
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Service Stop Attempt
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1489
|
Hunting
|
Scattered Lapsus$ Hunters, Gh0st RAT, Graceful Wipe Out Attack, Prestige Ransomware
|
2026-05-13
|
|
System User Discovery With Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
T1068
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 11, Sysmon EventID 1
|
T1133
T1190
T1505.003
|
TTP
|
Ransomware, BlackByte Ransomware, ProxyShell
|
2026-05-13
|
|
Curl Execution with Percent Encoded URL
|
Sysmon EventID 1, Windows Event Log Security 4688, Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2
|
T1027
T1105
|
Anomaly
|
Ingress Tool Transfer, Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Rundll32 Inline HTA Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
NOBELIUM Group, APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity
|
2026-05-13
|
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
T1114.001
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Net System Service Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1007
|
Hunting
|
LAMEHUG, Gh0st RAT
|
2026-05-13
|
|
SecretDumps Offline NTDS Dumping Tool
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Storm-0501 Ransomware, Rhysida Ransomware, Credential Dumping, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Storm-0501 Ransomware, Data Destruction, Prestige Ransomware, CISA AA22-277A, Active Directory Lateral Movement, Gozi Malware, Industroyer2, WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Unusual Intelliform Storage Registry Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Lokibot, Quasar RAT
|
2026-05-13
|
|
Windows Excessive Service Stop Attempt
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1489
|
TTP
|
Ransomware, BlackByte Ransomware, XMRig
|
2026-05-13
|
|
Windows Sensitive Group Discovery With Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
Anomaly
|
Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, IcedID, BlackSuit Ransomware, Active Directory Discovery, Volt Typhoon
|
2026-05-13
|
|
Windows Office Product Spawned Child Process For Download
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
TTP
|
NjRAT, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, PlugX
|
2026-05-13
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
T1027.005
|
TTP
|
Ransomware, Malicious PowerShell, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
GetLocalUser with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Suspicious microsoft workflow compiler usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1127
|
TTP
|
Trusted Developer Utilities Proxy Execution, Living Off The Land
|
2026-05-13
|
|
Windows DLL Module Loaded in Temp Dir
|
Sysmon EventID 7
|
T1105
|
Hunting
|
Interlock Rat, Lokibot, SolarWinds WHD RCE Post Exploitation
|
2026-05-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
T1112
|
TTP
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows MSIX Package Interaction
|
Windows Event Log AppXPackaging 171
|
T1204.002
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
T1574.006
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, APT29 Diplomatic Deceptions with WINELOADER, Earth Alux, Derusbi, XWorm
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
MacOS Network Share Discovery
|
Osquery Results
|
T1135
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Child Processes of Spoolsv exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1216
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and Winrs
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Trickbot Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1055
|
TTP
|
Trickbot, Hellcat Ransomware
|
2026-05-13
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-13
|
|
Windows System Network Config Discovery Display DNS
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1016
|
Anomaly
|
Water Gamayun, Medusa Ransomware, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows File and Directory Permissions Enable Inheritance
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1222.001
|
Hunting
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 13
|
T1685
|
Hunting
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default RDP File Creation By Non MSTSC Process
|
Sysmon EventID 11, Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect New Local Admin account
|
Windows Event Log Security 4732, Windows Event Log Security 4720
|
T1136.001
|
TTP
|
HAFNIUM Group, Scattered Lapsus$ Hunters, DHS Report TA18-074A, CISA AA22-257A, CISA AA24-241A
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Odbcconf Load DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Advanced IP or Port Scanner Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1046
T1135
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Security Account Manager Stopped
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1489
|
TTP
|
Scattered Lapsus$ Hunters, Compromised Windows Host, Ryuk Ransomware
|
2026-05-13
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlackLotus Campaign, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco NVM - Susp Script From Archive Triggering Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1204.002
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Quasar RAT, AsyncRAT, Scheduled Tasks, NetSupport RMM Tool Abuse, Castle RAT, SolarWinds WHD RCE Post Exploitation, RedLine Stealer, CISA AA23-347A, Compromised Windows Host, XWorm
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Detect Regasm Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.009
|
TTP
|
Void Manticore, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity, Compromised Windows Host, Handala Wiper, DarkGate Malware
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
CISA AA22-257A, Scheduled Tasks, Active Directory Lateral Movement, CISA AA23-347A, Compromised Windows Host
|
2026-05-13
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Disabling Firewall with Netsh
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows TOR Client Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1090.003
|
Anomaly
|
Command And Control, Data Exfiltration, Windows Post-Exploitation, Compromised Windows Host, Data Protection
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Audit Policy Cleared via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Data Transfer Size Limits Via Split
|
Linux Auditd Execve
|
T1030
|
Anomaly
|
Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
T1021
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Interlock Ransomware, Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
China-Nexus Threat Activity, Scheduled Tasks, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Windows AutoIt3 Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
TTP
|
Handala Wiper, Void Manticore, Crypto Stealer, DarkGate Malware
|
2026-05-13
|
|
Windows Diskshadow Proxy Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows PowerShell FakeCAPTCHA Clipboard Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1059.001
T1059.003
T1204.001
|
TTP
|
Fake CAPTCHA Campaigns, Scattered Lapsus$ Hunters, NetSupport RMM Tool Abuse, Interlock Ransomware, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux Auditd Sysmon Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Office Product Spawned Rundll32 With No DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
TTP
|
Prestige Ransomware, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Compromised Windows Host, Crypto Stealer, Graceful Wipe Out Attack
|
2026-05-13
|
|
Domain Group Discovery With Wmic
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Phemedrone Stealer, Quasar RAT, Prestige Ransomware, Scheduled Tasks, NOBELIUM Group, Active Directory Lateral Movement, RedLine Stealer, Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows MSIExec Spawn WinDBG
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, RedLine Stealer, SolarWinds WHD RCE Post Exploitation
|
2026-05-13
|
|
Cisco Isovalent - Shell Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Suspicious VMWare Tools Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise
|
2026-05-13
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
T1204.002
T1553.005
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 3, Sysmon EventID 1
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows Powershell RemoteSigned File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
Anomaly
|
Amadey
|
2026-05-13
|
|
Detect Rare Executables
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, Rhysida Ransomware, Unusual Processes, SnappyBee, Crypto Stealer
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-05-13
|
|
Cisco NVM - Outbound Connection to Suspicious Port
|
Cisco Network Visibility Module Flow Data
|
T1571
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
MacOS AMOS Stealer - Virtual Machine Check Activity
|
Osquery Results
|
T1059.002
|
Anomaly
|
AMOS Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
SLUI Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Docker Root Directory Mount
|
Sysmon for Linux EventID 1
|
T1611
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
T1200
|
Anomaly
|
Compromised Linux Host, AwfulShred, Scattered Lapsus$ Hunters, Data Destruction
|
2026-05-13
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Object Owner Updated
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Services Escalate Exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548
|
TTP
|
Cobalt Strike, BlackByte Ransomware, CISA AA23-347A, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Auditd Shred Overwrite Command
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
AwfulShred, Linux Privilege Escalation, Compromised Linux Host, Industroyer2, Linux Persistence Techniques, Data Destruction
|
2026-05-13
|
|
Creation of Shadow Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host, Volt Typhoon
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1053.003
|
Hunting
|
XorDDos, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Office Product Spawned Control
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
TTP
|
Compromised Windows Host, Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Windows Wmic CPU Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows OneDrive Share Mounted via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Windows Registry Entries Exported Via Reg
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1012
|
Hunting
|
CISA AA23-347A, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 13
|
T1219
|
Anomaly
|
Command And Control, Seashell Blizzard, Scattered Lapsus$ Hunters, CISA AA24-241A, Gozi Malware, Insider Threat, Scattered Spider, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
PXA Stealer, StealC Stealer, BlankGrabber Stealer, Snake Keylogger
|
2026-05-13
|
|
Windows AppCertDLL Modification Via Command Line
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.009
|
Anomaly
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
T1558.001
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 4909, Windows Event Log Printservice 808
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Chrome Auto-Update Disabled via Registry
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
WMI Permanent Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, CISA AA23-347A, Windows Registry Abuse, IcedID
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.001
|
Hunting
|
Water Gamayun, Active Directory Discovery, Winter Vivern
|
2026-05-13
|
|
PowerShell Get LocalGroup Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
TTP
|
Active Directory Password Spraying
|
2026-05-13
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Modify ACL permission To Files Or Folder
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer, XMRig
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Dump LSASS via procdump
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.001
|
TTP
|
HAFNIUM Group, Storm-2460 CLFS Zero Day Exploitation, CISA AA22-257A, Credential Dumping, Seashell Blizzard, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse, CISA AA24-241A, ShrinkLocker
|
2026-05-13
|
|
BITSAdmin Download File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
T1197
|
TTP
|
Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, DarkSide Ransomware, Gozi Malware, Scattered Spider, APT37 Rustonotto and FadeStealer, Living Off The Land, Ingress Tool Transfer, Flax Typhoon, BITS Jobs
|
2026-05-13
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
T1087
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows SSH Proxy Command
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
T1105
T1572
|
Anomaly
|
Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware
|
2026-05-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2026-05-13
|
|
Windows System File on Disk
|
Sysmon EventID 11
|
T1068
|
Hunting
|
Windows Drivers, CISA AA22-264A, Crypto Stealer
|
2026-05-13
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, BlackSuit Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Rundll32 Apply User Settings Changes
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
Anomaly
|
Rhysida Ransomware
|
2026-05-13
|
|
Possible Browser Pass View Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555.003
|
Hunting
|
Remcos
|
2026-05-13
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
Hunting
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
Hunting
|
BlackByte Ransomware, Void Manticore, Windows Drivers
|
2026-05-13
|
|
Modification Of Wallpaper
|
Sysmon EventID 13
|
T1491
|
TTP
|
Rhysida Ransomware, Ransomware, LockBit Ransomware, Windows Registry Abuse, ZOVWiper, Black Basta Ransomware, BlackMatter Ransomware, Revil Ransomware, Brute Ratel C4
|
2026-05-13
|
|
Windows SpeechRuntime COM Hijacking DLL Load
|
Sysmon EventID 7
|
T1021.003
|
TTP
|
Compromised Windows Host, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows System Time Discovery W32tm Delay
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1124
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Linux Add User Account
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1136.001
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Domain Controller Discovery with Nltest
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
TTP
|
Rhysida Ransomware, NetSupport RMM Tool Abuse, Medusa Ransomware, BlackSuit Ransomware, CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Linux Telnet Authentication Bypass
|
Sysmon for Linux EventID 1
|
T1548
|
TTP
|
Telnetd CVE-2026-24061
|
2026-05-13
|
|
Windows HTTP Network Communication From MSIExec
|
Sysmon EventID 3, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1218.007
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, SolarWinds WHD RCE Post Exploitation, APT37 Rustonotto and FadeStealer, Windows System Binary Proxy Execution MSIExec, Water Gamayun, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
|
Cisco Network Visibility Module Flow Data
|
T1016
T1590.005
|
Anomaly
|
BlankGrabber Stealer, Castle RAT, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Filtering Platform Policy Added to Block EDR Process
|
Sysmon EventID 13
|
T1685
|
TTP
|
Security Solution Tampering, Disabling Security Tools
|
2026-05-13
|
|
Windows Office Product Loading VBE7 DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Trickbot, NjRAT, Qakbot, MuddyWater, Azorult, Spearphishing Attachments, IcedID, DarkCrystal RAT, PlugX, Remcos, AgentTesla
|
2026-05-13
|
|
Windows PsTools Recon Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
T1046
T1082
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Path, Linux Auditd Cwd
|
T1548.003
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
TTP
|
Void Manticore, Disk Wiper, Swift Slicer, Handala Wiper, Data Destruction
|
2026-05-13
|
|
Windows Service Creation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, Active Directory Lateral Movement, SnappyBee, CISA AA23-347A
|
2026-05-13
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Interlock Ransomware, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Sdclt UAC Bypass
|
Sysmon EventID 13, Sysmon EventID 12
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Devtunnels Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidPour, AcidRain, Data Destruction
|
2026-05-13
|
|
Windows RunMRU Command Execution
|
Sysmon EventID 13
|
T1202
|
Anomaly
|
Lumma Stealer, Fake CAPTCHA Campaigns
|
2026-05-13
|
|
Windows Office Product Loading Taskschd DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
GetCurrent User with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Scheduled Tasks, Living Off The Land, Active Directory Lateral Movement, Hellcat Ransomware
|
2026-05-13
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
T1685
|
Anomaly
|
Scattered Lapsus$ Hunters, Double Zero Destructor, Data Destruction
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
MacOS Hidden Files and Directories
|
Osquery Results
|
T1564.001
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
Windows COM Hijacking InprocServer32 Modification
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.015
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
T1505.001
|
Anomaly
|
SQL Server Abuse, Hellcat Ransomware
|
2026-05-13
|
|
Windows Chrome Enable Extension Loading via Command-Line
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1218
T1567
|
TTP
|
Fake CAPTCHA Campaigns, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, NetSupport RMM Tool Abuse, Malicious Inno Setup Loader, APT37 Rustonotto and FadeStealer, Living Off The Land, Water Gamayun
|
2026-05-13
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
T1087
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hiding Files And Directories With Attrib exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222.001
|
TTP
|
Windows Persistence Techniques, Azorult, Windows Defense Evasion Tactics, Malicious Inno Setup Loader, VIP Keylogger, Compromised Windows Host, Crypto Stealer
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, Windows Registry Abuse, XMRig, Warzone RAT
|
2026-05-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CISA AA23-347A, Medusa Ransomware
|
2026-05-13
|
|
Windows Audit Policy Restored via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Information Discovery Fsutil
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows User Disabled Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1531
|
Anomaly
|
XMRig
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
XorDDos, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Detect mshta inline hta execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
BlankGrabber Stealer, Gozi Malware, APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity, Compromised Windows Host, XWorm
|
2026-05-13
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
China-Nexus Threat Activity, SnappyBee, RedLine Stealer, Salt Typhoon
|
2026-05-13
|
|
Excessive number of service control start as disabled
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
T1033
|
Anomaly
|
QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
HAFNIUM Group, CISA AA22-257A, GhostRedirector IIS Module and Rungan Backdoor, BlackByte Ransomware, ProxyNotShell, Seashell Blizzard, ProxyShell, Compromised Windows Host
|
2026-05-13
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Mimikatz Binary Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003
|
TTP
|
CISA AA22-320A, Sandworm Tools, Scattered Spider, Credential Dumping, CISA AA23-347A, Compromised Windows Host, Flax Typhoon, Volt Typhoon
|
2026-05-13
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
Water Gamayun, Compromised Windows Host, XMRig
|
2026-05-13
|
|
Windows Audit Policy Excluded Category via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Driver Inventory
|
|
T1068
|
Hunting
|
Windows Drivers
|
2026-05-13
|
|
Suspicious Process Executed From Container File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.008
T1204.002
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Unusual Processes, APT37 Rustonotto and FadeStealer, Amadey, Snake Keylogger, Remcos, Water Gamayun
|
2026-05-13
|
|
Clop Common Exec Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, CISA AA22-257A, Scheduled Tasks, Windows Persistence Techniques, Castle RAT, Medusa Ransomware, SystemBC, Ryuk Ransomware, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ransomware, 0bj3ctivity Stealer, Compromised Windows Host, Winter Vivern
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1197
|
TTP
|
Gozi Malware, BITS Jobs
|
2026-05-13
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Scattered Lapsus$ Hunters, Industroyer2, CISA AA23-347A, Active Directory Discovery, Data Destruction
|
2026-05-13
|
|
Excessive Usage of NSLOOKUP App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1048
|
Anomaly
|
Command And Control, Suspicious DNS Traffic, Dynamic DNS, Data Exfiltration
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
Scheduled Tasks, MoonPeak, Malicious Inno Setup Loader, Lokibot, CISA AA23-347A, Winter Vivern
|
2026-05-13
|
|
Windows Cabinet File Extraction Via Expand
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
|
TTP
|
NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Suspicious Child Process Spawned From WebServer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1505.003
|
Anomaly
|
Microsoft WSUS CVE-2025-59287, HAFNIUM Group, CISA AA22-264A, CISA AA22-257A, GhostRedirector IIS Module and Rungan Backdoor, Microsoft SharePoint Vulnerabilities, Medusa Ransomware, SysAid On-Prem Software CVE-2023-47246 Vulnerability, BlackByte Ransomware, Citrix ShareFile RCE CVE-2023-24489, ProxyNotShell, WS FTP Server Critical Vulnerabilities, ProxyShell, Compromised Windows Host, Flax Typhoon
|
2026-05-13
|
|
Cisco Isovalent - Access To Cloud Metadata Service
|
Cisco Isovalent Process Connect
|
T1552.005
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows NirSoft Tool Bundle File Created
|
Sysmon EventID 11
|
T1588.002
|
Anomaly
|
WhisperGate, Unusual Processes, Data Destruction
|
2026-05-13
|
|
Windows Potential Cloudflared Tunnel Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
T1135
|
Hunting
|
IcedID
|
2026-05-13
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
Sysmon EventID 13
|
T1059.001
|
TTP
|
HAFNIUM Group, Malicious PowerShell, SystemBC, Credential Dumping, SolarWinds WHD RCE Post Exploitation, Hermetic Wiper, DarkGate Malware, Data Destruction
|
2026-05-13
|
|
Notepad with no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account, Crypto Stealer
|
2026-05-13
|
|
Active Directory Privilege Escalation Identified
|
|
T1484
|
Correlation
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Single Letter Process On Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
|
TTP
|
DHS Report TA18-074A, Compromised Windows Host
|
2026-05-13
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export Certificate
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Sdelete Application Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070.004
T1485
|
TTP
|
Scattered Spider, Void Manticore, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 12
|
T1112
T1689
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, BlackSuit Ransomware, Interlock Ransomware
|
2026-05-13
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
NLTest Domain Trust Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1482
|
TTP
|
Storm-0501 Ransomware, Qakbot, Rhysida Ransomware, Medusa Ransomware, IcedID, Domain Trust Discovery, Ryuk Ransomware, Active Directory Discovery, Cleo File Transfer Software
|
2026-05-13
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
Lokibot, NjRAT
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Excessive Usage Of Net App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1531
|
Anomaly
|
XMRig, Prestige Ransomware, Azorult, Rhysida Ransomware, Windows Post-Exploitation, Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Living Off The Land, AwfulShred, Linux Privilege Escalation, Gomir, Linux Persistence Techniques, Data Destruction
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
Seashell Blizzard, Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
T1014
T1082
|
Anomaly
|
Compromised Linux Host, XorDDos, Linux Rootkit
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
Microsoft WSUS CVE-2025-59287, PromptLock, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Odbcconf Hunting
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.008
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla
|
2026-05-13
|
|
Network Connection Discovery With Arp
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1049
|
Hunting
|
Qakbot, Prestige Ransomware, IcedID, Windows Post-Exploitation, Interlock Ransomware, Active Directory Discovery, Volt Typhoon
|
2026-05-13
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Elevated Group Discovery With Wmic
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Cobalt Strike PowerShell Loader
|
Powershell Script Block Logging 4104
|
T1059.001
T1608
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows System User Discovery Via Quser
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Crypto Stealer, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 11
|
T1485
|
TTP
|
Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Windows Command Shell DCRat ForkBomb Payload
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
TTP
|
Compromised Windows Host, DarkCrystal RAT
|
2026-05-13
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
T1003.001
|
TTP
|
Scattered Lapsus$ Hunters, CISA AA22-257A, Credential Dumping, Cactus Ransomware, Seashell Blizzard
|
2026-05-13
|
|
NET Profiler UAC bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Excessive Attempt To Disable Services
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1489
|
Anomaly
|
Azorult, XMRig
|
2026-05-13
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows Default Group Policy Object Modified with GPME
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detect Renamed WinRAR
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1560.001
|
Hunting
|
China-Nexus Threat Activity, Collection and Staging, Salt Typhoon, CISA AA22-277A
|
2026-05-13
|
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1201
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Excessive File Deletion In WinDefender Folder
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
TTP
|
BlackByte Ransomware, WhisperGate, Data Destruction
|
2026-05-13
|
|
WMIC XSL Execution via URL
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1220
|
TTP
|
Compromised Windows Host, Suspicious WMI Use, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Windows Persistence Techniques, Sneaky Active Directory Persistence Tricks, Windows Registry Abuse, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Scattered Lapsus$ Hunters, Lokibot, Cactus Ransomware, Credential Dumping, CISA AA23-347A
|
2026-05-13
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 11, Sysmon EventID 1
|
T1566.001
|
Anomaly
|
PXA Stealer, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, Amadey, Meduza Stealer, Remcos
|
2026-05-13
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1505.004
T1685.001
|
Anomaly
|
CISA AA23-347A, IIS Components, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments
|
2026-05-13
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
China-Nexus Threat Activity, Linux Rootkit, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
ValleyRAT, Water Gamayun
|
2026-05-13
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Phemedrone Stealer, BlankGrabber Stealer, MoonPeak, Malicious Inno Setup Loader, RedLine Stealer, Amadey, Meduza Stealer, Braodo Stealer, 0bj3ctivity Stealer, CISA AA23-347A, StealC Stealer, DarkGate Malware
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-05-13
|
|
7zip CommandLine To SMB Share Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1560.001
|
Hunting
|
Ransomware
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
T1021.004
|
TTP
|
VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Linux Decode Base64 to Shell
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1027
T1059.004
|
TTP
|
Linux Living Off The Land, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Ping Sleep Batch Command
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497.003
|
Anomaly
|
Gh0st RAT, Quasar RAT, Void Manticore, BlackByte Ransomware, Meduza Stealer, Warzone RAT, WhisperGate, Data Destruction
|
2026-05-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
T1574.001
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious PowerShell Process - Encoded Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027
|
Hunting
|
Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Qakbot, Data Destruction, Lumma Stealer, GhostRedirector IIS Module and Rungan Backdoor, Microsoft SharePoint Vulnerabilities, NOBELIUM Group, CISA AA22-320A, Sandworm Tools, Scattered Spider, SolarWinds WHD RCE Post Exploitation, Hermetic Wiper, DarkCrystal RAT, WhisperGate, Crypto Stealer, Volt Typhoon
|
2026-05-13
|
|
Recursive Delete of Directory In Batch CMD
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070.004
|
TTP
|
Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-05-13
|
|
Excessive Usage Of Taskkill
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
NjRAT, CISA AA22-264A, XMRig, BlankGrabber Stealer, CISA AA22-277A, Azorult, AgentTesla, Crypto Stealer
|
2026-05-13
|
|
Windows Credentials in Registry Reg Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1552.002
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Quasar RAT, Scheduled Tasks, Windows Persistence Techniques, Ryuk Ransomware, SolarWinds WHD RCE Post Exploitation, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard
|
2026-05-13
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
T1218.014
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
T1105
|
Hunting
|
XorDDos, Linux Living Off The Land, NPM Supply Chain Compromise, Ingress Tool Transfer, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Firewall Rule Deletion
|
Windows Event Log Security 4948
|
T1686
|
Anomaly
|
NetSupport RMM Tool Abuse, Medusa Ransomware, ShrinkLocker
|
2026-05-13
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
T1686
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
T1548.003
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
China-Nexus Threat Activity, NjRAT, Salt Typhoon, APT37 Rustonotto and FadeStealer, PlugX, Derusbi, Chaos Ransomware
|
2026-05-13
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 11
|
T1566.002
|
Anomaly
|
Qakbot, BlankGrabber Stealer, Spearphishing Attachments, Gozi Malware, IcedID, APT37 Rustonotto and FadeStealer, Amadey
|
2026-05-13
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Vulnerable 3CX Software
|
Sysmon EventID 1
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
T1550.003
|
TTP
|
Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, ZOVWiper, BlackSuit Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Web Servers Executing Suspicious Processes
|
Sysmon EventID 1
|
T1082
|
TTP
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1126, Windows Event Log Defender 1125, Windows Event Log Defender 1134, Windows Event Log Defender 1122, Windows Event Log Defender 1132
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Linux Privilege Escalation, Linux Persistence Techniques, Salt Typhoon
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host, Hellcat Ransomware
|
2026-05-13
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
T1685
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
System Info Gathering Using Dxdiag Application
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1592
|
Hunting
|
Remcos
|
2026-05-13
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204.002
|
Hunting
|
IcedID
|
2026-05-13
|
|
Eventvwr UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
ValleyRAT, Windows Registry Abuse, IcedID, Windows Defense Evasion Tactics, Living Off The Land
|
2026-05-13
|
|
Windows Suspicious File in EFI Volume
|
Sysmon EventID 11
|
T1490
T1542.001
|
TTP
|
Windows BootKits, BlackLotus Campaign, Sandworm Tools
|
2026-05-13
|
|
Windows SIP Provider Inventory
|
|
T1553.003
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
WMI Temporary Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows Registry Payload Injection
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
Unusual Processes
|
2026-05-13
|
|
Windows NetSupport RMM DLL Loaded By Uncommon Process
|
Sysmon EventID 7
|
T1036
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Process Writing File to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper
|
2026-05-13
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Windows AD GPO Deleted
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Default Rdp File Unhidden
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
|
Anomaly
|
China-Nexus Threat Activity, XorDDos, Linux Privilege Escalation, Backdoor Pingpong, Linux Persistence Techniques
|
2026-05-13
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
TTP
|
Trickbot, Qakbot
|
2026-05-13
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, AcidRain, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Curl Upload to Remote Destination
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1105
|
TTP
|
Microsoft WSUS CVE-2025-59287, PromptLock, NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host, Cisco Network Visibility Module Analytics, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Windows Shell or Script Execution From IIS Directory
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1190
T1505.004
|
Anomaly
|
ProxyShell, ProxyNotShell
|
2026-05-13
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
T1548
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
CrowdStrike Falcon Stream Alerts
|
CrowdStrike Falcon Stream Alert
|
N/A
|
Anomaly
|
Critical Alerts
|
2026-05-13
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Disable Internet Explorer Addons
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1176.001
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Disable ETW Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Ransomware, CISA AA23-347A, Windows Registry Abuse
|
2026-05-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Windows XLL File Creation Outside of Typical Location
|
Sysmon EventID 11
|
T1059
T1129
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Network Connection Discovery With Netstat
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1049
|
Hunting
|
Qakbot, Prestige Ransomware, CISA AA22-277A, Medusa Ransomware, Windows Post-Exploitation, PlugX, CISA AA23-347A, Active Directory Discovery, Volt Typhoon
|
2026-05-13
|
|
Windows Office Product Dropped Cab or Inf File
|
Windows Event Log Security 4688, Sysmon EventID 11, Sysmon EventID 1
|
T1566.001
|
TTP
|
Compromised Windows Host, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco NVM - Suspicious File Download via Headless Browser
|
Cisco Network Visibility Module Flow Data
|
T1059
T1105
|
TTP
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Detect Regsvcs Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Winhlp32 Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Remcos, Compromised Windows Host
|
2026-05-13
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Crowdstrike Admin With Duplicate Password
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 3, Sysmon EventID 1
|
T1055
|
TTP
|
Cobalt Strike, Hellcat Ransomware, BlackByte Ransomware, Cactus Ransomware, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Local LLM Framework Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Chrome Extension Allowed Registry Modification
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidPour, AcidRain
|
2026-05-13
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Medusa Ransomware
|
2026-05-13
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
China-Nexus Threat Activity, SnappyBee, Salt Typhoon
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
T1003.004
|
TTP
|
CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
MacOS LOLbin
|
Osquery Results
|
T1059.004
|
TTP
|
Hellcat Ransomware, Living Off The Land, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
Hunting
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Auditd Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Suspicious Regsvr32 Register Suspicious Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
TTP
|
China-Nexus Threat Activity, Qakbot, Salt Typhoon, IcedID, Suspicious Regsvr32 Activity, Living Off The Land, Derusbi
|
2026-05-13
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Outlook RCE CVE-2024-21378, Hellcat Ransomware
|
2026-05-13
|
|
Windows Credentials from Password Stores Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555
|
Anomaly
|
NetSupport RMM Tool Abuse, DarkGate Malware, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
TTP
|
Castle RAT, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Path Interception By Creation Of program exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.009
|
TTP
|
Windows Persistence Techniques, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Execute Arbitrary Commands with MSDT
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2026-05-13
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Detect Zerologon Attack, Scattered Lapsus$ Hunters, Lokibot, Credential Dumping, BlackSuit Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
T1548.001
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows RDP Server Registry Entry Created
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Remote Create Service
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
Anomaly
|
CISA AA23-347A, BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
File Download or Read to Pipe Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Linux Living Off The Land, NPM Supply Chain Compromise, Log4Shell CVE-2021-44228, Ingress Tool Transfer, Compromised Windows Host
|
2026-05-13
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows LAPS Password Gathering Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1003
T1552
|
Anomaly
|
Credential Dumping, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
PathWiper, Brute Ratel C4
|
2026-05-13
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Discovery, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows RDP Client Launched with Admin Session
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Data Destruction, Prestige Ransomware, CISA AA22-277A, Active Directory Lateral Movement, Industroyer2, WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon
|
2026-05-13
|
|
Windows Findstr GPP Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Windows Persistence Techniques, Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
T1592
|
TTP
|
Malicious PowerShell, Qakbot, Quasar RAT, Prestige Ransomware, MoonPeak, Hermetic Wiper, Windows Post-Exploitation, Ransomware, XWorm, Data Destruction
|
2026-05-13
|
|
Windows Privileged Group Modification
|
Windows Event Log Security 4790, Windows Event Log Security 4756, Windows Event Log Security 4727, Windows Event Log Security 4754, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4783, Windows Event Log Security 4759, Windows Event Log Security 4731
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Process Execution via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows System User Privilege Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows SubInAcl Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
T1135
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Change File Association Command To Notepad
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.001
|
TTP
|
Compromised Windows Host, Prestige Ransomware
|
2026-05-13
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
T1003
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
|
T1059.001
|
Anomaly
|
BlackByte Ransomware, ProxyShell, ProxyNotShell, Scattered Spider
|
2026-05-13
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Industroyer2, Active Directory Discovery, Data Destruction
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Rubeus Command Line Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, ZOVWiper, BlackSuit Ransomware, Active Directory Privilege Escalation, CISA AA23-347A
|
2026-05-13
|
|
Disabling Defender Services
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, RedLine Stealer, IcedID
|
2026-05-13
|
|
Windows Time Based Evasion
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497.003
|
TTP
|
NjRAT, BlankGrabber Stealer
|
2026-05-13
|
|
MacOS plutil
|
Osquery Results
|
T1647
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.001
|
TTP
|
Suspicious Compiled HTML Activity, Compromised Windows Host, APT37 Rustonotto and FadeStealer, Living Off The Land
|
2026-05-13
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection From Process With No Args
|
Cisco Network Visibility Module Flow Data
|
T1055
T1218
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Service Deletion In Registry
|
Sysmon EventID 13
|
T1489
|
Anomaly
|
Crypto Stealer, Brute Ratel C4, PlugX
|
2026-05-13
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
T1056.002
|
Hunting
|
APT37 Rustonotto and FadeStealer, Brute Ratel C4
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Systeminfo Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
Anomaly
|
LAMEHUG, Lotus Blossom Chrysalis Backdoor, BlankGrabber Stealer
|
2026-05-13
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Chromium Process with Disabled Extensions
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows System Discovery Using ldap Nslookup
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Linux Disable Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
Industroyer2, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows IIS Components Add New Module
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Unusually Long Command Line
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
N/A
|
Anomaly
|
Ransomware, Unusual Processes, Suspicious Command-Line Executions, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
2026-05-13
|
|
Windows .Key File Creation in Root Directory
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Create or delete windows shares using net exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070.005
|
TTP
|
Hidden Cobra Malware, Prestige Ransomware, CISA AA22-277A, Windows Post-Exploitation, DarkGate Malware
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Windows Persistence Techniques, Scheduled Tasks, Windows Registry Abuse
|
2026-05-13
|
|
Excessive number of taskhost processes
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Conti Common Exec parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204
|
TTP
|
Ransomware, Compromised Windows Host, Hellcat Ransomware
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Get-DomainTrust with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Storm-0501 Ransomware, Data Destruction, Prestige Ransomware, CISA AA22-277A, Active Directory Lateral Movement, Gozi Malware, Industroyer2, WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon
|
2026-05-13
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2026-05-13
|
|
Linux Shred Overwrite Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Linux Privilege Escalation, Industroyer2, Linux Persistence Techniques, Data Destruction
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlankGrabber Stealer, Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003.002
|
TTP
|
VanHelsing Ransomware, Credential Dumping
|
2026-05-13
|
|
Process Deleting Its Process File Path
|
Sysmon EventID 1
|
T1070
|
TTP
|
Remcos, Clop Ransomware, WhisperGate, Data Destruction
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Windows Persistence Techniques, Ransomware, Scheduled Tasks
|
2026-05-13
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
APT37 Rustonotto and FadeStealer, Winter Vivern
|
2026-05-13
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Crowdstrike Admin Weak Password Policy
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1008
T1137
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2026-05-13
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Gh0st RAT
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Remote Services Allow Rdp In Firewall
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.001
|
Anomaly
|
Azorult, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4887, Windows Event Log Security 4768
|
T1550
T1649
|
TTP
|
Compromised Windows Host, Windows Certificate Services
|
2026-05-13
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 18, Sysmon EventID 17
|
T1559
|
Hunting
|
China-Nexus Threat Activity, Salt Typhoon, Interlock Rat, Castle RAT, SnappyBee
|
2026-05-13
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Cached Domain Credentials Reg Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.005
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
BlackByte Ransomware, ProxyShell, ProxyNotShell, Seashell Blizzard
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Detect Prohibited Applications Spawning cmd exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Hunting
|
NOBELIUM Group, Suspicious Command-Line Executions, Suspicious Zoom Child Processes, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Ldifde Directory Object Behavior
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
T1105
|
TTP
|
Volt Typhoon
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Process Executed From Removable Media
|
Sysmon EventID 13, Sysmon EventID 1
|
T1025
T1091
T1200
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Data Protection
|
2026-05-13
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
T1566.001
|
Hunting
|
Qakbot, Azorult, Gozi Malware, IcedID, Warzone RAT, Remcos, AgentTesla, Brute Ratel C4
|
2026-05-13
|
|
MacOS LoginHook Persistence
|
Osquery Results
|
T1037.002
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Rundll32 Load DLL in Temp Dir
|
Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Interlock Rat
|
2026-05-13
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
T1685
|
Hunting
|
AwfulShred, Scattered Lapsus$ Hunters, Data Destruction
|
2026-05-13
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1068
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Network Connection From Program In Suspect Location
|
Sysmon EventID 3
|
T1011
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Azorult
|
2026-05-13
|
|
Detect mshta renamed
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
Hunting
|
APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Service Create Kernel Mode Driver
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
T1543.003
|
TTP
|
CISA AA22-320A, Windows Drivers
|
2026-05-13
|
|
Windows Remote Image Load
|
Sysmon EventID 7
|
T1059
T1068
T1129
T1203
|
Anomaly
|
Ransomware, BlackByte Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Windows SQL Server Configuration Option Hunt
|
Windows Event Log Application 15457
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Remote System Discovery with Wmic
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, Trickbot, Hellcat Ransomware, Meterpreter, LockBit Ransomware, DarkSide Ransomware, Tuoni, Gozi Malware, BlackByte Ransomware, APT37 Rustonotto and FadeStealer, Remote Monitoring and Management Software, Graceful Wipe Out Attack, Brute Ratel C4
|
2026-05-13
|
|
Remote System Discovery with Dsquery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
XorDDos, Linux Rootkit, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Mmc LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
T1218.014
|
TTP
|
XML Runner Loader, Water Gamayun, Living Off The Land, Active Directory Lateral Movement
|
2026-05-13
|
|
Potential Telegram API Request Via CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1041
T1102.002
|
Anomaly
|
Hellcat Ransomware, BlankGrabber Stealer, XMRig, 0bj3ctivity Stealer, Water Gamayun
|
2026-05-13
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Ransomware, LockBit Ransomware, Revil Ransomware
|
2026-05-13
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
T1548.001
|
Hunting
|
China-Nexus Threat Activity, Salt Typhoon, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Windows Indirect Command Execution Via pcalua
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1202
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4742
|
T1210
|
Hunting
|
Detect Zerologon Attack
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Disable Schedule Task
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Linux Auditd Copy Fail Privilege Escalation
|
Linux Auditd Syscall
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-13
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
T1070.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
RunDLL Loading DLL By Ordinal
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Unusual Processes, Suspicious Rundll32 Activity, Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Credential Dumping LSASS Memory Createdump
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.001
|
TTP
|
Credential Dumping, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger, XWorm, AsyncRAT
|
2026-05-13
|
|
Suspicious WAV file in Appdata Folder
|
Windows Event Log Security 4688, Sysmon EventID 11, Sysmon EventID 1
|
T1113
|
TTP
|
Remcos
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
CISA AA22-257A, 0bj3ctivity Stealer, Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Linux Privilege Escalation, Linux Persistence Techniques, Salt Typhoon
|
2026-05-13
|
|
WinRAR Spawning Shell Application
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
|
TTP
|
WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host
|
2026-05-13
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
RedLine Stealer, StealC Stealer, Meduza Stealer
|
2026-05-13
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 11, Sysmon EventID 1
|
T1036
|
TTP
|
Collection and Staging, PlugX
|
2026-05-13
|
|
Delete ShadowCopy With PowerShell
|
Powershell Script Block Logging 4104
|
T1490
|
TTP
|
VanHelsing Ransomware, Revil Ransomware, DarkSide Ransomware, Cactus Ransomware, Ransomware, DarkGate Malware
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Gomir, Industroyer2, Linux Persistence Techniques, Data Destruction
|
2026-05-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 13, Sysmon EventID 1
|
T1112
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.008
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Living Off The Land
|
2026-05-13
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 13
|
T1218.005
|
TTP
|
Windows Persistence Techniques, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows Apache Benchmark Binary
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Anomaly
|
MetaSploit
|
2026-05-13
|
|
Windows Registry Entries Restored Via Reg
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1012
|
Hunting
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows WinRAR Launched Outside Default Installation Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows AdFind Exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
TTP
|
NOBELIUM Group, IcedID, BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack
|
2026-05-13
|
|
Ntdsutil Export NTDS
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
HAFNIUM Group, Prestige Ransomware, Rhysida Ransomware, NetSupport RMM Tool Abuse, Credential Dumping, Living Off The Land, Volt Typhoon
|
2026-05-13
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
T1105
|
TTP
|
Phemedrone Stealer, XMRig, Snake Keylogger, 0bj3ctivity Stealer, Water Gamayun, Crypto Stealer
|
2026-05-13
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1059.004
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Network Connection Discovery Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1049
|
Hunting
|
Azorult, Active Directory Discovery, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, Amadey
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053
|
Anomaly
|
XMRig, Qakbot, CISA AA22-257A, Scheduled Tasks, Medusa Ransomware, Industroyer2, Data Destruction
|
2026-05-13
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, AcidRain, Data Destruction
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, XWorm, Malicious Inno Setup Loader, Lokibot, NailaoLocker Ransomware, SolarWinds WHD RCE Post Exploitation, PlugX, SnappyBee, Derusbi, DarkGate Malware
|
2026-05-13
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Security And Backup Services Stop
|
Windows Event Log System 7036
|
T1490
|
TTP
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, LockBit Ransomware, Compromised Windows Host, Ransomware, Termite Ransomware, BlackMatter Ransomware
|
2026-05-13
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
T1553.005
|
TTP
|
Warzone RAT, Quasar RAT
|
2026-05-13
|
|
Windows Potential AppDomainManager Hijack Artifacts Creation
|
Sysmon EventID 11
|
T1574.014
|
Anomaly
|
SesameOp
|
2026-05-13
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Domain Group Discovery With Dsquery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Linux Privilege Escalation, Linux Persistence Techniques, Salt Typhoon
|
2026-05-13
|
|
GetDomainController with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Domain Account Discovery with Wmic
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.002
|
TTP
|
Interlock Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
T1552
|
Anomaly
|
VIP Keylogger, Lokibot, Snake Keylogger, Meduza Stealer, 0bj3ctivity Stealer, StealC Stealer
|
2026-05-13
|
|
Suspicious Rundll32 no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Cobalt Strike, Hellcat Ransomware, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows RDP Login Session Was Established
|
Windows Event Log Security 4624
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Hellcat Ransomware, Living Off The Land
|
2026-05-13
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
NjRAT, Azorult, Windows Registry Abuse, Medusa Ransomware, PlugX, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Windows Disable Memory Crash Dump
|
Sysmon EventID 13
|
T1485
|
TTP
|
Ransomware, Windows Registry Abuse, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Svchost.exe Parent Process Anomaly
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows DLL Side-Loading Process Child Of Calc
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.001
|
Anomaly
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Windows Regsvr32 Renamed Binary
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
TTP
|
Compromised Windows Host, Qakbot
|
2026-05-13
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
CISA AA22-320A, Credential Dumping, Windows Registry Abuse
|
2026-05-13
|
|
Detect Renamed 7-Zip
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1560.001
|
Hunting
|
Malicious Inno Setup Loader, Collection and Staging
|
2026-05-13
|
|
Jscript Execution Using Cscript App
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.007
|
TTP
|
FIN7, Remcos
|
2026-05-13
|
|
Windows Gdrive Binary Activity
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
GetDomainComputer with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System Reboot CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1529
|
Hunting
|
NjRAT, Scattered Lapsus$ Hunters, Quasar RAT, MuddyWater, MoonPeak, XWorm, DarkCrystal RAT, DarkGate Malware
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Windows Event Log Security 4688, Sysmon EventID 11, Sysmon EventID 1
|
T1547.012
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, CISA AA24-241A
|
2026-05-13
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
T1592
|
Anomaly
|
Malicious PowerShell, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Suspicious Rundll32 PluginInit
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
IcedID
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1574.006
|
TTP
|
VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Registry Dotnet ETW Disabled Via ENV Variable
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Sensitive Registry Hive Dump Via CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.002
|
TTP
|
Seashell Blizzard, CISA AA22-257A, Windows Registry Abuse, DarkSide Ransomware, Volt Typhoon, Credential Dumping, Industroyer2, CISA AA23-347A, Compromised Windows Host, Data Destruction
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 3, Sysmon EventID 1
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2026-05-13
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1021.002
T1087
T1135
|
TTP
|
Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows File Download Via CertUtil
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1105
|
TTP
|
Forest Blizzard, CISA AA22-277A, DarkSide Ransomware, ProxyNotShell, Living Off The Land, Cisco Network Visibility Module Analytics, Ingress Tool Transfer, Compromised Windows Host, Flax Typhoon
|
2026-05-13
|
|
Windows SQLCMD Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
Windows Time Based Evasion via Choice Exec
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497.003
|
Anomaly
|
VIP Keylogger, 0bj3ctivity Stealer, Snake Keylogger
|
2026-05-13
|
|
WBAdmin Delete System Backups
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Ryuk Ransomware, Ransomware, Chaos Ransomware
|
2026-05-13
|
|
CertUtil With Decode Argument
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1140
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Living Off The Land
|
2026-05-13
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
XorDDos, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Prestige Ransomware, Windows Persistence Techniques, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Water Gamayun, Windows Certificate Services, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path, Linux Auditd Cwd
|
T1546.004
|
TTP
|
QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Detect HTML Help URL in Command Line
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1218.001
|
TTP
|
Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Castle RAT, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware, 0bj3ctivity Stealer
|
2026-05-13
|
|
Linux System Network Discovery
|
Sysmon for Linux EventID 1, Osquery Results
|
T1016
|
Anomaly
|
Network Discovery, Industroyer2, VoidLink Cloud-Native Linux Malware, Data Destruction
|
2026-05-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-05-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows SpeechRuntime Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Crowdstrike Multiple LOW Severity Alerts
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Uninstall App Using MsiExec
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Ransomware
|
2026-05-13
|
|
Windows Curl Download to Suspicious Path
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1105
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, NPM Supply Chain Compromise, Black Basta Ransomware, IcedID, APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
ServicePrincipalNames Discovery with SetSPN
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Active Directory Discovery, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
CISA AA22-320A, Crypto Stealer, XMRig
|
2026-05-13
|
|
Windows Wmic DiskDrive Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Cisco NVM - Non-Network Binary Making Network Connection
|
Cisco Network Visibility Module Flow Data
|
T1036
T1055
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4662, Windows Event Log Security 4624
|
T1003.006
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Web or Application Server Spawning a Shell
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
T1133
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, SAP NetWeaver Exploitation, PHP-CGI RCE Attack on Japanese Organizations, Log4Shell CVE-2021-44228, Cleo File Transfer Software, HAFNIUM Group, CISA AA22-264A, ProxyShell, Microsoft WSUS CVE-2025-59287, Microsoft SharePoint Vulnerabilities, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Hermetic Wiper, ProxyNotShell, WS FTP Server Critical Vulnerabilities, Flax Typhoon, Data Destruction, CISA AA22-257A, BlackByte Ransomware, Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Docker Shell Execution
|
Sysmon for Linux EventID 1
|
T1059.013
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Privilege Escalation Attempt Via MSI Rollback
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
MOVEit Certificate Store Access Failure
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2026-05-13
|
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
T1560
|
Anomaly
|
CISA AA23-347A, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Shutdown
|
Linux Auditd Daemon End
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
T1558.003
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.007
|
Anomaly
|
FIN7, Qakbot, BlankGrabber Stealer, CISA AA22-277A, Gh0st RAT, Rhysida Ransomware, Medusa Ransomware, Gozi Malware, Tuoni, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Water Gamayun, DarkGate Malware, Volt Typhoon
|
2026-05-13
|
|
Windows Office Product Spawned Uncommon Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
TTP
|
FIN7, NjRAT, Trickbot, Warzone RAT, CVE-2023-21716 Word RTF Heap Corruption, Qakbot, MuddyWater, Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, IcedID, APT37 Rustonotto and FadeStealer, DarkCrystal RAT, PlugX, Remcos, AgentTesla, Compromised Windows Host
|
2026-05-13
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Active Directory Privilege Escalation, Gozi Malware
|
2026-05-13
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics, Suspicious Windows Registry Activities, Remcos, AgentTesla
|
2026-05-13
|
|
System Information Discovery Detection
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
TTP
|
BlankGrabber Stealer, Windows Discovery Techniques, NetSupport RMM Tool Abuse, Medusa Ransomware, Gozi Malware, LAMEHUG, BlackSuit Ransomware, SolarWinds WHD RCE Post Exploitation, Lotus Blossom Chrysalis Backdoor, Interlock Ransomware, Cleo File Transfer Software
|
2026-05-13
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
T1542.003
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1550.003
|
TTP
|
Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, CISA AA22-320A, Sandworm Tools, CISA AA23-347A
|
2026-05-13
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Malicious PowerShell, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
Windows Chromium Browser Launched with Small Window Size
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
TTP
|
Browser Hijacking
|
2026-05-13
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
T1649
|
Anomaly
|
Hellcat Ransomware, Windows Certificate Services
|
2026-05-13
|
|
Windows DISM Install PowerShell Web Access
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1548.002
|
TTP
|
CISA AA24-241A
|
2026-05-13
|
|
Rundll32 Shimcache Flush
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1112
|
TTP
|
Compromised Windows Host, Unusual Processes, Living Off The Land
|
2026-05-13
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569.002
|
Anomaly
|
Windows Service Abuse, NOBELIUM Group, Orangeworm Attack Group
|
2026-05-13
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
T1589.002
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows BootLoader Inventory
|
|
T1542.001
|
Hunting
|
Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Excessive Usage Of SC Service Utility
|
Sysmon EventID 1
|
T1569.002
|
Anomaly
|
Ransomware, Azorult, Crypto Stealer
|
2026-05-13
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 3, Sysmon EventID 1
|
T1218.011
|
TTP
|
Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, Suspicious Rundll32 Activity, Cactus Ransomware, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Related Service Stopped
|
Windows Event Log System 7036
|
T1490
|
Anomaly
|
Security Solution Tampering, Hellcat Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection Initiated via MsXsl
|
Cisco Network Visibility Module Flow Data
|
T1220
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AppX Deployment Package Installation Success
|
Windows Event Log AppXDeployment-Server 854
|
T1204.002
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows New EventLog ChannelAccess Registry Value Set
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-13
|
|
Windows LOLBAS Executed As Renamed File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1218.011
|
TTP
|
Water Gamayun, Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
T1027
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Data Protection
|
2026-05-13
|
|
Windows Unusual Process Load Mozilla NSS-Mozglue Module
|
Sysmon EventID 7
|
T1218.003
|
Anomaly
|
Quasar RAT, VIP Keylogger, Lokibot, 0bj3ctivity Stealer, StealC Stealer
|
2026-05-13
|
|
DNS Exfiltration Using Nslookup App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1048
|
TTP
|
Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic, Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd Data Destruction Command
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
Compromised Linux Host, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows System Shutdown CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1529
|
Anomaly
|
NjRAT, Scattered Lapsus$ Hunters, Quasar RAT, MuddyWater, MoonPeak, XWorm, ZOVWiper, Sandworm Tools, DarkCrystal RAT, DarkGate Malware
|
2026-05-13
|
|
Windows Attempt To Stop Security Service
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
Trickbot, Azorult, WhisperGate, Disabling Security Tools, Graceful Wipe Out Attack, Data Destruction
|
2026-05-13
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.001
|
TTP
|
Suspicious Compiled HTML Activity, Compromised Windows Host, APT37 Rustonotto and FadeStealer, Living Off The Land
|
2026-05-13
|
|
Excessive distinct processes from Windows Temp
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Ransomware Notes bulk creation
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
Clop Ransomware, Hellcat Ransomware, Rhysida Ransomware, LockBit Ransomware, DarkSide Ransomware, Medusa Ransomware, Black Basta Ransomware, Cactus Ransomware, NailaoLocker Ransomware, Interlock Ransomware, Termite Ransomware, BlackMatter Ransomware, Chaos Ransomware
|
2026-05-13
|
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
T1207
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
Hellcat Ransomware, Qakbot, Active Directory Lateral Movement, Living Off The Land, CISA AA23-347A
|
2026-05-13
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4662, Windows Event Log Security 4624
|
T1003.006
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 5136, Windows Event Log Security 4624
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Defacement Modify Transcodedwallpaper File
|
Sysmon EventID 11, Sysmon EventID 1
|
T1491
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
China-Nexus Threat Activity, Linux Rootkit, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-05-13
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2026-05-13
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Hellcat Ransomware, CISA AA22-257A, Scheduled Tasks, Malicious Inno Setup Loader, Cactus Ransomware, Industroyer2, Compromised Windows Host, Active Directory Discovery, Data Destruction
|
2026-05-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.013
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows System LogOff Commandline
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1529
|
Anomaly
|
Scattered Lapsus$ Hunters, NjRAT, XWorm, DarkCrystal RAT
|
2026-05-13
|
|
Windows InstallUtil Uninstall Option
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2026-05-13
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Lokibot, CISA AA23-347A, Credential Dumping, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect PsExec With accepteula Flag
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
|
TTP
|
SamSam Ransomware, HAFNIUM Group, VanHelsing Ransomware, Storm-0501 Ransomware, DHS Report TA18-074A, Rhysida Ransomware, DarkSide Ransomware, Medusa Ransomware, Active Directory Lateral Movement, IcedID, CISA AA22-320A, Sandworm Tools, BlackByte Ransomware, Cactus Ransomware, Seashell Blizzard, DarkGate Malware, Volt Typhoon
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
T1016
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Crowdstrike High Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Indirect Command Execution Via forfiles
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1202
|
TTP
|
Windows Post-Exploitation, Living Off The Land
|
2026-05-13
|
|
Windows MSIExec Unregister DLLRegisterServer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
Hunting
|
Lokibot, CISA AA23-347A, Credential Dumping, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Revil Registry Entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Ransomware, Windows Registry Abuse, Revil Ransomware
|
2026-05-13
|
|
Suspicious DLLHost no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2026-05-13
|
|
GetAdGroup with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
T1219
|
Anomaly
|
Command And Control, Seashell Blizzard, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Gozi Malware, Insider Threat, Scattered Spider, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Windows Eventlog Cleared Via Wevtutil
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.005
|
Anomaly
|
Clop Ransomware, Rhysida Ransomware, Windows Log Manipulation, ShrinkLocker, Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1218.005
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
|
Anomaly
|
NjRAT, Quasar RAT, APT37 Rustonotto and FadeStealer, Snake Keylogger, XWorm, Chaos Ransomware
|
2026-05-13
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-05-13
|
|
Windows Sqlservr Spawning Shell
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
T1685.005
|
Hunting
|
Ransomware, Clop Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd AI CLI Permission Override Activated
|
Linux Auditd Proctitle
|
T1480
|
Anomaly
|
QuietVault
|
2026-05-13
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla, Hellcat Ransomware, Snake Keylogger
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
XorDDos, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1127
|
Hunting
|
Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Living Off The Land, Trusted Developer Utilities Proxy Execution, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Credentials from Password Stores Creation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555
|
TTP
|
NetSupport RMM Tool Abuse, Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
Warzone RAT, Qakbot, IcedID
|
2026-05-13
|
|
Allow Network Discovery In Firewall
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1686.001
|
TTP
|
NjRAT, Hellcat Ransomware, Ransomware, Medusa Ransomware, BlackByte Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Disabling Task Manager
|
Sysmon EventID 13
|
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Potential System Network Configuration Discovery Activity
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1016
|
Anomaly
|
Unusual Processes
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.001
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows MSIExec Remote Download
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1218.007
|
Anomaly
|
SolarWinds WHD RCE Post Exploitation, Windows System Binary Proxy Execution MSIExec, Water Gamayun, StealC Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows ComputerDefaults Spawning a Process
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Castle RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows Remote Host Computer Management Access
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1021.006
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Check Elevated CMD using whoami
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
TTP
|
FIN7
|
2026-05-13
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Azorult, Windows RDP Artifacts and Defense Evasion, BlackSuit Ransomware, Medusa Ransomware
|
2026-05-13
|
|
Linux Deleting Critical Directory Using RM Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
Industroyer2, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1547.005
|
Anomaly
|
Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Hellcat Ransomware, Void Manticore, Living Off The Land, Suspicious Regsvcs Regasm Activity, Handala Wiper
|
2026-05-13
|
|
System Processes Run From Unexpected Locations
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
|
Anomaly
|
Qakbot, Unusual Processes, Masquerading - Rename System Utilities, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ransomware, DarkGate Malware, Suspicious Command-Line Executions
|
2026-05-13
|
|
Vbscript Execution Using Wscript App
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.005
|
TTP
|
FIN7, Remcos, AsyncRAT
|
2026-05-13
|
|
Windows Firewall Rule Modification
|
Windows Event Log Security 4947
|
T1686
|
Anomaly
|
NetSupport RMM Tool Abuse, Medusa Ransomware, ShrinkLocker
|
2026-05-13
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 13
|
T1553.003
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1071
|
TTP
|
Azorult
|
2026-05-13
|
|
Get DomainUser with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.002
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Crowdstrike User with Duplicate Password
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Registry Certificate Added
|
Sysmon EventID 13
|
T1553.004
|
Anomaly
|
Windows Drivers, Windows Registry Abuse
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
T1218.010
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows Indicator Removal Via Rmdir
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070
|
Anomaly
|
DarkGate Malware, ZOVWiper, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Disable Logs Using WevtUtil
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.005
|
TTP
|
Ransomware, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
T1555.004
|
Anomaly
|
Hellcat Ransomware, Meduza Stealer
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Devtunnels Image Loaded
|
Sysmon EventID 7
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows Delete or Modify System Firewall
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1686
|
Hunting
|
NjRAT, ShrinkLocker
|
2026-05-13
|
|
Detect Remote Access Software Usage Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1219
|
Anomaly
|
Command And Control, Seashell Blizzard, Storm-0501 Ransomware, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Gozi Malware, Insider Threat, Scattered Spider, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Windows Ngrok Reverse Proxy Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Abort
|
Linux Auditd Daemon Abort
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Process Injection Wermgr Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Scheduled Tasks, CISA AA24-241A, Active Directory Lateral Movement, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Detect Zerologon Attack, CISA AA22-264A, Scattered Lapsus$ Hunters, CISA AA22-257A, DarkSide Ransomware, Credential Dumping, CISA AA23-347A
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Cobalt Strike, Hellcat Ransomware, BlackByte Ransomware, Cactus Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
BCDEdit Failure Recovery Modification
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Void Manticore, Ryuk Ransomware, Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2026-05-13
|
|
Runas Execution in CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1134.001
|
Hunting
|
Windows Privilege Escalation, Hermetic Wiper, Quasar RAT, Data Destruction
|
2026-05-13
|
|
Allow File And Printing Sharing In Firewall
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1686.001
|
TTP
|
Ransomware, BlackByte Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1127.001
|
Hunting
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware, Masquerading - Rename System Utilities, Living Off The Land, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.010
T1059.001
|
Anomaly
|
Compromised Windows Host, Deobfuscate-Decode Files or Information
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
Malicious PowerShell, CISA AA22-264A, Hellcat Ransomware, CISA AA22-320A, Sandworm Tools, Scattered Spider, Hermetic Wiper, CISA AA23-347A, Data Destruction
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Active Directory Lateral Movement Identified
|
|
T1210
|
Correlation
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious mshta child process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
Lumma Stealer, MuddyWater, Living Off The Land, Suspicious MSHTA Activity
|
2026-05-13
|
|
BITS Job Persistence
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 13
|
T1685
|
TTP
|
Qakbot, Azorult, Windows Registry Abuse, IcedID, CISA AA23-347A
|
2026-05-13
|
|
Detect HTML Help Renamed
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.001
|
Hunting
|
Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Living Off The Land
|
2026-05-13
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
T1686
|
Anomaly
|
Industroyer2, Cyclops Blink, Data Destruction
|
2026-05-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
RedLine Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Certutil exe certificate extraction
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Cloud Federated Credential Abuse, Windows Persistence Techniques, Living Off The Land, Compromised Windows Host, Windows Certificate Services
|
2026-05-13
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
Anomaly
|
China-Nexus Threat Activity, HAFNIUM Group, BlankGrabber Stealer, Salt Typhoon, AsyncRAT, DHS Report TA18-074A, MuddyWater, APT37 Rustonotto and FadeStealer, DarkCrystal RAT, 0bj3ctivity Stealer, XWorm, Volt Typhoon
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
T1592.001
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Cisco NVM - Installation of Typosquatted Python Package
|
Cisco Network Visibility Module Flow Data
|
T1059
|
TTP
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
T1090
T1102
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Control Loading from World Writable Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.002
|
TTP
|
Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Rundll32 WebDAV Request
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1048.003
|
Hunting
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
Suspicious Rundll32 dllregisterserver
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Suspicious Rundll32 Activity, Living Off The Land, IcedID
|
2026-05-13
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Linux System Reboot Via System Request Key
|
Sysmon for Linux EventID 1
|
T1529
|
TTP
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Rundll32 WebDav With Network Connection
|
Sysmon EventID 3, Sysmon EventID 1
|
T1048.003
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
MacOS Gatekeeper Bypass
|
Osquery Results
|
T1553.001
|
Anomaly
|
MacOS Persistence Techniques, MacOS Privilege Escalation, MacOS Post-Exploitation
|
2026-05-13
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Detect Renamed RClone
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1020
|
Hunting
|
Ransomware, Cactus Ransomware, DarkSide Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
T1036.008
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, CISA AA22-320A, BlackByte Ransomware, APT37 Rustonotto and FadeStealer, Snake Keylogger, AgentTesla, Interlock Ransomware
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Qakbot, Windows Persistence Techniques, Scheduled Tasks, Castle RAT, Medusa Ransomware, SolarWinds WHD RCE Post Exploitation
|
2026-05-13
|
|
Linux Auditd Data Transfer Size Limits Via Split Syscall
|
Linux Auditd Syscall
|
T1030
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Renamed Powershell Execution
|
Sysmon EventID 1
|
T1036.003
|
TTP
|
Hellcat Ransomware, XWorm, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Malicious PowerShell, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Suspicious Reg exe Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1112
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
T1027
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Wmic Memory Chip Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Process With NetExec Command Line Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Screen Capture Via Powershell
|
Powershell Script Block Logging 4104
|
T1113
|
TTP
|
BlankGrabber Stealer, Water Gamayun, APT37 Rustonotto and FadeStealer, Winter Vivern
|
2026-05-13
|
|
Remote WMI Command Attempt
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Graceful Wipe Out Attack, IcedID, Living Off The Land, CISA AA23-347A, Suspicious WMI Use, Volt Typhoon
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 22, Sysmon EventID 7
|
T1203
|
TTP
|
NOBELIUM Group
|
2026-05-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
MacOS Keychains Dumped
|
Osquery Results
|
T1555.001
|
TTP
|
MacOS Privilege Escalation
|
2026-05-13
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1222.001
|
TTP
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Excessive Usage Of Cacls App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
|
Anomaly
|
XMRig, Prestige Ransomware, Azorult, Windows Post-Exploitation, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer
|
2026-05-13
|
|
Credential Dumping via Copy Command from Shadow Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, XWorm, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Rundll32 Control RunDLL World Writable Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
BlankGrabber Stealer, APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux Auditd Osquery Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2026-05-13
|
|
Windows EventLog Recon Activity Using Log Query Utilities
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1654
|
Anomaly
|
BlankGrabber Stealer, Windows Discovery Techniques
|
2026-05-13
|
|
Detect Renamed PSExec
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1569.002
|
Hunting
|
China-Nexus Threat Activity, HAFNIUM Group, SamSam Ransomware, VanHelsing Ransomware, Salt Typhoon, DHS Report TA18-074A, Rhysida Ransomware, DarkSide Ransomware, Medusa Ransomware, Active Directory Lateral Movement, CISA AA22-320A, BlackByte Ransomware, Sandworm Tools, Cactus Ransomware, DarkGate Malware
|
2026-05-13
|
|
WinRM Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1190
|
TTP
|
Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, CISA AA23-347A, Unusual Processes
|
2026-05-13
|
|
Windows Archive Collected Data via Rar
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1560.001
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
T1003.002
|
TTP
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
T1003.002
|
Hunting
|
Rhysida Ransomware, Credential Dumping, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows SQL Server xp_cmdshell Config Change
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
GetAdComputer with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Windows MSIExec Spawn Discovery Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
Anomaly
|
Windows System Binary Proxy Execution MSIExec, Water Gamayun, StealC Stealer, Medusa Ransomware
|
2026-05-13
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos client registry install entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Remcos, Windows Registry Abuse
|
2026-05-13
|
|
Resize ShadowStorage volume
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
VanHelsing Ransomware, Clop Ransomware, Medusa Ransomware, BlackByte Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows File and Directory Permissions Remove Inheritance
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1222.001
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Wmic Network Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows DNS Gather Network Info
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1590.002
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2026-05-13
|
|
Linux Auditd Clipboard Data Copy
|
Linux Auditd Execve
|
T1115
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land
|
2026-05-13
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Permission Modification using Takeown App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
|
Anomaly
|
Ransomware, Sandworm Tools, Crypto Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
T1070
|
TTP
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
NjRAT, BlankGrabber Stealer, Quasar RAT, Gozi Malware, RedLine Stealer, APT37 Rustonotto and FadeStealer, PromptFlux, Interlock Ransomware, Crypto Stealer, XWorm, Chaos Ransomware
|
2026-05-13
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Office Product Spawned MSDT
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows BitLockerToGo Process Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1218
|
Hunting
|
Lumma Stealer
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Malicious PowerShell, Hellcat Ransomware
|
2026-05-13
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
XorDDos, Linux Persistence Techniques, Linux Rootkit, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Office Product Loaded MSHTML Module
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
T1505.004
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components, WS FTP Server Critical Vulnerabilities
|
2026-05-13
|
|
Suspicious wevtutil Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.005
|
TTP
|
Storm-0501 Ransomware, Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VoidLink Cloud-Native Linux Malware, Windows Log Manipulation, Scattered Spider, ShrinkLocker, Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Windows Default Cobalt Strike PowerShell Beacon
|
Powershell Script Block Logging 4104
|
T1059.001
T1204.002
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
T1069.001
|
Anomaly
|
NjRAT
|
2026-05-13
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2026-05-13
|
|
Linux Auditd Private Keys and Certificate Enumeration
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
T1569.002
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Hellcat Ransomware, Suspicious WMI Use
|
2026-05-13
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Windows Browser Process Launched with Unusual Flags
|
Sysmon EventID 1
|
T1185
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Suspicious mshta spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows AI Platform DNS Query
|
Sysmon EventID 22
|
T1071.004
|
Anomaly
|
PromptFlux, LAMEHUG, SesameOp
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Qakbot, Earth Alux, Warzone RAT, Water Gamayun, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Scattered Lapsus$ Hunters, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Magic SysRq Key Abuse
|
Linux Auditd Path, Linux Auditd Cwd
|
T1059.004
T1489
T1499
T1529
|
TTP
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Identify Protocol Handlers
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows New Deny Permission Set On Service SD Via Sc.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1203
T1218
|
TTP
|
Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Azure Storage Utility Execution Via CLI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Windows InstallUtil in Non Standard Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1218.004
|
TTP
|
Unusual Processes, Masquerading - Rename System Utilities, Living Off The Land, Ransomware, WhisperGate, Signed Binary Proxy Execution InstallUtil, Data Destruction
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4887, Windows Event Log Security 4886
|
T1649
|
TTP
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Gdrive Binary Activity
|
Sysmon for Linux EventID 1
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Detect Network Scanner Behavior
|
Sysmon EventID 3
|
T1595.001
T1595.002
|
Anomaly
|
Network Discovery, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.014
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Windows RDP Server Registry Deletion
|
Sysmon EventID 13, Sysmon EventID 12
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, ShrinkLocker
|
2026-05-13
|
|
Windows Post Exploitation Risk Behavior
|
|
T1003
T1012
T1016
T1049
T1069
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Unusual SysWOW64 Process Run System32 Executable
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon
|
2026-05-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Revil Common Exec Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204
|
TTP
|
Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows RDP Cache File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
T1686
|
Anomaly
|
China-Nexus Threat Activity, Sandworm Tools, Backdoor Pingpong, Cyclops Blink
|
2026-05-13
|
|
Windows Network Share Interaction Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1039
T1135
|
Hunting
|
Network Discovery, Active Directory Discovery, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detect Regsvcs with No Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land
|
2026-05-13
|
|
XSL Script Execution With WMIC
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1220
|
TTP
|
FIN7, Suspicious WMI Use
|
2026-05-13
|
|
Windows Symlink Evaluation Change via Fsutil
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222.001
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
Windows Audit Policy Disabled via Legacy Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Ingress Tool Transfer Using Explorer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
T1685
|
TTP
|
WhisperGate, Data Destruction
|
2026-05-13
|
|
MacOS Account Created
|
Osquery Results
|
T1136
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows BitLocker Suspicious Command Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1486
T1490
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
T1563.002
|
Hunting
|
NetSupport RMM Tool Abuse, Active Directory Lateral Movement, BlackByte Ransomware, Windows RDP Artifacts and Defense Evasion, Interlock Ransomware
|
2026-05-13
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
T1564.004
|
TTP
|
Windows Persistence Techniques, Windows Post-Exploitation, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Industroyer2, Active Directory Discovery, Data Destruction
|
2026-05-13
|
|
Detect Remote Access Software Usage FileInfo
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Command And Control, Seashell Blizzard, Scattered Lapsus$ Hunters, Gozi Malware, Insider Threat, Scattered Spider, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1202
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1131, Windows Event Log Defender 1129, Windows Event Log Defender 1133
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
T1021.001
|
TTP
|
NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, BlackSuit Ransomware, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Command Obfuscation with Environment Variable Substrings
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.010
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Linux Data Destruction Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Hermetic Wiper, Compromised Windows Host, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Service Stop Win Updates
|
Windows Event Log System 7040
|
T1489
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
MacOS Data Chunking
|
Osquery Results
|
T1030
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Create Local Account
|
Windows Event Log Security 4720
|
T1136.001
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Password Spraying, CISA AA24-241A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
T1003.001
|
TTP
|
BlackSuit Ransomware, Credential Dumping, Lokibot
|
2026-05-13
|
|
Windows WBAdmin File Recovery From Backup
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
T1565.001
|
Anomaly
|
Credential Dumping
|
2026-05-13
|
|
FodHelper UAC Bypass
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1112
T1548.002
|
TTP
|
ValleyRAT, BlankGrabber Stealer, Windows Defense Evasion Tactics, IcedID, Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
T1505.004
T1685.001
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
T1115
|
Anomaly
|
BlankGrabber Stealer, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
TTP
|
Compromised Windows Host, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, AsyncRAT
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Industroyer2, XWorm, Winter Vivern, Salt Typhoon, AsyncRAT, Scheduled Tasks, IcedID, Malicious Inno Setup Loader, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware, 0bj3ctivity Stealer, Prestige Ransomware, Windows Persistence Techniques, Medusa Ransomware, Active Directory Lateral Movement, SystemBC, Remcos, CISA AA23-347A, Compromised Windows Host, Data Destruction, China-Nexus Threat Activity, ValleyRAT, Quasar RAT, CISA AA22-257A, Castle RAT, PlugX
|
2026-05-13
|
|
Remote Desktop Process Running On System
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.001
|
Hunting
|
Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware, Active Directory Lateral Movement
|
2026-05-13
|
|
MacOS Kextload Usage
|
Osquery Results
|
T1543
|
TTP
|
MacOS Privilege Escalation, MacOS Persistence Techniques
|
2026-05-13
|
|
Windows MpCmdRun RemoveDefinitions Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Rundll32 LockWorkStation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Anomalous usage of 7zip
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1560.001
|
Anomaly
|
Cobalt Strike, NOBELIUM Group, BlackByte Ransomware, BlackSuit Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Get-ForestTrust with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Processes Killed By Industroyer2 Malware
|
Sysmon EventID 5
|
T1489
|
Anomaly
|
Industroyer2, Data Destruction
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Storm-0501 Ransomware, Cobalt Strike, Trickbot, Hellcat Ransomware, Meterpreter, LockBit Ransomware, DarkSide Ransomware, Tuoni, Gozi Malware, BlackByte Ransomware, APT37 Rustonotto and FadeStealer, Remote Monitoring and Management Software, Graceful Wipe Out Attack, Brute Ratel C4
|
2026-05-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Earth Alux, Brute Ratel C4
|
2026-05-13
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
Hunting
|
CISA AA22-320A, Active Directory Discovery, Medusa Ransomware, Gozi Malware
|
2026-05-13
|
|
Hunting 3CXDesktopApp Software
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1195.002
|
Hunting
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Rootkit, Linux Post-Exploitation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 11
|
T1059
T1559.001
|
Hunting
|
Remcos
|
2026-05-13
|
|
Cisco Isovalent - Kprobe Spike
|
Cisco Isovalent Process Kprobe
|
T1068
|
Hunting
|
VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Certutil Root Certificate Addition
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1587.003
|
TTP
|
Secret Blizzard
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4726, Windows Event Log System 4720
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.003
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1552.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Scheduled Tasks, Medusa Ransomware, Active Directory Lateral Movement, Living Off The Land, Seashell Blizzard
|
2026-05-13
|
|
Windows NirSoft AdvancedRun
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1588.002
|
TTP
|
Ransomware, WhisperGate, Unusual Processes, Data Destruction
|
2026-05-13
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
CISA AA22-264A, CISA AA22-277A, BlackByte Ransomware, Scattered Spider, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
T1566.001
|
Anomaly
|
DarkGate Malware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
T1133
T1190
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Private Keys Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1552.004
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Phishing PDF File Executes URL Link
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1566.001
|
Anomaly
|
Spearphishing Attachments, Snake Keylogger, MuddyWater
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm, Brute Ratel C4
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
Remcos, AsyncRAT
|
2026-05-13
|
|
Windows WMI Process Call Create
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
Hunting
|
Qakbot, IcedID, Cactus Ransomware, CISA AA23-347A, Suspicious WMI Use, Volt Typhoon
|
2026-05-13
|
|
Windows ConHost with Headless Argument
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564.003
T1564.006
|
TTP
|
Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.011
|
TTP
|
Windows Persistence Techniques, Compromised Windows Host
|
2026-05-13
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
PowerShell Environment Variable Execution
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows Unusual FileZilla XML Config Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT
|
2026-05-13
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
T1218.011
|
TTP
|
Gh0st RAT, Living Off The Land, IcedID
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Suspicious PlistBuddy Usage via OSquery
|
Osquery Results
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Create Local Administrator Account Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1136.001
|
Anomaly
|
Scattered Lapsus$ Hunters, DHS Report TA18-074A, Azorult, CISA AA22-257A, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Medusa Ransomware, DarkGate Malware
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Hellcat Ransomware, Windows Persistence Techniques, Scheduled Tasks, Living Off The Land, Compromised Windows Host, Winter Vivern
|
2026-05-13
|
|
Windows Raw Access To Master Boot Record Drive
|
Sysmon EventID 9
|
T1561.002
|
TTP
|
NjRAT, CISA AA22-264A, Void Manticore, BlackByte Ransomware, Disk Wiper, Hermetic Wiper, Caddy Wiper, WhisperGate, Graceful Wipe Out Attack, PathWiper, Data Destruction
|
2026-05-13
|
|
Ryuk Wake on LAN Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, Ryuk Ransomware
|
2026-05-13
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
T1505.004
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows Masquerading Msdtc Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036
|
TTP
|
Compromised Windows Host, PlugX
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.003
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
Command And Control, Seashell Blizzard, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Gozi Malware, Insider Threat, Scattered Spider, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
T1537
|
Anomaly
|
Information Sabotage, Insider Threat, Hellcat Ransomware
|
2026-05-13
|
|
Windows SoftEther VPN Masquerading as Legitimate Binary
|
Sysmon EventID 1
|
T1036
T1572
|
TTP
|
Linux Persistence Techniques, Flax Typhoon, Linux Privilege Escalation
|
2026-05-13
|
|
MacOS List Firewall Rules
|
Osquery Results
|
T1016
|
Anomaly
|
Network Discovery
|
2026-05-13
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Process Commandline Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1057
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Bcdedit Command Back To Normal Mode Boot
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
BlackMatter Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-05-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
T1112
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
Anomaly
|
BlackSuit Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
T1115
|
Anomaly
|
Linux Living Off The Land
|
2026-05-13
|
|
Cisco Isovalent - Late Process Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
NjRAT, Rhysida Ransomware, GhostRedirector IIS Module and Rungan Backdoor, LockBit Ransomware, Void Manticore, VIP Keylogger, Cactus Ransomware, Meduza Stealer, Industroyer2, Qakbot, Salt Typhoon, AsyncRAT, MoonPeak, Azorult, PromptLock, IcedID, Earth Alux, AcidPour, Lokibot, Swift Slicer, Warzone RAT, WhisperGate, Handala Wiper, DarkGate Malware, Chaos Ransomware, Axios Supply Chain Post Compromise, Trickbot, Interlock Rat, XML Runner Loader, SystemBC, RedLine Stealer, Hermetic Wiper, DarkCrystal RAT, DynoWiper, Remcos, SnappyBee, CISA AA23-347A, Interlock Ransomware, Crypto Stealer, Brute Ratel C4, Data Destruction, China-Nexus Threat Activity, ValleyRAT, XMRig, Quasar RAT, Double Zero Destructor, WinDealer RAT, SesameOp, Castle RAT, BlackByte Ransomware, NailaoLocker Ransomware, Snake Keylogger, PlugX, Amadey, AgentTesla, Derusbi, Graceful Wipe Out Attack, Volt Typhoon
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Trickbot, Windows Persistence Techniques, Scheduled Tasks, Castle RAT, IcedID, Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Data Protection
|
2026-05-13
|
|
Crowdstrike User Weak Password Policy
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Cisco Isovalent - Curl Execution With Insecure Flags
|
Cisco Isovalent Process Exec
|
T1105
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Linux APT Privilege Escalation
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows System Network Connections Discovery Netsh
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1049
|
Anomaly
|
BlankGrabber Stealer, Prestige Ransomware, VIP Keylogger, Snake Keylogger, Windows Post-Exploitation
|
2026-05-13
|
|
Detect RClone Command-Line Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1020
|
TTP
|
Storm-0501 Ransomware, Hellcat Ransomware, DarkSide Ransomware, Black Basta Ransomware, Cactus Ransomware, Ransomware, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Get DomainPolicy with Powershell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Suspicious Linux Discovery Commands
|
Sysmon for Linux EventID 1
|
T1059.004
|
TTP
|
VoidLink Cloud-Native Linux Malware, Linux Post-Exploitation
|
2026-05-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 11, Sysmon EventID 1
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Impair Defenses Disable Auto Logger Session
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
SamSam Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Anomaly
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 12, Sysmon EventID 1
|
T1112
|
Anomaly
|
Double Zero Destructor, Data Destruction
|
2026-05-13
|
|
Linux Auditd Dd File Overwrite
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
Compromised Linux Host, Industroyer2, Data Destruction
|
2026-05-13
|
|
CSC Net On The Fly Compilation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.004
|
Hunting
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Process Kill Base On File Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
XMRig
|
2026-05-13
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Get WMIObject Group Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows DotNet Binary in Non Standard Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1218.004
|
TTP
|
Unusual Processes, Masquerading - Rename System Utilities, Ransomware, WhisperGate, Signed Binary Proxy Execution InstallUtil, Data Destruction
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Detect Certify Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
T1649
|
TTP
|
Ingress Tool Transfer, Compromised Windows Host, Windows Certificate Services
|
2026-05-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious Curl Network Connection
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Linux Living Off The Land, Silver Sparrow, APT37 Rustonotto and FadeStealer, Ingress Tool Transfer
|
2026-05-13
|
|
Windows Metasploit Confluence Plugin Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1059.001
T1105
|
Anomaly
|
Malicious PowerShell, GhostRedirector IIS Module and Rungan Backdoor, PHP-CGI RCE Attack on Japanese Organizations, StealC Stealer, XWorm, Winter Vivern, HAFNIUM Group, Phemedrone Stealer, Tuoni, IcedID, SolarWinds WHD RCE Post Exploitation, APT37 Rustonotto and FadeStealer, Microsoft WSUS CVE-2025-59287, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Hermetic Wiper, Ingress Tool Transfer, Data Destruction, NetSupport RMM Tool Abuse, NPM Supply Chain Compromise, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows PuTTY Suite Utility Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.004
|
Anomaly
|
Command And Control, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows User Deletion Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1531
|
Anomaly
|
DarkGate Malware, XMRig, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Service Execution RemCom
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1569.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Application Whitelisting Bypass Attempt via Rundll32
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land
|
2026-05-13
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
T1685
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows LOLBAS Executed Outside Expected Path
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.005
T1218.011
|
Anomaly
|
Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
CMD Carry Out String Command Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Hunting
|
NjRAT, Rhysida Ransomware, Log4Shell CVE-2021-44228, StealC Stealer, Winter Vivern, Qakbot, Gh0st RAT, AsyncRAT, Azorult, IcedID, Malicious Inno Setup Loader, Living Off The Land, Warzone RAT, WhisperGate, 0bj3ctivity Stealer, DarkGate Malware, Chaos Ransomware, Interlock Rat, RedLine Stealer, ProxyNotShell, Hermetic Wiper, DarkCrystal RAT, CISA AA23-347A, Crypto Stealer, Data Destruction, Quasar RAT, PlugX
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Data Destruction
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Attacker Tools On Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1003
T1036.005
T1595
|
TTP
|
SamSam Ransomware, CISA AA22-264A, XMRig, Unusual Processes, Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Domain Account Discovery with Dsquery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.002
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Office Product Dropped Uncommon File
|
Sysmon EventID 11, Sysmon EventID 1
|
T1566.001
|
Anomaly
|
FIN7, CVE-2023-21716 Word RTF Heap Corruption, AgentTesla, PlugX, Warzone RAT, Compromised Windows Host
|
2026-05-13
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
T1087.001
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Icacls Deny Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
|
Anomaly
|
XMRig, Azorult, Sandworm Tools, Defense Evasion or Unauthorized Access Via SDDL Tampering, Compromised Windows Host, Crypto Stealer
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Compromised Windows Host, Windows Privilege Escalation
|
2026-05-13
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Water Gamayun, Qakbot
|
2026-05-13
|
|
Windows Raw Access To Disk Volume Partition
|
Sysmon EventID 9
|
T1561.002
|
Anomaly
|
NjRAT, CISA AA22-264A, Void Manticore, BlackByte Ransomware, Disk Wiper, Hermetic Wiper, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, Data Destruction
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, BlankGrabber Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
T1222.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
IcedID Exfiltrated Archived File Creation
|
Sysmon EventID 11
|
T1560.001
|
Hunting
|
APT37 Rustonotto and FadeStealer, IcedID
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows WMI Reconnaissance Class Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Suspicious IcedID Rundll32 Cmdline
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1134.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
T1200
|
Anomaly
|
AwfulShred, Scattered Lapsus$ Hunters, Data Destruction
|
2026-05-13
|
|
Windows Debugger Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036
|
Hunting
|
DarkGate Malware, PlugX
|
2026-05-13
|
|
First Time Seen Child Process of Zoom
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
Anomaly
|
Suspicious Zoom Child Processes
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
NjRAT, Rhysida Ransomware, CISA AA24-241A, PlugX, XWorm, Winter Vivern, Phemedrone Stealer, Qakbot, Salt Typhoon, AsyncRAT, Scheduled Tasks, Azorult, MoonPeak, Lokibot, SolarWinds WHD RCE Post Exploitation, APT37 Rustonotto and FadeStealer, Living Off The Land, 0bj3ctivity Stealer, Trickbot, Prestige Ransomware, DHS Report TA18-074A, Windows Persistence Techniques, Medusa Ransomware, RedLine Stealer, DarkCrystal RAT, Remcos, CISA AA23-347A, China-Nexus Threat Activity, ValleyRAT, Quasar RAT, CISA AA22-257A, NetSupport RMM Tool Abuse, NOBELIUM Group, Sandworm Tools, Scattered Spider, Amadey, ShrinkLocker, AgentTesla
|
2026-05-13
|
|
Windows AppLocker Block Events
|
|
T1218
|
Anomaly
|
Windows AppLocker
|
2026-05-13
|
|
Windows Raccine Scheduled Task Deletion
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows File Collection Via Copy Utilities
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1119
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Prevent Automatic Repair Mode using Bcdedit
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
Ransomware, Void Manticore, Chaos Ransomware
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
China-Nexus Threat Activity, NjRAT, Salt Typhoon, Earth Alux, SolarWinds WHD RCE Post Exploitation, Warzone RAT, Derusbi
|
2026-05-13
|
|
Windows SQL Spawning CertUtil
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
|
TTP
|
SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation, Flax Typhoon
|
2026-05-13
|
|
Windows Short Lived DNS Record
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Server Software Component GACUtil Install to GAC
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Script Execution via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Scattered Spider, Suspicious WMI Use
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, IcedID
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 3, Sysmon EventID 1
|
T1055
|
TTP
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, BlackByte Ransomware, Earth Alux, Cactus Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
T1136.001
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
T1047
|
Anomaly
|
Water Gamayun, Qakbot
|
2026-05-13
|
|
Windows Set Account Password Policy To Unlimited Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1489
|
Anomaly
|
Ransomware, BlackByte Ransomware, Crypto Stealer, XMRig
|
2026-05-13
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
T1053.005
|
Hunting
|
CISA AA24-241A, Industroyer2, Winter Vivern, Qakbot, AsyncRAT, Scheduled Tasks, IcedID, Malicious Inno Setup Loader, BlackSuit Ransomware, SolarWinds WHD RCE Post Exploitation, Prestige Ransomware, Windows Persistence Techniques, SystemBC, DarkCrystal RAT, Remcos, Data Destruction, ValleyRAT, CISA AA22-257A, Sandworm Tools, Amadey, PlugX
|
2026-05-13
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.001
|
TTP
|
Water Gamayun, Compromised Windows Host, Qakbot
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
Industroyer2, AcidPour, Data Destruction
|
2026-05-13
|
|
Windows System Discovery Using Qwinsta
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Qakbot
|
2026-05-13
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Wmic NonInteractive App Uninstallation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Hunting
|
Azorult, IcedID
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
T1105
|
Anomaly
|
NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land
|
2026-05-13
|
|
Windows WinDBG Spawning AutoIt3
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 3, Sysmon EventID 1
|
T1055
|
TTP
|
Cobalt Strike, Hellcat Ransomware, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Get ADUser with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.002
|
Hunting
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Headless Browser Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
T1564.003
|
Anomaly
|
Browser Hijacking, Forest Blizzard
|
2026-05-13
|
|
Detect Regasm with no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Void Manticore, Handala Wiper, Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Protocol Tunneling with Plink
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.004
T1572
|
TTP
|
CISA AA22-257A
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Snake Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows Visual Basic Commandline Compiler DNSQuery
|
Sysmon EventID 22
|
T1071.004
|
TTP
|
Lokibot
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
MOVEit Transfer Critical Vulnerability, Hellcat Ransomware
|
2026-05-13
|
|
Network Discovery Using Route Windows App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1016.001
|
Hunting
|
Qakbot, Prestige Ransomware, CISA AA22-277A, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
Cisco Isovalent - Pods Running Offensive Tools
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PowerShell Process With Malicious String
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell, Hellcat Ransomware, AsyncRAT, 0bj3ctivity Stealer, VIP Keylogger, Hermetic Wiper, Axios Supply Chain Post Compromise, AgentTesla, Winter Vivern, Data Destruction
|
2026-05-13
|
|
Detect SharpHound Command-Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, BlackSuit Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows High File Deletion Frequency
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
Anomaly
|
Interlock Ransomware, Clop Ransomware, Void Manticore, Medusa Ransomware, ZOVWiper, Black Basta Ransomware, Sandworm Tools, NailaoLocker Ransomware, Swift Slicer, DarkCrystal RAT, APT37 Rustonotto and FadeStealer, DynoWiper, WhisperGate, Handala Wiper, Data Destruction
|
2026-05-13
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
T1548
|
TTP
|
Ransomware, Azorult, MoonPeak, Windows Registry Abuse
|
2026-05-13
|
|
Windows PowerShell Script From WindowsApps Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
T1204.002
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Windows Netspy Network Scanner Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
T1595
|
Anomaly
|
Network Discovery, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Theme File Creation in Unusual Location
|
Sysmon EventID 11
|
T1021.002
T1187
T1557.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
Anomaly
|
Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services
|
2026-05-13
|
|
Common Ransomware Extensions
|
Sysmon EventID 11
|
T1485
|
TTP
|
SamSam Ransomware, Clop Ransomware, Prestige Ransomware, Rhysida Ransomware, LockBit Ransomware, Medusa Ransomware, Black Basta Ransomware, Ryuk Ransomware, NailaoLocker Ransomware, Ransomware, Interlock Ransomware, Termite Ransomware
|
2026-05-13
|
|
Shai-Hulud 2 Exfiltration Artifact Files
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1074.001
T1195.002
T1552.001
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows AppLocker Rare Application Launch Detection
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
SamSam Ransomware, HAFNIUM Group, VanHelsing Ransomware, DHS Report TA18-074A, Rhysida Ransomware, DarkSide Ransomware, Medusa Ransomware, Active Directory Lateral Movement, IcedID, CISA AA22-320A, BlackByte Ransomware, Sandworm Tools, Cactus Ransomware, Seashell Blizzard, DarkGate Malware, Volt Typhoon
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Password Managers Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555.005
|
Anomaly
|
Scattered Spider, Scattered Lapsus$ Hunters, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Chromium Process Loaded Extension via Command-Line
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Remcos
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows MMC Loaded Script Engine DLL
|
Sysmon EventID 7
|
T1620
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Microsoft Defender ATP Alerts
|
MS Defender ATP Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2026-05-13
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505.004
|
Anomaly
|
IIS Components
|
2026-05-13
|
|
Clear Unallocated Sector Using Cipher App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070.004
|
TTP
|
Ransomware, Scattered Spider, Compromised Windows Host
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
T1649
|
Anomaly
|
Sandworm Tools, CISA AA23-347A, Windows Certificate Services
|
2026-05-13
|
|
Samsam Test File Write
|
Sysmon EventID 11
|
T1486
|
TTP
|
SamSam Ransomware
|
2026-05-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
TTP
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
T1003.008
|
Anomaly
|
China-Nexus Threat Activity, XorDDos, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Stop Services
|
Linux Auditd Service Stop
|
T1489
|
Hunting
|
Compromised Linux Host, Industroyer2, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows System Remote Discovery With Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1033
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Creation of Shadow Copy with wmic and powershell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host, Living Off The Land, Volt Typhoon
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
CISA AA23-347A, Water Gamayun, Hellcat Ransomware
|
2026-05-13
|
|
Headless Browser Mockbin or Mocky Request
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
SLUI RunAs Elevated
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Hellcat Ransomware, Living Off The Land
|
2026-05-13
|
|
Windows Disable or Modify Tools Via Taskkill
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
PXA Stealer, NjRAT, Crypto Stealer, BlankGrabber Stealer
|
2026-05-13
|
|
Windows MSTSC RDP Commandline
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Medusa Ransomware
|
2026-05-13
|
|
Windows SQL Server Critical Procedures Enabled
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
FIN7, Microsoft WSUS CVE-2025-59287, Qakbot, Azorult, Netsh Abuse, Windows Defense Evasion Tactics, Sandworm Tools, Windows Post-Exploitation, DarkCrystal RAT, CISA AA23-347A, Disabling Security Tools, Volt Typhoon
|
2026-05-13
|
|
Windows PowerView Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Void Manticore, Windows Drivers
|
2026-05-13
|
|
Windows File Association Modification via Ftype
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Anomaly
|
Windows File Extension and Association Abuse
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.002
|
TTP
|
Scheduled Tasks, 0bj3ctivity Stealer, Living Off The Land, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Bypass UAC via Pkgmgr Tool
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1018
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Esentutl SAM Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.002
|
Hunting
|
Credential Dumping, Living Off The Land
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
Qakbot, Azorult, Spearphishing Attachments, Gozi Malware, IcedID, APT37 Rustonotto and FadeStealer, Amadey, Warzone RAT, Remcos, AgentTesla, Brute Ratel C4
|
2026-05-13
|
|
Windows Remote Service Rdpwinst Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.001
|
TTP
|
Azorult, Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Remote Process Instantiation via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, Void Manticore, Active Directory Lateral Movement, Ransomware, CISA AA23-347A, Suspicious WMI Use
|
2026-05-13
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Archived Collected Data In TEMP Folder
|
Sysmon EventID 11
|
T1560
|
Anomaly
|
Braodo Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 3, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1218.004
|
Anomaly
|
Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Cisco Network Visibility Module Analytics, Living Off The Land
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Windows Persistence Techniques, Malicious PowerShell
|
2026-05-13
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
T1036.004
|
Hunting
|
Sandworm Tools, Cyclops Blink
|
2026-05-13
|
|
Dump LSASS via comsvcs DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.001
|
TTP
|
HAFNIUM Group, CISA AA22-264A, Scattered Lapsus$ Hunters, Data Destruction, Prestige Ransomware, CISA AA22-257A, Hellcat Ransomware, Credential Dumping, Suspicious Rundll32 Activity, Living Off The Land, Industroyer2, Compromised Windows Host, Flax Typhoon, Volt Typhoon
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Hermetic Wiper, CISA AA23-347A, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows Process Accessing Windows Recall Directory
|
Windows Event Log Security 4663
|
T1059
T1119
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
File with Samsam Extension
|
Sysmon EventID 11
|
N/A
|
TTP
|
SamSam Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2026-05-13
|
|
SilentCleanup UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
MoonPeak, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual File Creation in Confluence Directory
|
Sysmon EventID 11
|
T1190
T1608.001
T1608.002
|
Anomaly
|
Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Windows Computer Account Changed to Domain Controller
|
Windows Event Log Security 4742
|
T1136.002
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
NetSupport RMM Tool Abuse, CISA AA24-241A, ShrinkLocker
|
2026-05-13
|
|
Linux Curl Upload File
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise, Data Exfiltration
|
2026-05-13
|
|
Change To Safe Mode With Network Config
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1490
|
TTP
|
BlackMatter Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Detect MSHTA Url in Command Line
|
Windows Event Log Security 4688, Sysmon EventID 1, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
Lumma Stealer, NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity, Cisco Network Visibility Module Analytics, Compromised Windows Host, XWorm
|
2026-05-13
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
T1021.002
|
TTP
|
VanHelsing Ransomware, Trickbot, Prestige Ransomware, Active Directory Lateral Movement, IcedID, BlackSuit Ransomware, Hermetic Wiper, Industroyer2, Compromised Windows Host, Graceful Wipe Out Attack, Data Destruction
|
2026-05-13
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Product Key Registry Query
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
High Process Termination Frequency
|
Sysmon EventID 5
|
T1486
|
Anomaly
|
Clop Ransomware, Hellcat Ransomware, Rhysida Ransomware, LockBit Ransomware, Medusa Ransomware, BlackByte Ransomware, NailaoLocker Ransomware, Snake Keylogger, Interlock Ransomware, Termite Ransomware, Crypto Stealer
|
2026-05-13
|
|
Windows DiskCryptor Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1486
|
Hunting
|
Ransomware
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Service Create with Tscon
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
GetDomainGroup with PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Detect Certipy File Modifications
|
Sysmon EventID 11
|
T1560
T1649
|
TTP
|
Ingress Tool Transfer, Windows Certificate Services, Data Exfiltration
|
2026-05-13
|
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 11, Sysmon EventID 1
|
T1113
|
TTP
|
Remcos, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
T1546.012
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Cloud Federated Credential Abuse, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
China-Nexus Threat Activity, Gh0st RAT, Salt Typhoon, Crypto Stealer, Windows Persistence Techniques, Windows Registry Abuse, Active Directory Lateral Movement, SolarWinds WHD RCE Post Exploitation, Suspicious Windows Registry Activities, PlugX, SnappyBee, CISA AA23-347A, Derusbi, Brute Ratel C4
|
2026-05-13
|
|
Windows ESX Admins Group Creation via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows DISM Remove Defender
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Fsutil Zeroing File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070
|
TTP
|
Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
T1218
|
TTP
|
Windows AppLocker
|
2026-05-13
|
|
MacOS Log Removal
|
Osquery Results
|
T1070
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery, Winter Vivern
|
2026-05-13
|
|
Windows Impair Defense Add Xml Applocker Rules
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Hunting
|
Azorult
|
2026-05-13
|
|
Windows User Discovery Via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.001
|
Hunting
|
Sandworm Tools, Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Microsoft Defender Incident Alerts
|
MS365 Defender Incident Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Malicious PowerShell, Water Gamayun
|
2026-05-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
T1547.008
|
TTP
|
Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Spawning Rundll32
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1547.012
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Service Stop By Deletion
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1489
|
Hunting
|
Azorult, Crypto Stealer, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1014
T1082
|
Anomaly
|
XorDDos, Linux Rootkit
|
2026-05-13
|
|
Detect AzureHound Command-Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Microsoft WSUS CVE-2025-59287, Malicious PowerShell, CISA AA23-347A, Hermetic Wiper, Interlock Ransomware, Data Destruction
|
2026-05-13
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Malicious Inno Setup Loader, Qakbot, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
T1005
|
TTP
|
Lokibot, IcedID
|
2026-05-13
|
|
Windows Rdp AutomaticDestinations Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Chromium Browser with Custom User Data Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
Anomaly
|
Malicious Inno Setup Loader, Lokibot, StealC Stealer
|
2026-05-13
|
|
Windows NirSoft Utilities
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1588.002
|
Hunting
|
WhisperGate, Data Destruction
|
2026-05-13
|
|
Linux Auditd Hidden Files And Directories Creation
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows Potential Web Shell Creation For VMware Workspace ONE
|
Sysmon EventID 11
|
T1505.003
|
Anomaly
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Server Side Injection and Privilege Escalation, VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Detect SharpHound Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Start
|
Linux Auditd Daemon Start
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
T1087.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Windows Explorer LNK Exploit Process Launch With Padding
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
TTP
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
T1059.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
China-Nexus Threat Activity, Clop Ransomware, Qakbot, Salt Typhoon, Crypto Stealer, Gh0st RAT, Active Directory Lateral Movement, Snake Malware, APT37 Rustonotto and FadeStealer, PlugX, CISA AA23-347A, Derusbi, Flax Typhoon, Brute Ratel C4
|
2026-05-13
|
|
Cisco NVM - Rclone Execution With Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1567.002
|
Anomaly
|
Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 3, Sysmon EventID 1
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1125, Windows Event Log Defender 1134, Windows Event Log Defender 1122, Windows Event Log Defender 1131, Windows Event Log Defender 5007, Windows Event Log Defender 1129, Windows Event Log Defender 1133
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Credential Dumping via Symlink to Shadow Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify System Firewall with Notable Process Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1686
|
TTP
|
NjRAT, Compromised Windows Host, Medusa Ransomware
|
2026-05-13
|
|
Crowdstrike Medium Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows WinPEAS PowerShell Script Execution
|
Powershell Script Block Logging 4104
|
T1007
T1016
T1033
T1082
T1590
T1592.002
T1592.004
T1615
|
TTP
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
T1003
T1219
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Local Account Discovery With Wmic
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1087.001
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows WMIC Shadowcopy Delete
|
Sysmon EventID 1
|
T1490
|
Anomaly
|
Cactus Ransomware, Suspicious WMI Use, Volt Typhoon
|
2026-05-13
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1569.002
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Ryuk Test Files Detected
|
Sysmon EventID 11
|
T1486
|
TTP
|
Ryuk Ransomware
|
2026-05-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2026-05-13
|
|
Local LLM Framework DNS Query
|
Sysmon EventID 22
|
T1590
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
CISA AA22-320A, BlackByte Ransomware, BlackSuit Ransomware, AgentTesla, Windows Drivers
|
2026-05-13
|
|
Cisco NVM - Webserver Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1105
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
T1187
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2026-05-13
|
|
Cisco Isovalent - Potential Escape to Host
|
Cisco Isovalent Process Exec
|
T1611
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Verclsid CLSID Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.012
|
Hunting
|
Unusual Processes
|
2026-05-13
|
|
Disable AMSI Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Ransomware, CISA AA23-347A, Windows Registry Abuse
|
2026-05-13
|
|
Linux Medusa Rootkit
|
Sysmon for Linux EventID 11
|
T1014
T1589.001
|
TTP
|
China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Medusa Rootkit, Hellcat Ransomware
|
2026-05-13
|
|
Windows CrowdStrike Agent Registry Key Removal
|
Sysmon EventID 12
|
T1685
|
Anomaly
|
Security Solution Tampering, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows SOAPHound Binary Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Credential Target Information Structure in Commandline
|
Sysmon EventID 1
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Linux Stop Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
Industroyer2, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows EDRSilencer Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.006
|
TTP
|
CISA AA24-241A, Active Directory Lateral Movement, Hellcat Ransomware
|
2026-05-13
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Audit Policy Disabled via Auditpol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Suspicious SQLite3 LSQuarantine Behavior
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1074
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Nishang PowershellTCPOneLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
TTP
|
HAFNIUM Group, Cleo File Transfer Software
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Windows RDP File Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.001
T1598.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Interlock Ransomware, Spearphishing Attachments
|
2026-05-13
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA22-264A, Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics, Ryuk Ransomware, SolarWinds WHD RCE Post Exploitation, RedLine Stealer, CISA AA23-347A
|
2026-05-13
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell Script TabExpansion Direct Call
|
Powershell Script Block Logging 4104
|
T1059.001
T1129
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Hunting for Log4Shell
|
Nginx Access
|
T1133
T1190
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows IIS Server PSWA Console Access
|
Windows IIS
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Zscaler Exploit Threat Blocked
|
|
T1566
|
TTP
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Zscaler Malware Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Web Remote ShellServlet Access
|
Nginx Access
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Zscaler Behavior Analysis Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
SAP NetWeaver Visual Composer Exploitation Attempt
|
Suricata
|
T1190
|
Hunting
|
SAP NetWeaver Exploitation
|
2026-05-13
|
|
Unusually Long Content-Type Length
|
|
N/A
|
Anomaly
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1133
T1190
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Zscaler Phishing Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats, Hellcat Ransomware
|
2026-05-13
|
|
Tomcat Session Deserialization Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Zscaler Scam Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Cisco IOS XE Implant Access
|
Suricata
|
T1190
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2026-05-13
|
|
Zscaler Virus Download threat blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Zscaler Potentially Abused File Download
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Adobe ColdFusion Access Control Bypass
|
Suricata
|
T1190
|
Anomaly
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-05-13
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
Adobe ColdFusion Unauthenticated Arbitrary File Read
|
Suricata
|
T1190
|
Anomaly
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-05-13
|
|
Zscaler Employment Search Web Activity
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Duplicated Header
|
Suricata
|
T1071.001
T1190
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Ivanti EPM Vulnerabilities
|
2026-05-13
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A
|
2026-05-13
|
|
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
|
Suricata
|
T1190
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Detect Web Access to Decommissioned S3 Bucket
|
AWS Cloudfront
|
T1485
|
Anomaly
|
AWS S3 Bucket Security Monitoring, Data Destruction
|
2026-05-13
|
|
Ivanti Connect Secure SSRF in SAML Component
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities
|
2026-05-13
|
|
Supernova Webshell
|
|
T1133
T1505.003
|
TTP
|
Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, NOBELIUM Group
|
2026-05-13
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1133
T1190
|
TTP
|
BlackByte Ransomware, ProxyShell, ProxyNotShell, Seashell Blizzard
|
2026-05-13
|
|
JetBrains TeamCity RCE Attempt
|
Suricata
|
T1190
|
TTP
|
CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1133
T1190
|
Correlation
|
Seashell Blizzard, ProxyShell, ProxyNotShell
|
2026-05-13
|
|
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1133
T1190
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
SamSam Ransomware, JBoss Vulnerability
|
2026-05-13
|
|
High Volume of Bytes Out to Url
|
Nginx Access
|
T1567
|
Anomaly
|
Hellcat Ransomware, Data Exfiltration
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
WS FTP Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities
|
2026-05-13
|
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A
|
2026-05-13
|
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
T1190
|
TTP
|
Seashell Blizzard, Hellcat Ransomware, Scattered Lapsus$ Hunters, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
Tomcat Session File Upload Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Microsoft SharePoint Server Elevation of Privilege
|
Suricata
|
T1068
|
Anomaly
|
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
|
2026-05-13
|
|
Detect F5 TMUI RCE CVE-2020-5902
|
|
T1190
|
TTP
|
F5 TMUI RCE CVE-2020-5902
|
2026-05-13
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2026-05-13
|
|
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
|
Suricata
|
T1190
|
Anomaly
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
SQL Injection with Long URLs
|
|
T1190
|
TTP
|
SQL Injection, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Detect Remote Access Software Usage URL
|
Palo Alto Network Threat
|
T1219
|
Anomaly
|
Command And Control, Scattered Lapsus$ Hunters, CISA AA24-241A, Insider Threat, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
F5 TMUI Authentication Bypass
|
Suricata
|
N/A
|
TTP
|
F5 Authentication Bypass with TMUI
|
2026-05-13
|
|
HTTP Request to Reserved Name on IIS Server
|
Suricata
|
T1071.001
T1190
|
TTP
|
HTTP Request Smuggling
|
2026-05-13
|
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, Jenkins Server Vulnerabilities
|
2026-05-13
|
|
Citrix ADC Exploitation CVE-2023-3519
|
Palo Alto Network Threat
|
T1190
|
Hunting
|
CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519
|
2026-05-13
|
|
Confluence Data Center and Server Privilege Escalation
|
Nginx Access
|
T1190
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware
|
2026-05-13
|
|
Monitor Web Traffic For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring
|
2026-05-13
|
|
Ivanti Connect Secure System Information Access via Auth Bypass
|
Suricata
|
T1190
|
Anomaly
|
Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A
|
2026-05-13
|
|
Citrix ShareFile Exploitation CVE-2023-24489
|
Suricata
|
T1190
|
Hunting
|
Citrix ShareFile RCE CVE-2023-24489
|
2026-05-13
|
|
Java Class File download by Java User Agent
|
Splunk Stream HTTP
|
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1133
T1190
T1505.003
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2026-05-13
|
|
Citrix ADC and Gateway Unauthorized Data Disclosure
|
Suricata
|
T1190
|
TTP
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1133
T1190
T1505
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities, Atlassian Confluence Server and Data Center CVE-2022-26134
|
2026-05-13
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1059.001
T1059.003
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
Plain HTTP POST Exfiltrated Data
|
Splunk Stream HTTP
|
T1048.003
|
TTP
|
Command And Control, Data Exfiltration, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Detect malicious requests to exploit JBoss servers
|
|
N/A
|
TTP
|
SamSam Ransomware, JBoss Vulnerability
|
2026-05-13
|
|
Zscaler Adware Activities Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Rapid POST with Mixed Status Codes
|
Nginx Access
|
T1071.001
T1190
T1595
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
CrushFTP Max Simultaneous Users From IP
|
CrushFTP
|
T1110.001
T1110.004
|
Anomaly
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Web JSP Request via URL
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Earth Alux, Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities
|
2026-05-13
|
|
WordPress Bricks Builder plugin RCE
|
Nginx Access
|
T1190
|
TTP
|
WordPress Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
Hellcat Ransomware, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
T1133
T1190
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Zscaler Legal Liability Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Possible Request Smuggling
|
Suricata
|
T1071.001
|
TTP
|
HTTP Request Smuggling
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
T1133
T1190
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Multiple Archive Files Http Post Traffic
|
Splunk Stream HTTP
|
T1048.003
|
TTP
|
Command And Control, Hellcat Ransomware, Data Exfiltration, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
ESXi Syslog Config Change
|
VMWare ESXi Syslog
|
T1690
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - Device File Copy to Remote Location
|
Cisco ASA Logs
|
T1005
T1041
T1048.003
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi Bulk VM Termination
|
VMWare ESXi Syslog
|
T1499
T1529
T1673
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi Lockdown Mode Disabled
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi Loghost Config Tampering
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Multiple Accounts Locked Out
|
Okta
|
T1110
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Cisco ASA - Logging Disabled via CLI
|
Cisco ASA Logs
|
T1685
|
TTP
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
ESXi Encryption Settings Modified
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi Firewall Disabled
|
VMWare ESXi Syslog
|
T1686
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556.006
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
T1110.003
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
ESXi SSH Brute Force
|
VMWare ESXi Syslog
|
T1110
|
Anomaly
|
ESXi Post Compromise, Hellcat Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
ESXi Sensitive Files Accessed
|
VMWare ESXi Syslog
|
T1003.008
T1005
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
T1539
|
Anomaly
|
Scattered Lapsus$ Hunters, Okta Account Takeover, Suspicious Okta Activity
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Zoom Rare Input Devices
|
|
T1123
|
Hunting
|
Remote Employment Fraud
|
2026-05-13
|
|
ESXi Shell Access Enabled
|
VMWare ESXi Syslog
|
T1021
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account, Active Directory Password Spraying
|
2026-05-13
|
|
Splunk AppDynamics Secure Application Alerts
|
Splunk AppDynamics Secure Application Alert
|
N/A
|
Anomaly
|
Critical Alerts
|
2026-05-13
|
|
Cisco Duo Policy Allow Devices Without Screen Lock
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi SSH Enabled
|
VMWare ESXi Syslog
|
T1021.004
|
TTP
|
ESXi Post Compromise, Hellcat Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
M365 Copilot Failed Authentication Patterns
|
M365 Copilot Graph API
|
T1110
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
M365 Copilot Non Compliant Devices Accessing M365 Copilot
|
M365 Copilot Graph API
|
T1685
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Flash
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Country
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco AI Defense Security Alerts by Application Name
|
Cisco AI Defense Alerts
|
N/A
|
Anomaly
|
Critical Alerts
|
2026-05-13
|
|
MCP Sensitive System File Search
|
MCP Server
|
T1552.001
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
M365 Copilot Jailbreak Attempts
|
M365 Exported eDiscovery Prompts
|
T1685
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
T1190
|
TTP
|
Ivanti Virtual Traffic Manager CVE-2024-7593, Hellcat Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - User Account Deleted From Local Database
|
Cisco ASA Logs
|
T1070.008
T1531
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco ASA - AAA Policy Tampering
|
Cisco ASA Logs
|
T1556.004
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Okta New Device Enrolled on Account
|
Okta
|
T1098.005
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Email servers sending high volume traffic to hosts
|
|
T1114.002
|
Anomaly
|
HAFNIUM Group, Collection and Staging
|
2026-05-13
|
|
No Windows Updates in a time frame
|
|
N/A
|
Hunting
|
Monitor for Updates
|
2026-05-13
|
|
Cisco Duo Bypass Code Generation
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
MCP Github Suspicious Operation
|
MCP Server
|
T1552.001
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
Cisco ASA - Logging Message Suppression
|
Cisco ASA Logs
|
T1070
T1685.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
Cisco ASA - Reconnaissance Command Activity
|
Cisco ASA Logs
|
T1082
T1590.001
T1590.005
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco Duo Policy Skip 2FA for Other Countries
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta IDP Lifecycle Modifications
|
Okta
|
T1087.004
|
Anomaly
|
Suspicious Okta Activity
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Ollama Abnormal Service Crash Availability Attack
|
Ollama Server
|
T1489
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
ESXi Reverse Shell Patterns
|
VMWare ESXi Syslog
|
T1059
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Email Attachments With Lots Of Spaces
|
|
T1036.008
T1566.001
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Suspicious Emails, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Ollama Possible Memory Exhaustion Resource Abuse
|
Ollama Server
|
T1499
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Ollama Possible RCE via Model Loading
|
Ollama Server
|
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Detect HTML Help Spawn Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.001
|
TTP
|
Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Living Off The Land, AgentTesla, Compromised Windows Host
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi System Clock Manipulation
|
VMWare ESXi Syslog
|
T1070.006
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - Core Syslog Message Volume Drop
|
Cisco ASA Logs
|
T1685
|
Hunting
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
Zoom Rare Audio Devices
|
|
T1123
|
Hunting
|
Remote Employment Fraud
|
2026-05-13
|
|
Cisco ASA - Packet Capture Activity
|
Cisco ASA Logs
|
T1040
T1557
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ESXi VM Discovery
|
VMWare ESXi Syslog
|
T1673
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
T1621
|
Anomaly
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion
|
2026-05-13
|
|
Okta Unauthorized Access to Application
|
Okta
|
T1087.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Suspicious Java Classes
|
|
T1190
|
Anomaly
|
Apache Struts Vulnerability
|
2026-05-13
|
|
MCP Prompt Injection
|
MCP Server
|
T1059
|
TTP
|
Suspicious MCP Activities
|
2026-05-13
|
|
Ollama Abnormal Network Connectivity
|
Ollama Server
|
T1571
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Monitor Email For Brand Abuse
|
|
N/A
|
TTP
|
Brand Monitoring, Suspicious Emails, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Okta User Logins from Multiple Cities
|
Okta
|
T1586.003
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Cisco Duo Bulk Policy Deletion
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
T1110.003
|
Hunting
|
Compromised User Account, Active Directory Password Spraying
|
2026-05-13
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1059
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
ESXi VIB Acceptance Level Tampering
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Suspicious Email Attachment Extensions
|
|
T1566.001
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Suspicious Emails, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Cisco Duo Policy Allow Tampered Devices
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Set User Status to Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
T1538
T1550.004
|
Hunting
|
Okta Account Takeover
|
2026-05-13
|
|
Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
T1114.001
|
TTP
|
Collection and Staging
|
2026-05-13
|
|
M365 Copilot Information Extraction Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1685
|
TTP
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
CrushFTP Server Side Template Injection
|
CrushFTP
|
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
MCP Postgres Suspicious Query
|
MCP Server
|
T1555
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
Cisco Duo Policy Deny Access
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Malicious VIB Forced Install
|
VMWare ESXi Syslog
|
T1505.006
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover, Okta MFA Exhaustion
|
2026-05-13
|
|
Cisco ASA - Logging Filters Configuration Tampering
|
Cisco ASA Logs
|
T1685
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
MCP Filesystem Server Suspicious Extension Write
|
MCP Server
|
T1059
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
Okta MFA Exhaustion Hunt
|
Okta
|
T1110
|
Hunting
|
Scattered Lapsus$ Hunters, Okta Account Takeover, Okta MFA Exhaustion
|
2026-05-13
|
|
ESXi System Information Discovery
|
VMWare ESXi Syslog
|
T1082
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi Audit Tampering
|
VMWare ESXi Syslog
|
T1070
T1690
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Ollama Excessive API Requests
|
Ollama Server
|
T1498
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
M365 Copilot Agentic Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1685
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
ESXi VM Exported via Remote Tool
|
VMWare ESXi Syslog
|
T1005
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - Device File Copy Activity
|
Cisco ASA Logs
|
T1005
T1530
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
Cisco ASA - User Account Lockout Threshold Exceeded
|
Cisco ASA Logs
|
T1110.001
T1110.003
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco Duo Policy Allow Network Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Zoom Rare Video Devices
|
|
T1123
|
Hunting
|
Remote Employment Fraud
|
2026-05-13
|
|
Detect New Login Attempts to Routers
|
|
N/A
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Ollama Possible API Endpoint Scan Reconnaissance
|
Ollama Server
|
T1595
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Ollama Possible Model Exfiltration Data Leakage
|
Ollama Server
|
T1048
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Download Errors
|
VMWare ESXi Syslog
|
T1601.001
T1685
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
O365 ZAP Activity Detection
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteRule, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteWebACL, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteRuleGroup
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
T1556
|
Anomaly
|
Office 365 Account Takeover, Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Kubernetes Scanner Image Pulling
|
|
T1526
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Email Transport Rule Changed
|
Office 365 Universal Audit Log
|
T1114.003
T1564.008
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
T1685.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
ASL AWS IAM AccessDenied Discovery Events
|
ASL AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS Disable Bucket Versioning
|
ASL AWS CloudTrail
|
T1490
|
Anomaly
|
Suspicious AWS S3 Activities, Data Exfiltration
|
2026-05-13
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail ReplaceNetworkAclEntry, AWS CloudTrail CreateNetworkAclEntry
|
T1686.001
|
TTP
|
AWS Network ACL Activity
|
2026-05-13
|
|
O365 Cross-Tenant Access Change
|
Office 365 Universal Audit Log
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Kubernetes newly seen UDP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Service Principal Privilege Escalation
|
O365 Add app role assignment grant to user.
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Office 365 Account Takeover
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
T1552
T1586.003
|
Hunting
|
AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities
|
2026-05-13
|
|
O365 SharePoint Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
T1213.002
T1552
|
Anomaly
|
Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques, CISA AA22-320A
|
2026-05-13
|
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
O365 Email Reported By User Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Nginx Ingress LFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Email Security Feature Changed
|
Office 365 Universal Audit Log
|
T1685.002
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
T1526
|
TTP
|
AWS User Monitoring
|
2026-05-13
|
|
GitHub Organizations Disable Dependabot
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
T1484.002
|
TTP
|
Storm-0501 Ransomware, Azure Active Directory Persistence, Hellcat Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
T1567.002
|
Anomaly
|
Dev Sec Ops, Scattered Lapsus$ Hunters, Insider Threat
|
2026-05-13
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Exfiltration via Bucket Replication
|
AWS CloudTrail PutBucketReplication
|
T1537
|
TTP
|
Suspicious AWS S3 Activities, Data Exfiltration
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Detect Spike in AWS Security Hub Alerts for User
|
AWS Security Hub
|
N/A
|
Anomaly
|
Critical Alerts, AWS Security Hub Alerts
|
2026-05-13
|
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
Kubernetes Nginx Ingress RFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Mailbox Email Forwarding Enabled
|
|
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
TTP
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
T1204
|
Hunting
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS Detect Users creating keys with encrypt policy without MFA
|
ASL AWS CloudTrail
|
T1486
|
TTP
|
Ransomware Cloud
|
2026-05-13
|
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
T1110.003
T1110.004
T1586.003
|
Hunting
|
Office 365 Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
O365 Privileged Role Assigned
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Spike in AWS Security Hub Alerts for EC2 Instance
|
AWS Security Hub
|
N/A
|
Anomaly
|
Critical Alerts, AWS Security Hub Alerts
|
2026-05-13
|
|
Azure AD AzureHound UserAgent Detected
|
Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs
|
T1087.004
T1526
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2026-05-13
|
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
T1185
|
TTP
|
Compromised User Account, AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
T1686.001
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Scanning by Unauthenticated IP Address
|
Kubernetes Audit
|
T1046
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail ConsoleLogin
|
T1110.001
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
T1003.002
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Exfiltration via EC2 Snapshot
|
AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail DescribeSnapshotAttribute
|
T1537
|
TTP
|
Suspicious Cloud Instance Activities, Data Exfiltration
|
2026-05-13
|
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Amazon EKS Kubernetes cluster scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual Location
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Detect Spike in blocked Outbound Traffic from your AWS
|
|
N/A
|
Anomaly
|
Command And Control, AWS Network ACL Activity, Suspicious AWS Traffic
|
2026-05-13
|
|
O365 PST export alert
|
O365
|
T1114
|
TTP
|
Office 365 Collection Techniques, Data Exfiltration
|
2026-05-13
|
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
GCP Account Takeover
|
2026-05-13
|
|
AWS Bedrock Delete Model Invocation Logging Configuration
|
AWS CloudTrail DeleteModelInvocationLoggingConfiguration
|
T1685.002
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
O365 High Number Of Failed Authentications for User
|
O365 UserLoginFailed
|
T1110.001
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual User Name
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable IP Allow List
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
T1136.003
|
TTP
|
Office 365 Persistence Mechanisms, Cloud Federated Credential Abuse
|
2026-05-13
|
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1003.002
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GitHub Organizations Repository Archived
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
T1686.001
|
Anomaly
|
AWS Network ACL Activity
|
2026-05-13
|
|
O365 New Forwarding Mailflow Rule Created
|
|
T1114
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
T1098.002
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
T1110.001
T1110.003
|
TTP
|
Compromised User Account, NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
T1185
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual User Agent
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
O365 DLP Rule Triggered
|
Office 365 Universal Audit Log
|
T1048
T1567
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS CreateLoginProfile
|
AWS CloudTrail CreateLoginProfile, AWS CloudTrail ConsoleLogin
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Bedrock Delete Knowledge Base
|
AWS CloudTrail DeleteKnowledgeBase
|
T1485
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
T1119
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
GitHub Organizations Delete Branch Ruleset
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
T1110
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ASL AWS Network Access Control List Created with All Open Ports
|
ASL AWS CloudTrail
|
T1686.001
|
TTP
|
AWS Network ACL Activity
|
2026-05-13
|
|
GitHub Enterprise Register Self Hosted Runner
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
AWS Detect Users with KMS keys performing encryption S3
|
AWS CloudTrail
|
T1486
|
Anomaly
|
Ransomware Cloud
|
2026-05-13
|
|
ASL AWS Defense Evasion Update Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
O365 Email Send Attachments Excessive Volume
|
Office 365 Universal Audit Log
|
T1070.008
T1485
|
Anomaly
|
Office 365 Account Takeover, Suspicious Emails
|
2026-05-13
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
T1528
T1566.002
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS EC2 Snapshot Shared Externally
|
AWS CloudTrail ModifySnapshotAttribute
|
T1537
|
TTP
|
Suspicious Cloud Instance Activities, Data Exfiltration
|
2026-05-13
|
|
GitHub Enterprise Repository Deleted
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
O365 Privileged Role Assigned To Service Principal
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 SharePoint Malware Detection
|
Office 365 Universal Audit Log
|
T1204.002
|
TTP
|
Office 365 Account Takeover, Azure Active Directory Persistence, Ransomware Cloud
|
2026-05-13
|
|
O365 Multiple Mailboxes Accessed via API
|
O365 MailItemsAccessed
|
T1114.002
|
TTP
|
Office 365 Collection Techniques, NOBELIUM Group
|
2026-05-13
|
|
AWS Disable Bucket Versioning
|
AWS CloudTrail PutBucketVersioning
|
T1490
|
Anomaly
|
Suspicious AWS S3 Activities, Data Exfiltration
|
2026-05-13
|
|
O365 Safe Links Detection
|
Office 365 Universal Audit Log
|
T1566.001
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2026-05-13
|
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
T1556.006
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
GCP Account Takeover
|
2026-05-13
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Kubernetes Previously Unseen Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual User Group
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Detect New Open S3 buckets
|
AWS CloudTrail
|
T1530
|
TTP
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
T1098
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
ASL AWS Concurrent Sessions From Different Ips
|
ASL AWS CloudTrail
|
T1185
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
AWS Detect Users creating keys with encrypt policy without MFA
|
AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy
|
T1486
|
TTP
|
Ransomware Cloud
|
2026-05-13
|
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS Credential Access RDS Password reset
|
ASL AWS CloudTrail
|
T1110
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Kubernetes newly seen TCP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Circle CI Disable Security Job
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Gdrive suspicious file sharing
|
|
T1566
|
Hunting
|
Scattered Lapsus$ Hunters, Spearphishing Attachments, Data Exfiltration
|
2026-05-13
|
|
Detect S3 access from a new IP
|
|
T1530
|
Anomaly
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
T1535
T1586
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
ASL AWS Credential Access GetPasswordData
|
ASL AWS CloudTrail
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
O365 Email Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
T1114.002
T1552
|
Anomaly
|
Compromised User Account, Office 365 Account Takeover, Office 365 Collection Techniques, CISA AA22-320A
|
2026-05-13
|
|
O365 OAuth App Mailbox Access via Graph API
|
O365 MailItemsAccessed
|
T1114.002
|
TTP
|
Office 365 Collection Techniques, NOBELIUM Group
|
2026-05-13
|
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
T1119
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
O365 Service Principal New Client Credentials
|
O365
|
T1098.001
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Microsoft Intune Bulk Wipe
|
Azure Monitor Activity
|
T1561.001
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Email Password and Payroll Compromise Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
TTP
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 New Federated Domain Added
|
O365
|
T1136.003
|
TTP
|
Office 365 Persistence Mechanisms, Cloud Federated Credential Abuse
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious File Detected
|
Office 365 Universal Audit Log
|
T1204.002
|
TTP
|
Office 365 Account Takeover, Ransomware Cloud, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Circle CI Disable Security Step
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
T1098.003
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
T1685
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
O365 Exfiltration via File Sync Download
|
Office 365 Universal Audit Log
|
T1530
T1567
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
O365 Email Receive and Hard Delete Takeover Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
T1098.005
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
T1556
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Added Service Principal
|
O365
|
T1136.003
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group, Cloud Federated Credential Abuse
|
2026-05-13
|
|
AWS Bedrock Delete GuardRails
|
AWS CloudTrail DeleteGuardrail
|
T1685.002
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
ASL AWS Defense Evasion Impair Security Services
|
ASL AWS CloudTrail
|
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
T1201
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Process with Resource Ratio Anomalies
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
T1535
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
ASL AWS Network Access Control List Deleted
|
ASL AWS CloudTrail
|
T1686.001
|
Anomaly
|
AWS Network ACL Activity, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Kubernetes Node Port Creation
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
T1136.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Cloud Compute Instance Created With Previously Unseen Instance Type
|
AWS CloudTrail
|
T1578.002
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
O365 Email Hard Delete Excessive Volume
|
Office 365 Universal Audit Log
|
T1070.008
T1485
|
Anomaly
|
Office 365 Account Takeover, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
T1685
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS AMI Attribute Modification for Exfiltration
|
AWS CloudTrail ModifyImageAttribute
|
T1537
|
TTP
|
Suspicious Cloud Instance Activities, Data Exfiltration
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
T1098
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS S3 Exfiltration Behavior Identified
|
|
T1537
|
Correlation
|
Suspicious Cloud Instance Activities, Data Exfiltration
|
2026-05-13
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Suspicious Image Pulling
|
Kubernetes Audit
|
T1526
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
ASL AWS EC2 Snapshot Shared Externally
|
ASL AWS CloudTrail
|
T1537
|
TTP
|
Suspicious Cloud Instance Activities, Data Exfiltration
|
2026-05-13
|
|
O365 Multiple OS Vendors Authenticating From User
|
Office 365 Universal Audit Log
|
T1110
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 SharePoint Allowed Domains Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Kubernetes Previously Unseen Container Image Name
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Microsoft Intune Manual Device Management
|
Azure Monitor Activity
|
T1021.007
T1072
T1529
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
O365 Exfiltration via File Access
|
Office 365 Universal Audit Log
|
T1530
T1567
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
O365 Email Suspicious Behavior Alert
|
Office 365 Universal Audit Log
|
T1114.003
|
TTP
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
O365 Compliance Content Search Started
|
|
T1114.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Email New Inbox Rule Created
|
Office 365 Universal Audit Log
|
T1114.003
T1564.008
|
Anomaly
|
Office 365 Collection Techniques
|
2026-05-13
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Cloud Compute Instance Created With Previously Unseen Image
|
AWS CloudTrail
|
N/A
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Detect New Open S3 Buckets over AWS CLI
|
AWS CloudTrail
|
T1530
|
TTP
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Create or Update Privileged Pod
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
O365 New Email Forwarding Rule Enabled
|
|
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
O365 New Email Forwarding Rule Created
|
|
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
T1485.001
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
T1098.002
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Service Principal Enumeration
|
Azure Active Directory MicrosoftGraphActivityLogs
|
T1087.004
T1526
|
TTP
|
Azure Active Directory Privilege Escalation, Compromised User Account
|
2026-05-13
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1556.006
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 External Guest User Invited
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Excessive Authentication Failures Alert
|
|
T1110
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Kubernetes Pod Created in Default Namespace
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes AWS detect suspicious kubectl calls
|
Kubernetes Audit
|
N/A
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
O365 Email Send and Hard Delete Exfiltration Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
Kubernetes DaemonSet Deployed
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Assigned
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
T1098.001
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, NOBELIUM Group, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Kubernetes Access Scanning
|
Kubernetes Audit
|
T1046
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 External Identity Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious Email Delivered
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Exfiltration via DataSync Task
|
AWS CloudTrail CreateTask
|
T1119
|
TTP
|
Suspicious AWS S3 Activities, Hellcat Ransomware, Data Exfiltration
|
2026-05-13
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect New Open GCP Storage Buckets
|
|
T1530
|
TTP
|
Suspicious GCP Storage Activities
|
2026-05-13
|
|
O365 Application Available To Other Tenants
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Storm-0501 Ransomware, Azure Active Directory Persistence, NOBELIUM Group, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
T1003.002
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
T1098.005
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
O365 Multiple Failed MFA Requests For User
|
O365 UserLoginFailed
|
T1621
|
TTP
|
Office 365 Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ASL AWS Defense Evasion PutBucketLifecycle
|
ASL AWS CloudTrail
|
T1485.001
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
GitHub Organizations Repository Deleted
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
O365 OAuth App Mailbox Access via EWS
|
O365 MailItemsAccessed
|
T1114.002
|
TTP
|
Office 365 Collection Techniques, NOBELIUM Group
|
2026-05-13
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556.006
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
T1098.002
|
TTP
|
Office 365 Collection Techniques, Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Hunting
|
NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Password Policy Changes
|
AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail DeleteAccountPasswordPolicy
|
T1201
|
Hunting
|
Compromised User Account, AWS IAM Privilege Escalation
|
2026-05-13
|
|
ASL AWS Defense Evasion Delete Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
T1098
|
TTP
|
Azure Active Directory Persistence, Hellcat Ransomware
|
2026-05-13
|
|
Gsuite Outbound Email With Attachment To External Domain
|
G Suite Gmail
|
T1048.003
|
Hunting
|
Dev Sec Ops, Insider Threat
|
2026-05-13
|
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
High Number of Login Failures from a single source
|
O365 UserLoginFailed
|
T1110.001
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Kubernetes Anomalous Traffic on Network Edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Kubernetes Process Running From New Path
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
O365 Email Reported By Admin Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Remove Organization
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Detect Spike in S3 Bucket deletion
|
AWS CloudTrail
|
T1530
|
Anomaly
|
Suspicious AWS S3 Activities
|
2026-05-13
|
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
T1021.007
T1072
T1484
T1685
T1686
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Update user, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin)
|
T1098
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Gsuite suspicious calendar invite
|
|
T1566
|
Hunting
|
Spearphishing Attachments
|
2026-05-13
|
|
Amazon EKS Kubernetes Pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-05-13
|
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Email Access By Security Administrator
|
Office 365 Universal Audit Log
|
T1114.002
T1567
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
T1110.001
T1110.003
|
TTP
|
Compromised User Account, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Risk Rule for Dev Sec Ops by Repository
|
|
T1204.003
|
Correlation
|
Dev Sec Ops
|
2026-05-13
|
|
GitHub Enterprise Repository Archived
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
O365 Concurrent Sessions From Different Ips
|
O365 UserLoggedIn
|
T1185
|
TTP
|
Office 365 Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
T1110.003
T1110.004
T1586.003
|
TTP
|
Office 365 Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
O365 Mailbox Inbox Folder Shared with All Users
|
O365 ModifyFolderPermissions
|
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
T1578.005
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
GCP Kubernetes cluster pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Elevated Mailbox Permission Assigned
|
O365 Add-MailboxPermission
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
T1110.003
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 User Consent Denied for OAuth Application
|
O365
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
O365 Exfiltration via File Download
|
Office 365 Universal Audit Log
|
T1530
T1567
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Detect GCP Storage access from a new IP
|
|
T1530
|
Anomaly
|
Suspicious GCP Storage Activities
|
2026-05-13
|
|
O365 Email Send and Hard Delete Suspicious Behavior
|
Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
O365 Compliance Content Search Exported
|
|
T1114.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
O365 BEC Email Hiding Rule Created
|
|
T1564.008
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Granted
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
T1110.001
|
TTP
|
Compromised User Account, Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Bedrock High Number List Foundation Model Failures
|
AWS CloudTrail
|
T1580
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Prohibited Network Traffic Allowed
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048
|
TTP
|
Ransomware, Command And Control, Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
T1071.003
|
Anomaly
|
AgentTesla, Interlock Ransomware
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Correlation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
HTTP RMM User Agent
|
Suricata
|
T1071.001
T1219
|
Anomaly
|
Remote Monitoring and Management Software, Suspicious User Agents
|
2026-05-13
|
|
Windows Remote Desktop Network Bruteforce Attempt
|
Cisco Secure Access Firewall, Sysmon EventID 3
|
T1110.001
|
Anomaly
|
SamSam Ransomware, Compromised User Account, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion, Cisco Secure Access Analytics
|
2026-05-13
|
|
HTTP Malware User Agent
|
Suricata
|
T1071.001
|
TTP
|
Lumma Stealer, Lokibot, RedLine Stealer, Meduza Stealer, Suspicious User Agents, Crypto Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
T1048.003
|
Anomaly
|
Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware
|
2026-05-13
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
TTP
|
Trickbot
|
2026-05-13
|
|
Cisco SD-WAN - Peering Activity
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Bits Network Activity
|
Cisco Secure Firewall Threat Defense Connection Event
|
N/A
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Remote Desktop Network Traffic
|
Zeek Conn
|
T1021.001
|
Anomaly
|
SamSam Ransomware, Hidden Cobra Malware, Active Directory Lateral Movement, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
HTTP C2 Framework User Agent
|
Suricata
|
T1071.001
|
TTP
|
Cobalt Strike, Malicious PowerShell, Meterpreter, Spearphishing Attachments, Tuoni, BishopFox Sliver Adversary Emulation Framework, Suspicious User Agents, Brute Ratel C4
|
2026-05-13
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
T1219
|
Anomaly
|
Command And Control, Scattered Lapsus$ Hunters, CISA AA24-241A, Insider Threat, Scattered Spider, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Large ICMP Traffic
|
Cisco Secure Access Firewall, Palo Alto Network Traffic
|
T1095
|
TTP
|
Command And Control, Backdoor Pingpong, China-Nexus Threat Activity, Cisco Secure Access Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
HTTP PUA User Agent
|
Suricata
|
T1071.001
|
Anomaly
|
Cactus Ransomware, Suspicious User Agents, BlackSuit Ransomware, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Cisco Secure Firewall - React Server Components RCE Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Cisco Secure Firewall - Intrusion Events by Threat Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect DNS Query to Decommissioned S3 Bucket
|
Sysmon EventID 22
|
T1485
|
Anomaly
|
AWS S3 Bucket Security Monitoring, Data Destruction
|
2026-05-13
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Smart Install Oversized Packet Detection
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Smart Install Port Discovery and Status
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Potential Data Exfiltration
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1048.003
T1567.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
TOR Traffic
|
Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event
|
T1090.003
|
TTP
|
Command And Control, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics, Ransomware, Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Cisco TFTP Server Configuration for Data Exfiltration
|
Cisco IOS Logs
|
T1005
T1567
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Zeek x509 Certificate with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-05-13
|
|
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1190
|
TTP
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
SSL Certificates with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-05-13
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco SD-WAN - Low Frequency Rogue Peer
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Anomaly
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Detect Zerologon via Zeek
|
|
T1190
|
TTP
|
Rhysida Ransomware, Detect Zerologon Attack, Black Basta Ransomware
|
2026-05-13
|
|
Detect SNICat SNI Exfiltration
|
|
T1041
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
Cisco Secure Firewall - Remote Access Software Usage Traffic
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1219
|
Anomaly
|
Command And Control, Scattered Lapsus$ Hunters, Insider Threat, Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Protocols passing authentication in cleartext
|
Cisco Secure Firewall Threat Defense Connection Event
|
N/A
|
Anomaly
|
Use of Cleartext Protocols, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A
|
2026-05-13
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Vulnerability Scan
|
|
T1046
T1595.002
|
TTP
|
Network Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
T1071.004
T1102.002
|
Anomaly
|
VIP Keylogger, 0bj3ctivity Stealer, Crypto Stealer, BlankGrabber Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
T1059.005
|
Anomaly
|
PXA Stealer, BlankGrabber Stealer, Cactus Ransomware, WhisperGate, Data Destruction
|
2026-05-13
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1098
T1505.003
T1685
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1573.002
T1587.002
T1588.004
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218.011
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
T1219
|
Anomaly
|
Command And Control, Scattered Lapsus$ Hunters, Insider Threat, Scattered Spider, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware
|
2026-05-13
|
|
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Download Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Rare Snort Rule Triggered
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1583.006
T1598
|
Hunting
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
Anomaly
|
PXA Stealer, Phemedrone Stealer, BlankGrabber Stealer, Quasar RAT, Azorult, Void Manticore, Castle RAT, VIP Keylogger, Snake Keylogger, DarkCrystal RAT, Meduza Stealer, 0bj3ctivity Stealer, Water Gamayun, Handala Wiper
|
2026-05-13
|
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
|
TTP
|
PXA Stealer, Phemedrone Stealer, BlankGrabber Stealer, Malicious Inno Setup Loader, Braodo Stealer, Cactus Ransomware, RedLine Stealer, Snake Keylogger, Meduza Stealer, Remcos, WhisperGate, Data Destruction
|
2026-05-13
|
|
Cisco Secure Firewall - High EVE Threat Confidence
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1071.001
T1105
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware
|
2026-05-13
|
|
Windows AD Replication Service Traffic
|
|
T1003.006
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Cisco Secure Firewall - SSH Connection to Non-Standard Port
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
T1102
|
Anomaly
|
Malicious Inno Setup Loader, NjRAT, CISA AA24-241A, BlankGrabber Stealer
|
2026-05-13
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Large Volume of DNS ANY Queries
|
|
T1498.002
|
Anomaly
|
DNS Amplification Attacks
|
2026-05-13
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Zeek
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Command And Control, DNS Hijacking, Dynamic DNS, Suspicious DNS Traffic, Prohibited Traffic Allowed or Protocol Mismatch, Data Protection
|
2026-05-13
|
|
Cisco Secure Firewall - File Download Over Uncommon Port
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Protocol or Port Mismatch
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048.003
|
Anomaly
|
Command And Control, Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Detect Outbound SMB Traffic
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1071.002
|
TTP
|
Hidden Cobra Malware, DHS Report TA18-074A, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics
|
2026-05-13
|
|
Detect Unauthorized Assets by MAC address
|
|
N/A
|
TTP
|
Asset Tracking
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Binary File Type Download
|
Cisco Secure Firewall Threat Defense File Event
|
T1059
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
DNS Kerberos Coercion
|
Sysmon EventID 22, Suricata
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Cisco Secure Firewall - Possibly Compromised Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
T1587.001
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Connection to File Sharing Domain
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1090.002
T1105
T1567.002
T1588.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Excessive DNS Failures
|
|
T1071.004
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2026-05-13
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1040
T1552
T1685
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
|
Hunting
|
MuddyWater, Spearphishing Attachments, AsyncRAT
|
2026-05-13
|
|
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1595
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
SMB Traffic Spike
|
|
T1021.002
|
Anomaly
|
Ransomware, Hidden Cobra Malware, Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A
|
2026-05-13
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1071
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Hosts receiving high volume of network traffic from email server
|
|
T1114.002
|
Anomaly
|
Collection and Staging
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Cisco Secure Access Firewall, Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event
|
T1059
T1190
|
Hunting
|
Cisco Secure Firewall Threat Defense Analytics, Log4Shell CVE-2021-44228, Cisco Secure Access Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - SSH Connection to sshd_operns
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Linux Suspicious Namespace Creation
|
Sysmon for Linux EventID 1, Linux Auditd Syscall
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-12
|
|
Powershell Defender Threat Actions Set to Allow
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
TTP
|
Salat Stealer
|
2026-05-12
|
|
Linux Binary Launched Process with Null Argv
|
Linux Messages Syslog
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-12
|
|
Linux PF_ALG Registration Outside of Boot Window
|
Linux Messages Syslog
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-11
|
|
Linux Malformed Auth Entry
|
Linux Secure
|
T1068
|
Anomaly
|
Linux Privilege Escalation
|
2026-05-06
|
|
Windows Suspicious Child Process of TieringEngineService.exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
RedSun, Windows Privilege Escalation
|
2026-05-01
|
|
Windows VSSVC Process Accessing Defender Engine
|
Sysmon EventID 10
|
T1068
|
TTP
|
RedSun, Windows Privilege Escalation
|
2026-05-01
|
|
Windows Cloud Files Filter Log Created by Non-System Process
|
Sysmon EventID 11
|
T1068
|
TTP
|
RedSun, Windows Privilege Escalation
|
2026-05-01
|
|
Windows Suspicious Burst of Password Changes
|
Windows Event Log Security 4723, Windows Event Log Security 4724
|
T1068
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-29
|
|
Windows Suspicious Defender Engine or Signature Files Created
|
Sysmon EventID 11
|
T1068
|
Anomaly
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows Suspicious Defender Update Activity in INetCache
|
Sysmon EventID 11, Sysmon EventID 23
|
T1068
T1105
|
Anomaly
|
Windows Persistence Techniques, BlueHammer
|
2026-04-27
|
|
Windows MsMpEng Writing to System32
|
Sysmon EventID 11, Sysmon EventID 15
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Drivers, RedSun, Windows Privilege Escalation
|
2026-04-27
|
|
Windows Admin Password Changed by Non-Admin
|
Windows Event Log Security 4723
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows Non-System Process Querying Definition Update
|
Sysmon EventID 22
|
T1068
T1071.001
|
Anomaly
|
BlueHammer, RedSun, Windows Privilege Escalation
|
2026-04-27
|