Detections

Name	Data Source	Technique	Type	Analytic Story	Date
HTTP Scripting Tool User Agent	Nginx Access	T1071.001	Anomaly	Suspicious User Agents, HTTP Request Smuggling	2026-06-15
PTC Windchill Gateway Command Execution	Windchill Log4j	T1005 T1059 T1190	Anomaly	PTC Windchill Exploitation	2026-06-14
PTC Windchill GW READY OK Probe	Windchill Log4j	T1059 T1190	Anomaly	PTC Windchill Exploitation	2026-06-14
Splunk Secure Application Alerts for Runtime Security		N/A	Anomaly	Critical Alerts	2026-06-12
Windows Suspicious Process File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1543	TTP	Remcos, Water Gamayun, RoguePlanet, NailaoLocker Ransomware, Earth Alux, Prestige Ransomware, Axios Supply Chain Post Compromise, Double Zero Destructor, WhisperGate, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Warzone RAT, DarkCrystal RAT, Phemedrone Stealer, MoonPeak, Rhysida Ransomware, Hermetic Wiper, Volt Typhoon, Brute Ratel C4, Castle RAT, SesameOp, LockBit Ransomware, SystemBC, AgentTesla, Meduza Stealer, RedLine Stealer, Malicious Inno Setup Loader, GhostRedirector IIS Module and Rungan Backdoor, PlugX, IcedID, Azorult, Handala Wiper, Industroyer2, PromptLock, Quasar RAT, XWorm, Qakbot, SnappyBee, AsyncRAT, Interlock Rat, Chaos Ransomware, StealC Stealer, Interlock Ransomware, BlackByte Ransomware, Amadey, XMRig, Data Destruction, Void Manticore, Swift Slicer, CISA AA23-347A, Graceful Wipe Out Attack, Trickbot, DarkGate Malware, VIP Keylogger, Lokibot	2026-06-11
Executables Or Script Creation In Temp Path	Sysmon EventID 11	T1036	Anomaly	Remcos, PromptFlux, RoguePlanet, Axios Supply Chain Post Compromise, Double Zero Destructor, WhisperGate, China-Nexus Threat Activity, Derusbi, ValleyRAT, Warzone RAT, DarkCrystal RAT, Salt Typhoon, MoonPeak, Rhysida Ransomware, Snake Keylogger, Hermetic Wiper, Volt Typhoon, Brute Ratel C4, SesameOp, AcidPour, LockBit Ransomware, Meduza Stealer, AgentTesla, RedLine Stealer, WinDealer RAT, PlugX, Azorult, Handala Wiper, IcedID, Industroyer2, PromptLock, NjRAT, Qakbot, SnappyBee, Salat Stealer, AsyncRAT, Interlock Rat, Chaos Ransomware, APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Amadey, XMRig, Data Destruction, Void Manticore, Swift Slicer, CISA AA23-347A, Graceful Wipe Out Attack, Trickbot, XML Runner Loader, Crypto Stealer, DarkGate Malware, VIP Keylogger, Lokibot	2026-06-11
Windows Wermgr Alternate Data Stream in Temp Dir	Sysmon EventID 15	T1564.004	Anomaly	RoguePlanet	2026-06-11
Regsvr32 Silent and Install Param Dll Loading	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	Anomaly	Remcos, Suspicious Regsvr32 Activity, Living Off The Land, Data Destruction, AsyncRAT, Hermetic Wiper	2026-06-09
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication	Cisco SD-WAN Auth Log	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-06-09
Cisco SD-WAN Multiple SSH key Authentication from Same Source	Cisco SD-WAN Auth Log	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-06-09
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors	Cisco Secure Access Proxy	T1595	Anomaly	Cisco Secure Access Analytics	2026-06-09
Cisco SA - Access to Anonymizer Services	Cisco Secure Access DNS	T1090.003	Anomaly	Cisco Secure Access Analytics	2026-06-09
Regsvr32 with Known Silent Switch Cmdline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	Anomaly	Remcos, Suspicious Regsvr32 Activity, Living Off The Land, Qakbot, AsyncRAT, IcedID	2026-06-09
PowerShell 4104 Hunting	Powershell Script Block Logging 4104	T1059.001	Hunting	0bj3ctivity Stealer, Water Gamayun, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Cleo File Transfer Software, Rhysida Ransomware, Lumma Stealer, Hermetic Wiper, SystemBC, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, GhostRedirector IIS Module and Rungan Backdoor, Cactus Ransomware, MuddyWater, PHP-CGI RCE Attack on Japanese Organizations, Braodo Stealer, XWorm, Salat Stealer, APT37 Rustonotto and FadeStealer, Scattered Spider, Interlock Ransomware, Medusa Ransomware, Flax Typhoon, Data Destruction, Hellcat Ransomware, CISA AA23-347A, CISA AA24-241A, DarkGate Malware	2026-06-08
Powershell Processing Stream Of Data	Powershell Script Block Logging 4104	T1059.001	TTP	MuddyWater, Data Destruction, Hellcat Ransomware, Braodo Stealer, XWorm, Salat Stealer, Malicious PowerShell, AsyncRAT, PXA Stealer, MoonPeak, Hermetic Wiper, Medusa Ransomware, IcedID	2026-06-08
Powershell Using memory As Backing Store	Powershell Script Block Logging 4104	T1059.001	TTP	Data Destruction, Salat Stealer, Malicious PowerShell, MoonPeak, Hermetic Wiper, Medusa Ransomware, IcedID	2026-06-08
Windows Obfuscated Files or Information via RAR SFX	Sysmon EventID 11	T1027.013	Anomaly	APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Salat Stealer, Crypto Stealer	2026-06-08
Windows Process Execution From ProgramData	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005	Hunting	Axios Supply Chain Post Compromise, APT37 Rustonotto and FadeStealer, XWorm, China-Nexus Threat Activity, SnappyBee, Salt Typhoon, Salat Stealer, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, StealC Stealer	2026-06-08
Non Firefox Process Access Firefox Profile Dir	Windows Event Log Security 4663	T1555.003	Anomaly	0bj3ctivity Stealer, Remcos, China-Nexus Threat Activity, Salt Typhoon, Warzone RAT, Phemedrone Stealer, FIN7, Snake Keylogger, AgentTesla, RedLine Stealer, Malicious Inno Setup Loader, 3CX Supply Chain Attack, Azorult, BlankGrabber Stealer, Quasar RAT, NjRAT, Salat Stealer, SnappyBee, StealC Stealer, CISA AA23-347A, DarkGate Malware, VIP Keylogger, Lokibot	2026-06-08
Powershell Disable Security Monitoring	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	BlankGrabber Stealer, Revil Ransomware, Salat Stealer, CISA AA24-241A, Ransomware	2026-06-08
Add or Set Windows Defender Exclusion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Remcos, AgentTesla, Data Destruction, NetSupport RMM Tool Abuse, XWorm, WhisperGate, ValleyRAT, Salat Stealer, Compromised Windows Host, Crypto Stealer, Windows Defense Evasion Tactics, CISA AA22-320A	2026-06-08
Firewall Allowed Program Enable	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686	Anomaly	NjRAT, Salat Stealer, Azorult, Windows Defense Evasion Tactics, Medusa Ransomware, BlackByte Ransomware, PlugX	2026-06-08
Disable Defender Submit Samples Consent Feature	Sysmon EventID 13	T1685	TTP	BlankGrabber Stealer, Salat Stealer, CISA AA23-347A, Azorult, Windows Registry Abuse, IcedID	2026-06-08
Windows Process Execution in Temp Dir	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1543	Anomaly	Remcos, AgentTesla, PromptLock, RoguePlanet, Gh0st RAT, Axios Supply Chain Post Compromise, NjRAT, XWorm, Qakbot, SesameOp, Salat Stealer, Trickbot, PathWiper, Ryuk Ransomware, Ransomware, Lokibot	2026-06-08
Windows Defender Exclusion Registry Entry	Sysmon EventID 13	T1685	TTP	Remcos, NetSupport RMM Tool Abuse, XWorm, Qakbot, ValleyRAT, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics, Azorult	2026-06-08
Windows Event Log Cleared	Windows Event Log System 104, Windows Event Log Security 1102	T1685.005	TTP	Clop Ransomware, CISA AA22-264A, Salat Stealer, ShrinkLocker, Compromised Windows Host, Windows Log Manipulation, Ransomware	2026-06-08
Registry Keys Used For Persistence	Sysmon EventID 13	T1547.001	TTP	0bj3ctivity Stealer, Remcos, Windows Persistence Techniques, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Derusbi, Salt Typhoon, Warzone RAT, DarkCrystal RAT, ValleyRAT, MoonPeak, Snake Keylogger, Windows Registry Abuse, DHS Report TA18-074A, Castle RAT, SystemBC, Suspicious MSHTA Activity, RedLine Stealer, WinDealer RAT, Sneaky Active Directory Persistence Tricks, Suspicious Windows Registry Activities, Cactus Ransomware, MuddyWater, Azorult, IcedID, Quasar RAT, Gh0st RAT, Braodo Stealer, NetSupport RMM Tool Abuse, XWorm, Qakbot, NjRAT, SnappyBee, AsyncRAT, Salat Stealer, Chaos Ransomware, APT37 Rustonotto and FadeStealer, Interlock Ransomware, BlackByte Ransomware, Amadey, Emotet Malware DHS Report TA18-201A, CISA AA23-347A, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, DarkGate Malware, BlackSuit Ransomware, Lokibot	2026-06-08
Powershell Windows Defender Exclusion Commands	Powershell Script Block Logging 4104	T1685	TTP	Remcos, AgentTesla, BlankGrabber Stealer, Data Destruction, NetSupport RMM Tool Abuse, WhisperGate, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics, CISA AA22-320A	2026-06-08
Disable Defender AntiVirus Registry	Sysmon EventID 13	T1685	TTP	Salat Stealer, SolarWinds WHD RCE Post Exploitation, CISA AA24-241A, Cactus Ransomware, Black Basta Ransomware, Windows Registry Abuse, IcedID	2026-06-08
Non Chrome Process Accessing Chrome Default Dir	Windows Event Log Security 4663	T1555.003	Anomaly	Remcos, China-Nexus Threat Activity, Salt Typhoon, Warzone RAT, Phemedrone Stealer, FIN7, Snake Keylogger, AgentTesla, RedLine Stealer, Malicious Inno Setup Loader, 3CX Supply Chain Attack, BlankGrabber Stealer, Quasar RAT, NjRAT, Salat Stealer, SnappyBee, StealC Stealer, CISA AA23-347A, DarkGate Malware, VIP Keylogger, Lokibot	2026-06-08
Windows Impair Defense Disable Web Evaluation	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Salat Stealer	2026-06-08
Windows Disable or Stop Browser Process	Sysmon EventID 1	T1685	TTP	BlankGrabber Stealer, Braodo Stealer, Hellcat Ransomware, Castle RAT, Salat Stealer, Scattered Lapsus$ Hunters	2026-06-08
Windows Credentials from Password Stores Chrome LocalState Access	Windows Event Log Security 4663	T1012	Anomaly	0bj3ctivity Stealer, Earth Alux, China-Nexus Threat Activity, Salt Typhoon, Warzone RAT, Phemedrone Stealer, PXA Stealer, MoonPeak, Snake Keylogger, Meduza Stealer, RedLine Stealer, Malicious Inno Setup Loader, BlankGrabber Stealer, Quasar RAT, Braodo Stealer, NjRAT, Salat Stealer, SnappyBee, StealC Stealer, Scattered Lapsus$ Hunters, Amadey, DarkGate Malware, VIP Keylogger, Lokibot	2026-06-08
Disable Windows Behavior Monitoring	Sysmon EventID 13	T1685	TTP	BlankGrabber Stealer, Revil Ransomware, NetSupport RMM Tool Abuse, RedLine Stealer, Salat Stealer, CISA AA23-347A, Storm-0501 Ransomware, SolarWinds WHD RCE Post Exploitation, Scattered Lapsus$ Hunters, Cactus Ransomware, Black Basta Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware, Azorult	2026-06-08
Windows Credentials from Password Stores Chrome Login Data Access	Windows Event Log Security 4663	T1012	Anomaly	0bj3ctivity Stealer, Earth Alux, China-Nexus Threat Activity, Salt Typhoon, Warzone RAT, Phemedrone Stealer, PXA Stealer, MoonPeak, Snake Keylogger, Meduza Stealer, RedLine Stealer, Malicious Inno Setup Loader, BlankGrabber Stealer, Quasar RAT, Braodo Stealer, NjRAT, Salat Stealer, SnappyBee, StealC Stealer, Scattered Lapsus$ Hunters, Amadey, DarkGate Malware, VIP Keylogger, Lokibot	2026-06-08
Windows Access Token Manipulation SeDebugPrivilege	Windows Event Log Security 4703	T1134.002	Anomaly	China-Nexus Threat Activity, Derusbi, Salt Typhoon, ValleyRAT, Brute Ratel C4, Tuoni, Meduza Stealer, WinDealer RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, PlugX, Gh0st RAT, Salat Stealer, SnappyBee, AsyncRAT, Scattered Lapsus$ Hunters, CISA AA23-347A, DarkGate Malware, Lokibot	2026-06-08
Windows Firewall Rule Added	Windows Event Log Security 4946	T1686	Anomaly	NetSupport RMM Tool Abuse, ShrinkLocker, Salat Stealer, Medusa Ransomware	2026-06-08
Disable Windows SmartScreen Protection	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Salat Stealer	2026-06-08
Powershell Fileless Script Contains Base64 Encoded Content	Powershell Script Block Logging 4104	T1027 T1059.001	TTP	0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, GhostRedirector IIS Module and Rungan Backdoor, MuddyWater, IcedID, NetSupport RMM Tool Abuse, NjRAT, XWorm, Salat Stealer, AsyncRAT, APT37 Rustonotto and FadeStealer, Winter Vivern, Medusa Ransomware, Data Destruction, Hellcat Ransomware, VIP Keylogger	2026-06-08
Windows Credential Access From Browser Password Store	Windows Event Log Security 4663	T1012	Anomaly	0bj3ctivity Stealer, Meduza Stealer, BlankGrabber Stealer, Quasar RAT, Earth Alux, Snake Keylogger, Braodo Stealer, Salat Stealer, China-Nexus Threat Activity, SnappyBee, Salt Typhoon, Malicious Inno Setup Loader, PXA Stealer, MoonPeak, StealC Stealer, Scattered Spider, Scattered Lapsus$ Hunters, VIP Keylogger	2026-06-08
Windows Alternate DataStream - Process Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1564.004	TTP	Windows Defense Evasion Tactics, Compromised Windows Host	2026-06-04
Linux Proxy Socks Curl	Sysmon for Linux EventID 1	T1090 T1095	TTP	Ingress Tool Transfer, Linux Living Off The Land	2026-06-04
PowerShell - Connect To Internet With Hidden Window	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	Hunting	HAFNIUM Group, Log4Shell CVE-2021-44228, AgentTesla, Data Destruction, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Hermetic Wiper	2026-06-04
M365 Copilot Impersonation Jailbreak Attack	M365 Exported eDiscovery Prompts	T1685	TTP	Suspicious Microsoft 365 Copilot Activities	2026-06-04
Windows AD add Self to Group	Windows Event Log Security 4728	T1098	TTP	Sneaky Active Directory Persistence Tricks, Medusa Ransomware, Active Directory Privilege Escalation	2026-06-01
Windows FFmpeg Audio and Video Device Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1125	Anomaly	Salat Stealer	2026-05-20
Windows FFmpeg DirectShow Video Capture	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1125	Anomaly	Salat Stealer	2026-05-20
Cisco IOS XE Guestshell Activation and Destroy	Cisco IOS Logs	T1059 T1611	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Remote Access Probe Burst	Cisco IOS Logs	T1018 T1021.004 T1046	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Request Platform Package Describe Shell Pattern	Cisco IOS Logs	T1059 T1190	TTP	Salt Typhoon	2026-05-20
Cisco IOS XE Reconnaissance Command Activity	Cisco IOS Logs	T1016 T1082 T1590	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Tunnel Interface Configuration	Cisco IOS Logs	T1090 T1572	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE VTY Access Class Tampering	Cisco IOS Logs	T1021 T1562	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal	Cisco IOS Logs	T1070.001 T1562	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE WebUI Programmatic Configuration	Cisco IOS Logs	T1078 T1190	Anomaly	Salt Typhoon	2026-05-19
Cisco IOS XE WebUI Login From IOSd Local Port	Cisco IOS Logs	T1078 T1190	TTP	Salt Typhoon	2026-05-19
Windows Cloud Files Filter Loaded by Uncommon Process	Sysmon EventID 7	T1543.003	Anomaly	BlueHammer, RedSun	2026-05-18
Splunk User Enumeration Attempt	Splunk	T1078	TTP	Splunk Vulnerabilities	2026-05-14
Splunk Sensitive Information Disclosure in DEBUG Logging Channels	Splunk	T1552	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Information Disclosure on Account Login	Splunk	T1087	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Code Injection via custom dashboard leading to RCE		T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk RCE PDFgen Render	Splunk	T1210	TTP	Splunk Vulnerabilities	2026-05-14
Splunk RCE Through Arbitrary File Write to Windows System Root	Splunk	T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk App for Lookup File Editing RCE via User XSLT		T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk XSS Privilege Escalation via Custom Urls in Dashboard	Splunk	T1189	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Authentication Token Exposure in Debug Log		T1654	TTP	Splunk Vulnerabilities	2026-05-14
Splunk Path Traversal In Splunk App For Lookup File Edit	Splunk	T1083	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Enterprise KV Store Incorrect Authorization	Splunk	T1548	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk RCE via User XSLT		T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Windows PowerShell Add Module to Global Assembly Cache	Powershell Script Block Logging 4104	T1505.004	TTP	IIS Components	2026-05-13
Windows Group Discovery Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002	Hunting	Windows Discovery Techniques, Microsoft WSUS CVE-2025-59287, Windows Post-Exploitation, Prestige Ransomware, IcedID, Active Directory Discovery, Graceful Wipe Out Attack, SolarWinds WHD RCE Post Exploitation, Cleo File Transfer Software, Rhysida Ransomware, Volt Typhoon, Medusa Ransomware, Azorult	2026-05-13
CMLUA Or CMSTPLUA UAC Bypass	Sysmon EventID 7	T1218.003	TTP	Ransomware, DarkSide Ransomware, LockBit Ransomware, ValleyRAT	2026-05-13
Windows PowerShell Invoke-Sqlcmd Execution	Powershell Script Block Logging 4104	T1059.001 T1059.003	Hunting	GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse	2026-05-13
Windows Potato Privilege Escalation Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Windows Privilege Escalation	2026-05-13
Steal or Forge Authentication Certificates Behavior Identified		T1649	Correlation	Windows Certificate Services	2026-05-13
Windows InstallUtil URL in Command Line	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1218.004	TTP	Living Off The Land, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil, Compromised Windows Host	2026-05-13
Windows New Service Security Descriptor Set Via Sc.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
PaperCut NG Suspicious Behavior Debug Log		T1133 T1190	Hunting	PaperCut MF NG Vulnerability	2026-05-13
Windows Excel Spawning Microsoft Project Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003	Anomaly	PathWiper	2026-05-13
Deleting Shadow Copies	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Void Manticore, CISA AA22-264A, SamSam Ransomware, Medusa Ransomware, Termite Ransomware, Chaos Ransomware, Compromised Windows Host, Rhysida Ransomware, Black Basta Ransomware, Windows Log Manipulation, Cactus Ransomware, VanHelsing Ransomware, Ransomware, DarkGate Malware, LockBit Ransomware	2026-05-13
Java Writing JSP File	Sysmon for Linux EventID 1, Sysmon for Linux EventID 11	T1133 T1190	TTP	Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Spring4Shell CVE-2022-22965, SAP NetWeaver Exploitation	2026-05-13
Windows Rasautou DLL Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055.001 T1218	TTP	Windows Defense Evasion Tactics, Hellcat Ransomware, Compromised Windows Host	2026-05-13
Linux Auditd Service Restarted	Linux Auditd Proctitle	T1053.006	Anomaly	Scheduled Tasks, AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Credentials from Password Stores Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	TTP	NetSupport RMM Tool Abuse, DarkGate Malware, Compromised Windows Host	2026-05-13
Windows Impair Defense Set Win Defender Smart Screen Level To Warn	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Linux Auditd File Permission Modification Via Chmod	Linux Auditd Proctitle	T1222.002	Anomaly	Axios Supply Chain Post Compromise, XorDDos, China-Nexus Threat Activity, Salt Typhoon, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
USN Journal Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	Windows Log Manipulation, Ransomware	2026-05-13
Mshta spawning Rundll32 OR Regsvr32 Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Living Off The Land, Trickbot, APT37 Rustonotto and FadeStealer, IcedID	2026-05-13
Logon Script Event Trigger Execution	Sysmon EventID 13	T1037.001	TTP	Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, VIP Keylogger	2026-05-13
Execution of File with Multiple Extensions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003	TTP	AsyncRAT, Masquerading - Rename System Utilities, DarkGate Malware, Windows File Extension and Association Abuse	2026-05-13
MSBuild Suspicious Spawned By Script Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127.001	TTP	Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild	2026-05-13
Windows Anomalous Registry Value Length in Environment Key	Sysmon EventID 13	T1112	Anomaly	VIP Keylogger	2026-05-13
Windows Password Policy Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	Hunting	Active Directory Discovery	2026-05-13
Windows Potential Cloudflared Network Connection	Sysmon EventID 3	T1572	Hunting	Reverse Network Proxy	2026-05-13
Linux Auditd Find Credentials From Password Stores	Linux Auditd Execve	T1555.005	TTP	Hellcat Ransomware, Linux Persistence Techniques, Linux Living Off The Land, Compromised Linux Host, Scattered Lapsus$ Hunters, Linux Privilege Escalation	2026-05-13
Windows WMI Process And Service List	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Linux Auditd Add User Account	Linux Auditd Proctitle	T1136.001	Anomaly	Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation	2026-05-13
Linux Auditd Unload Module Via Modprobe	Linux Auditd Execve	T1547.006	TTP	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Reg exe Manipulating Windows Services Registry Keys	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.011	TTP	Living Off The Land, Windows Service Abuse, Windows Persistence Techniques	2026-05-13
Windows Gather Victim Identity SAM Info	Sysmon EventID 7	T1589.001	Hunting	Brute Ratel C4	2026-05-13
Windows Local Administrator Credential Stuffing	Windows Event Log Security 4625, Windows Event Log Security 4624	T1110.004	TTP	Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Suspicious Copy on System32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003	Anomaly	Water Gamayun, Qakbot, AsyncRAT, Compromised Windows Host, Volt Typhoon, Unusual Processes, Sandworm Tools, IcedID	2026-05-13
Spike in File Writes	Sysmon EventID 11	N/A	Anomaly	Rhysida Ransomware, Ransomware, Ryuk Ransomware, SamSam Ransomware	2026-05-13
Windows PowerShell WMI Win32 ScheduledJob	Powershell Script Block Logging 4104	T1059.001	TTP	Active Directory Lateral Movement	2026-05-13
Detect RTLO In Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.002	TTP	Spearphishing Attachments	2026-05-13
Detect RTLO In File Name	Sysmon EventID 11	T1036.002	TTP	Spearphishing Attachments	2026-05-13
Linux Preload Hijack Library Calls	Sysmon for Linux EventID 1	T1574.006	TTP	China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Administrative Shares Accessed On Multiple Hosts	Windows Event Log Security 5145, Windows Event Log Security 5140	T1135	TTP	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Windows Impair Defense Disable Controlled Folder Access	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer	2026-05-13
Windows MSIExec DLLRegisterServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Water Gamayun, Windows System Binary Proxy Execution MSIExec	2026-05-13
Windows ESX Admins Group Creation Security Event	Windows Event Log Security 4737, Windows Event Log Security 4730, Windows Event Log Security 4727	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Windows TeamCity Payload Execution from Temp Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1190 T1505.003	TTP	JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities	2026-05-13
Linux Obfuscated Files or Information Base64 Decode	Sysmon for Linux EventID 1	T1027	Anomaly	Linux Living Off The Land	2026-05-13
Linux Sudo OR Su Execution	Sysmon for Linux EventID 1	T1548.003	Hunting	Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Screen Capture in TEMP folder	Sysmon EventID 11	T1113	TTP	StealC Stealer, Braodo Stealer, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Crypto Stealer, VIP Keylogger	2026-05-13
Windows Rundll32 with Non-Standard File Extension	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Anomaly	Gh0st RAT, Living Off The Land, Suspicious Rundll32 Activity	2026-05-13
Windows AD Privileged Object Access Activity	Windows Event Log Security 4662	T1087.002	TTP	BlackSuit Ransomware, Active Directory Discovery	2026-05-13
Windows Defender ASR or Threat Configuration Tamper	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Windows Defense Evasion Tactics	2026-05-13
Linux Auditd Base64 Decode Files	Linux Auditd Execve	T1140	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux RPM Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
PowerShell Invoke WmiExec Usage	Powershell Script Block Logging 4104	T1047	TTP	Scattered Lapsus$ Hunters, Suspicious WMI Use	2026-05-13
Crowdstrike Medium Severity Alert		T1110	Anomaly	Compromised Windows Host	2026-05-13
Windows Level RMM PowerShell Script Installer	Powershell Script Block Logging 4104	T1219	Anomaly	Remote Monitoring and Management Software	2026-05-13
Detect Empire with PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1059.001	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware	2026-05-13
ICACLS Grant Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse, Crypto Stealer, Ransomware, XMRig	2026-05-13
Windows Crowdstrike RTR Script Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.001	Anomaly	Living Off The Land, Malicious PowerShell, Suspicious MSHTA Activity, Cobalt Strike	2026-05-13
Powershell Load Module in Meterpreter	Powershell Script Block Logging 4104	T1059.001	TTP	MetaSploit	2026-05-13
Windows Chromium Process Launched with Logging Disabled	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Browser Hijacking	2026-05-13
Disable Windows App Hotkeys	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, XMRig	2026-05-13
GetWmiObject Ds Group with PowerShell Script Block	Powershell Script Block Logging 4104	T1069.002	TTP	Active Directory Discovery	2026-05-13
Windows Explorer.exe Spawning PowerShell or Cmd	Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1204.002	Hunting	ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day	2026-05-13
Suspicious Rundll32 StartW	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Trickbot, Suspicious Rundll32 Activity, BlackByte Ransomware	2026-05-13
Windows Binary Execution from an Archive	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1204.002	Anomaly	Spearphishing Attachments	2026-05-13
Linux Visudo Utility Execution	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows PowerView Kerberos Service Ticket Request	Powershell Script Block Logging 4104	T1558.003	TTP	Rhysida Ransomware, Active Directory Kerberos Attacks	2026-05-13
Clop Ransomware Known Service Name	Windows Event Log System 7045	T1543	TTP	Compromised Windows Host, Clop Ransomware	2026-05-13
System User Discovery With Whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	PHP-CGI RCE Attack on Japanese Organizations, Qakbot, Active Directory Discovery, CISA AA23-347A, Rhysida Ransomware, Winter Vivern, LAMEHUG, Lotus Blossom Chrysalis Backdoor	2026-05-13
Windows Odbcconf Load Response File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	TTP	Living Off The Land	2026-05-13
Windows Impair Defense Disable Win Defender Signature Retirement	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
Windows Audit Policy Auditing Option Disabled via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	TTP	Windows Audit Policy Tampering	2026-05-13
Windows AD Suspicious Attribute Modification	Windows Event Log Security 5136	T1222.001 T1550	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Spoolsv Writing a DLL - Sysmon	Sysmon EventID 11	T1547.012	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2026-05-13
Execute Javascript With Jscript COM CLSID	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.005	TTP	Ransomware	2026-05-13
Linux Possible Access Or Modification Of sshd Config File	Sysmon for Linux EventID 1	T1098.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Define Win Defender Threat Action	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows IOBit Unlocker Extension DLL Registration via Regsvr32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Compromised Windows Host	2026-05-13
Windows Modify Registry Do Not Connect To Win Update	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Windows DnsAdmins New Member Added	Windows Event Log Security 4732	T1098	TTP	Active Directory Privilege Escalation	2026-05-13
Windows Drivers Loaded by Signature	Sysmon EventID 6	T1014 T1068	Hunting	CISA AA22-320A, Windows Drivers, AgentTesla, BlackByte Ransomware	2026-05-13
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download	Cisco Network Visibility Module Flow Data	T1218.005	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Disabling SystemRestore In Registry	Sysmon EventID 13	T1490	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, NjRAT	2026-05-13
Windows Proxy Execution of .NET Utilities via Scripts	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	Anomaly	VIP Keylogger	2026-05-13
Windows Remote Access Software RMS Registry	Sysmon EventID 13	T1219	TTP	Azorult	2026-05-13
Windows Large Number of Computer Service Tickets Requested	Windows Event Log Security 4769	T1078 T1135	Anomaly	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Suspicious msbuild path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1127.001	TTP	Masquerading - Rename System Utilities, Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware	2026-05-13
Windows ConsoleHost History File Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.003	Anomaly	Medusa Ransomware	2026-05-13
Linux DD File Overwrite	Sysmon for Linux EventID 1	T1485	TTP	Industroyer2, Data Destruction	2026-05-13
Remote Process Instantiation via WMI and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement, Compromised Windows Host	2026-05-13
Windows Kerberos Coercion via DNS	Windows Event Log Security 5137, Windows Event Log Security 5136, Windows Event Log Security 4662	T1071.004 T1187 T1557.001	TTP	Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp	2026-05-13
Detect Regsvr32 Application Control Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Cobalt Strike, Suspicious Regsvr32 Activity, Living Off The Land, PHP-CGI RCE Attack on Japanese Organizations, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware	2026-05-13
Windows Entra User Management Via Azure CLI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1078.004 T1098 T1136	Anomaly	Azure Active Directory Persistence	2026-05-13
Windows DNS Query Request To TinyUrl	Sysmon EventID 22	T1105	Anomaly	Malicious Inno Setup Loader	2026-05-13
Wscript Or Cscript Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055 T1134.004 T1543	Anomaly	0bj3ctivity Stealer, Remcos, Axios Supply Chain Post Compromise, Data Destruction, NjRAT, XWorm, WhisperGate, FIN7, ShrinkLocker, Unusual Processes, MuddyWater, VIP Keylogger	2026-05-13
Windows Outlook Dialogs Disabled from Unusual Process	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, NotDoor Malware	2026-05-13
Common Ransomware Notes	Sysmon EventID 11	T1485	Hunting	Clop Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, SamSam Ransomware, Storm-0501 Ransomware, Black Basta Ransomware, Termite Ransomware, Chaos Ransomware, Rhysida Ransomware, Ryuk Ransomware, Interlock Ransomware, Ransomware, Medusa Ransomware, LockBit Ransomware	2026-05-13
Windows Hosts File Access	Windows Event Log Security 4663	T1012	Anomaly	Gh0st RAT, BlankGrabber Stealer	2026-05-13
Windows Exfiltration Over C2 Via Invoke RestMethod	Powershell Script Block Logging 4104	T1041	TTP	Microsoft WSUS CVE-2025-59287, Water Gamayun, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Winter Vivern	2026-05-13
Print Spooler Adding A Printer Driver	Windows Event Log Printservice 316	T1547.012	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2026-05-13
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Rundll32 Control RunDLL Hunt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Hunting	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity	2026-05-13
Windows Process Injection into Commonly Abused Processes	Sysmon EventID 10	T1055.002	Anomaly	Earth Alux, SAP NetWeaver Exploitation, BishopFox Sliver Adversary Emulation Framework, APT37 Rustonotto and FadeStealer	2026-05-13
Recon Using WMI Class	Powershell Script Block Logging 4104	T1059.001 T1592	Anomaly	Industroyer2, BlankGrabber Stealer, Quasar RAT, Axios Supply Chain Post Compromise, Data Destruction, VIP Keylogger, Qakbot, Malicious PowerShell, AsyncRAT, Malicious Inno Setup Loader, Scattered Spider, MoonPeak, Hermetic Wiper, LockBit Ransomware	2026-05-13
Domain Controller Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2026-05-13
Windows Domain Account Discovery Via Get-NetComputer	Powershell Script Block Logging 4104	T1087.002	Anomaly	CISA AA23-347A	2026-05-13
Windows Remote Assistance Spawning Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Unusual Processes, Compromised Windows Host	2026-05-13
Windows AD SID History Attribute Modified	Windows Event Log Security 5136	T1134.005	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Wmic Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Windows Steal or Forge Kerberos Tickets Klist	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1558	Hunting	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows SIP WinVerifyTrust Failed Trust Validation	Windows Event Log CAPI2 81	T1553.003	Anomaly	Subvert Trust Controls SIP and Trust Provider Hijacking	2026-05-13
Windows Modify Registry WuServer	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
Windows RDP Bitmap Cache File Creation	Sysmon EventID 11	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Chromium process Launched with Disable Popup Blocking	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Browser Hijacking	2026-05-13
Windows WSUS Spawning Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190 T1505.003	TTP	Microsoft WSUS CVE-2025-59287	2026-05-13
Windows Service Created with Suspicious Service Name	Windows Event Log System 7045	T1569.002	Anomaly	Snake Malware, Active Directory Lateral Movement, Clop Ransomware, Gh0st RAT, Flax Typhoon, Qakbot, CISA AA23-347A, Brute Ratel C4, Tuoni, PlugX	2026-05-13
Windows Credentials from Web Browsers Saved in TEMP Folder	Sysmon EventID 11	T1555.003	TTP	Scattered Lapsus$ Hunters, Braodo Stealer	2026-05-13
Windows Process With NamedPipe CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Windows Defense Evasion Tactics	2026-05-13
Malicious Powershell Executed As A Service	Windows Event Log System 7045	T1569.002	TTP	Malicious PowerShell, Compromised Windows Host, Rhysida Ransomware	2026-05-13
CMD Echo Pipe - Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003 T1543.003	TTP	Graceful Wipe Out Attack, BlackByte Ransomware, Compromised Windows Host, Cobalt Strike	2026-05-13
User Discovery With Env Vars PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2026-05-13
Linux PHP Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Cisco Isovalent - Non Allowlisted Image Use	Cisco Isovalent Process Exec	T1204.003	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Windows BitLockerToGo with Network Activity	Sysmon EventID 22	T1218	Hunting	Lumma Stealer, Hellcat Ransomware	2026-05-13
Disable Defender BlockAtFirstSeen Feature	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Azorult, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, IcedID	2026-05-13
Linux Account Manipulation Of SSH Config and Keys	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	Hellcat Ransomware, AcidRain	2026-05-13
Windows Proxy Via Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090.001	Anomaly	Volt Typhoon	2026-05-13
Windows SqlWriter SQLDumper DLL Sideload	Sysmon EventID 7	T1574.001	TTP	APT29 Diplomatic Deceptions with WINELOADER	2026-05-13
Windows GrimResource - MMC Process Accessing APDS DLL	Windows Event Log Security 4663	T1059.007 T1218.014	TTP	Compromised Windows Host	2026-05-13
MacOS - Re-opened Applications	Sysmon EventID 1	N/A	TTP	ColdRoot MacOS RAT	2026-05-13
Suspicious Scheduled Task from Public Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	Anomaly	Scheduled Tasks, Windows Persistence Techniques, China-Nexus Threat Activity, Salt Typhoon, DarkCrystal RAT, MoonPeak, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Azorult, Quasar RAT, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, APT37 Rustonotto and FadeStealer, Scattered Spider, Medusa Ransomware, CISA AA23-347A, CISA AA24-241A, Ryuk Ransomware, Crypto Stealer, Ransomware, Lokibot	2026-05-13
MOVEit Empty Key Fingerprint Authentication Attempt		T1190	Hunting	Hellcat Ransomware, MOVEit Transfer Authentication Bypass	2026-05-13
Processes Tapping Keyboard Events	Osquery Results	N/A	TTP	ColdRoot MacOS RAT, APT37 Rustonotto and FadeStealer	2026-05-13
Powershell Execute COM Object	Powershell Script Block Logging 4104	T1059.001 T1546.015	TTP	Hermetic Wiper, Malicious PowerShell, Ransomware, Data Destruction	2026-05-13
Linux Auditd Possible Access To Credential Files	Linux Auditd Proctitle	T1003.008	Anomaly	Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Unload Sysmon Filter Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	CISA AA23-347A, Disabling Security Tools	2026-05-13
WSReset UAC Bypass	Sysmon EventID 13, Sysmon EventID 12	T1548.002	TTP	Living Off The Land, Windows Defense Evasion Tactics, Windows Registry Abuse, MoonPeak	2026-05-13
Windows RMM Tool Execution	Sysmon EventID 1	T1219	Anomaly	Remote Monitoring and Management Software, NetSupport RMM Tool Abuse, Suspicious User Agents	2026-05-13
Elevated Group Discovery with PowerView	Powershell Script Block Logging 4104	T1069.002	Hunting	Active Directory Discovery	2026-05-13
Linux Doas Tool Execution	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Auto Admin Logon Registry Entry	Sysmon EventID 13	T1552.002	TTP	Windows Registry Abuse, BlackMatter Ransomware	2026-05-13
DSQuery Domain Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Compromised Windows Host, Active Directory Discovery, Domain Trust Discovery	2026-05-13
Windows Remote Management Execute Shell	Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	Anomaly	Crypto Stealer	2026-05-13
Windows Service Stop Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Hunting	Graceful Wipe Out Attack, Prestige Ransomware, Scattered Lapsus$ Hunters, Gh0st RAT	2026-05-13
System User Discovery With Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Medusa Ransomware, Active Directory Discovery	2026-05-13
Spoolsv Suspicious Process Access	Sysmon EventID 10	T1068	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2026-05-13
MS Exchange Mailbox Replication service writing Active Server Pages	Sysmon EventID 11, Sysmon EventID 1	T1133 T1190 T1505.003	TTP	ProxyShell, Ransomware, BlackByte Ransomware	2026-05-13
Curl Execution with Percent Encoded URL	Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027 T1105	Anomaly	Living Off The Land, Ingress Tool Transfer, Compromised Windows Host	2026-05-13
Windows Command and Scripting Interpreter Path Traversal Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Windows Defense Evasion Tactics, Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	2026-05-13
Detect Rundll32 Inline HTA Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Living Off The Land, Suspicious MSHTA Activity, NOBELIUM Group, APT37 Rustonotto and FadeStealer	2026-05-13
Mailsniper Invoke functions	Powershell Script Block Logging 4104	T1114.001	TTP	Data Exfiltration	2026-05-13
Windows Modify Registry DisAllow Windows App	Sysmon EventID 13	T1112	TTP	Azorult	2026-05-13
Windows Net System Service Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1007	Hunting	Gh0st RAT, LAMEHUG	2026-05-13
SecretDumps Offline NTDS Dumping Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, Rhysida Ransomware, Credential Dumping	2026-05-13
Impacket Lateral Movement Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002 T1021.003 T1047 T1543.003	TTP	Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon	2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script	Powershell Script Block Logging 4104	T1021.007 T1069.003 T1078 T1098 T1136.003	Anomaly	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
GetWmiObject DS User with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows Unusual Intelliform Storage Registry Access	Windows Event Log Security 4663	T1552.001	Anomaly	Quasar RAT, Lokibot	2026-05-13
Windows Excessive Service Stop Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	Ransomware, BlackByte Ransomware, XMRig	2026-05-13
Windows Sensitive Group Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Anomaly	Microsoft WSUS CVE-2025-59287, Active Directory Discovery, Rhysida Ransomware, Volt Typhoon, BlackSuit Ransomware, IcedID	2026-05-13
Windows Office Product Spawned Child Process For Download	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	NjRAT, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, PlugX	2026-05-13
Powershell Enable SMB1Protocol Feature	Powershell Script Block Logging 4104	T1027.005	TTP	Hermetic Wiper, Malicious PowerShell, Ransomware, Data Destruction	2026-05-13
GetLocalUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Active Directory Discovery	2026-05-13
Suspicious microsoft workflow compiler usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127	TTP	Trusted Developer Utilities Proxy Execution, Living Off The Land	2026-05-13
Windows DLL Module Loaded in Temp Dir	Sysmon EventID 7	T1105	Hunting	Interlock Rat, SolarWinds WHD RCE Post Exploitation, Lokibot	2026-05-13
Windows Modify Registry EnableLinkedConnections	Sysmon EventID 13	T1112	TTP	BlackByte Ransomware	2026-05-13
Windows MSIX Package Interaction	Windows Event Log AppXPackaging 171	T1204.002	Hunting	MSIX Package Abuse	2026-05-13
Linux Auditd Preload Hijack Library Calls	Linux Auditd Execve	T1574.006	TTP	China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Unsigned MS DLL Side-Loading	Sysmon EventID 7	T1547 T1574.001	Anomaly	Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, Salt Typhoon, APT29 Diplomatic Deceptions with WINELOADER	2026-05-13
Kerberos Pre-Authentication Flag Disabled with PowerShell	Powershell Script Block Logging 4104	T1558.004	TTP	Active Directory Kerberos Attacks	2026-05-13
Linux Possible Append Command To Profile Config File	Sysmon for Linux EventID 1	T1546.004	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
MacOS Network Share Discovery	Osquery Results	T1135	Anomaly	MacOS Post-Exploitation	2026-05-13
Windows Impair Defense Override SmartScreen Prompt	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Impair Defense Overide Win Defender Phishing Filter	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Cisco Isovalent - Cron Job Creation	Cisco Isovalent Process Exec	T1053.003 T1053.007	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Child Processes of Spoolsv exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Hermetic Wiper, Data Destruction, Windows Privilege Escalation	2026-05-13
Windows System Script Proxy Execution Syncappvpublishingserver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1216 T1218	TTP	Living Off The Land	2026-05-13
Disabled Kerberos Pre-Authentication Discovery With PowerView	Powershell Script Block Logging 4104	T1558.004	TTP	Interlock Ransomware, Active Directory Kerberos Attacks	2026-05-13
Remote Process Instantiation via WinRM and Winrs	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Trickbot Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1055	TTP	Trickbot, Hellcat Ransomware	2026-05-13
Linux Busybox Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows New Custom Security Descriptor Set On EventLog Channel	Sysmon EventID 13	T1685.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware	2026-05-13
Windows System Network Config Discovery Display DNS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016	Anomaly	Prestige Ransomware, Medusa Ransomware, Water Gamayun, Windows Post-Exploitation	2026-05-13
Windows File and Directory Permissions Enable Inheritance	Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Hunting	NetSupport RMM Tool Abuse, Crypto Stealer	2026-05-13
Windows Impair Defense Delete Win Defender Context Menu	Sysmon EventID 13	T1685	Hunting	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Default RDP File Creation By Non MSTSC Process	Sysmon EventID 11, Sysmon EventID 1	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows AD Short Lived Domain Account ServicePrincipalName	Windows Event Log Security 5136	T1098	TTP	Interlock Ransomware, Sneaky Active Directory Persistence Tricks	2026-05-13
Detect New Local Admin account	Windows Event Log Security 4720, Windows Event Log Security 4732	T1136.001	TTP	HAFNIUM Group, CISA AA24-241A, DHS Report TA18-074A, CISA AA22-257A, Scattered Lapsus$ Hunters	2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	Hunting	Active Directory Discovery	2026-05-13
Windows Odbcconf Load DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	TTP	Living Off The Land	2026-05-13
Advanced IP or Port Scanner Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1046 T1135	Anomaly	Windows Defense Evasion Tactics	2026-05-13
Linux Auditd At Application Execution	Linux Auditd Syscall	T1053.002	Anomaly	Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Security Account Manager Stopped	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	Scattered Lapsus$ Hunters, Compromised Windows Host, Ryuk Ransomware	2026-05-13
Windows Impair Defenses Disable HVCI	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, BlackLotus Campaign, Windows Defense Evasion Tactics	2026-05-13
Cisco NVM - Susp Script From Archive Triggering Network Activity	Cisco Network Visibility Module Flow Data	T1059.005 T1204.002	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows Scheduled Task with Highest Privileges	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Quasar RAT, NetSupport RMM Tool Abuse, XWorm, RedLine Stealer, CISA AA23-347A, AsyncRAT, SolarWinds WHD RCE Post Exploitation, Compromised Windows Host, Castle RAT	2026-05-13
Windows InProcServer32 New Outlook Form	Sysmon EventID 13	T1112 T1566	Anomaly	Outlook RCE CVE-2024-21378	2026-05-13
Detect Regasm Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Handala Wiper, Living Off The Land, Void Manticore, Suspicious Regsvcs Regasm Activity, Compromised Windows Host, Snake Keylogger, DarkGate Malware	2026-05-13
Short Lived Scheduled Task	Windows Event Log Security 4698, Windows Event Log Security 4699	T1053.005	TTP	Scheduled Tasks, Active Directory Lateral Movement, CISA AA23-347A, Compromised Windows Host, CISA AA22-257A	2026-05-13
Windows AD Cross Domain SID History Addition	Windows Event Log Security 4742, Windows Event Log Security 4738	T1134.005	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Disabling Firewall with Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Windows Defense Evasion Tactics, BlackByte Ransomware	2026-05-13
Windows TOR Client Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090.003	Anomaly	Windows Post-Exploitation, Data Exfiltration, Data Protection, Compromised Windows Host, Command And Control	2026-05-13
GetNetTcpconnection with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Active Directory Discovery	2026-05-13
Windows Audit Policy Cleared via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	TTP	Windows Audit Policy Tampering	2026-05-13
Linux Cpulimit Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Compatibility Telemetry Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1546	TTP	Windows Persistence Techniques	2026-05-13
Linux Auditd Data Transfer Size Limits Via Split	Linux Auditd Execve	T1030	Anomaly	Hellcat Ransomware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Enable RDP In Other Port Number	Sysmon EventID 13	T1021	TTP	Windows Registry Abuse, Windows RDP Artifacts and Defense Evasion, Prohibited Traffic Allowed or Protocol Mismatch, Interlock Ransomware	2026-05-13
Linux Service File Created In Systemd Directory	Sysmon for Linux EventID 11	T1053.006	Anomaly	Scheduled Tasks, Gomir, China-Nexus Threat Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows AutoIt3 Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Handala Wiper, Void Manticore, DarkGate Malware, Crypto Stealer	2026-05-13
Windows Diskshadow Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	TTP	Living Off The Land	2026-05-13
Windows PowerShell FakeCAPTCHA Clipboard Execution	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1059.003 T1204.001	TTP	Cisco Network Visibility Module Analytics, Fake CAPTCHA Campaigns, NetSupport RMM Tool Abuse, Interlock Ransomware, Scattered Lapsus$ Hunters	2026-05-13
Linux Auditd Sysmon Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Office Product Spawned Rundll32 With No DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Prestige Ransomware, Graceful Wipe Out Attack, Spearphishing Attachments, Compromised Windows Host, Crypto Stealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability	2026-05-13
Domain Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Hunting	Active Directory Discovery	2026-05-13
Windows Admon Default Group Policy Object Modified	Windows Active Directory Admon	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Schtasks scheduling job on remote system	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, NOBELIUM Group, Active Directory Lateral Movement, Quasar RAT, Living Off The Land, Prestige Ransomware, RedLine Stealer, Phemedrone Stealer, Compromised Windows Host	2026-05-13
Windows PowerShell Export Certificate	Powershell Script Block Logging 4104	T1552.004 T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows MSIExec Spawn WinDBG	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	DarkGate Malware, Compromised Windows Host	2026-05-13
Windows Modify Registry Disable WinDefender Notifications	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, RedLine Stealer	2026-05-13
Cisco Isovalent - Shell Execution	Cisco Isovalent Process Exec	T1543	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Windows Suspicious VMWare Tools Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	ESXi Post Compromise, China-Nexus Threat Activity	2026-05-13
Windows AppX Deployment Full Trust Package Installation	Windows Event Log AppXDeployment-Server 400	T1204.002 T1553.005	Hunting	MSIX Package Abuse	2026-05-13
Outbound Network Connection from Java Using Default Ports	Sysmon EventID 1, Sysmon EventID 3	T1133 T1190	TTP	Log4Shell CVE-2021-44228	2026-05-13
Windows Powershell RemoteSigned File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	Anomaly	Amadey	2026-05-13
Detect Rare Executables	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	Anomaly	China-Nexus Threat Activity, SnappyBee, Salt Typhoon, Rhysida Ransomware, Crypto Stealer, Unusual Processes	2026-05-13
Potential password in username	Linux Secure	T1078.003 T1552.001	Hunting	Insider Threat, Credential Dumping	2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port	Cisco Network Visibility Module Flow Data	T1571	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
MacOS AMOS Stealer - Virtual Machine Check Activity	Osquery Results	T1059.002	Anomaly	Hellcat Ransomware, AMOS Stealer	2026-05-13
Linux Service Started Or Enabled	Sysmon for Linux EventID 1	T1053.006	Anomaly	Scheduled Tasks, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
SLUI Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host	2026-05-13
Linux Docker Root Directory Mount	Sysmon for Linux EventID 1	T1611	TTP	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Hardware Addition Swapoff	Linux Auditd Execve	T1200	Anomaly	Scattered Lapsus$ Hunters, Data Destruction, Compromised Linux Host, AwfulShred	2026-05-13
Windows Impair Defense Delete Win Defender Profile Registry	Sysmon EventID 13	T1685	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows AD Object Owner Updated	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Services Escalate Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548	TTP	Cobalt Strike, Graceful Wipe Out Attack, CISA AA23-347A, Compromised Windows Host, BlackByte Ransomware	2026-05-13
Linux Auditd Shred Overwrite Command	Linux Auditd Proctitle	T1485	TTP	Industroyer2, AwfulShred, Data Destruction, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Creation of Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Volt Typhoon, Credential Dumping, Compromised Windows Host	2026-05-13
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File	Linux Auditd Cwd, Linux Auditd Path	T1053.003	Hunting	Scheduled Tasks, XorDDos, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Office Product Spawned Control	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host	2026-05-13
Windows Wmic CPU Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Windows OneDrive Share Mounted via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1567.002	Anomaly	Data Exfiltration	2026-05-13
Windows Registry Entries Exported Via Reg	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1012	Hunting	CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Detect Remote Access Software Usage Registry	Sysmon EventID 13	T1219	Anomaly	Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, Scattered Spider, Scattered Lapsus$ Hunters, Cactus Ransomware, Command And Control, Insider Threat, Ransomware, Seashell Blizzard	2026-05-13
Linux Edit Cron Table Parameter	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Non Discord App Access Discord LevelDB	Windows Event Log Security 4663	T1012	Anomaly	Snake Keylogger, PXA Stealer, BlankGrabber Stealer, StealC Stealer	2026-05-13
Windows AppCertDLL Modification Via Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.009	Anomaly	Windows Privilege Escalation, Windows Persistence Techniques	2026-05-13
Kerberos Service Ticket Request Using RC4 Encryption	Windows Event Log Security 4769	T1558.001	TTP	Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Kerberos Attacks	2026-05-13
Print Spooler Failed to Load a Plug-in	Windows Event Log Printservice 808, Windows Event Log Printservice 4909	T1547.012	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2026-05-13
Windows Chrome Auto-Update Disabled via Registry	Sysmon EventID 13	T1185	Anomaly	Browser Hijacking	2026-05-13
WMI Permanent Event Subscription		T1047	TTP	Suspicious WMI Use	2026-05-13
Disable Defender Enhanced Notification	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Registry Abuse, IcedID, Azorult	2026-05-13
GetWmiObject User Account with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Winter Vivern, Water Gamayun, Active Directory Discovery	2026-05-13
PowerShell Get LocalGroup Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Windows Multiple NTLM Null Domain Authentications	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	TTP	Active Directory Password Spraying	2026-05-13
GetCurrent User with PowerShell Script Block	Powershell Script Block Logging 4104	T1033	Hunting	Active Directory Discovery	2026-05-13
Modify ACL permission To Files Or Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer	2026-05-13
Windows PowerShell ScheduleTask	Powershell Script Block Logging 4104	T1053.005 T1059.001	Anomaly	Scattered Spider, Scheduled Tasks	2026-05-13
Windows Global Object Access Audit List Cleared Via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	TTP	Windows Audit Policy Tampering	2026-05-13
Dump LSASS via procdump	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	HAFNIUM Group, Storm-2460 CLFS Zero Day Exploitation, Compromised Windows Host, CISA AA22-257A, Seashell Blizzard, Credential Dumping	2026-05-13
Windows Modify Registry to Add or Modify Firewall Rule	Sysmon EventID 13, Sysmon EventID 14	T1112	Anomaly	CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker	2026-05-13
BITSAdmin Download File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105 T1197	TTP	DarkSide Ransomware, Living Off The Land, Flax Typhoon, Hellcat Ransomware, Gozi Malware, Ingress Tool Transfer, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Scattered Spider, BITS Jobs	2026-05-13
Windows Account Discovery With NetUser PreauthNotRequire	Powershell Script Block Logging 4104	T1087	Hunting	CISA AA23-347A	2026-05-13
Windows SSH Proxy Command	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.001 T1105 T1572	Anomaly	Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day	2026-05-13
Windows Modify Registry DisableSecuritySettings	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, DarkGate Malware	2026-05-13
Windows System File on Disk	Sysmon EventID 11	T1068	Hunting	Windows Drivers, CISA AA22-264A, Crypto Stealer	2026-05-13
Detect SharpHound File Modifications	Sysmon EventID 11	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques, Ransomware, BlackSuit Ransomware	2026-05-13
Disable Show Hidden Files	Sysmon EventID 13	T1112 T1564.001 T1685	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult	2026-05-13
Windows Rundll32 Apply User Settings Changes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Anomaly	Rhysida Ransomware	2026-05-13
Possible Browser Pass View Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555.003	Hunting	Remcos	2026-05-13
Network Traffic to Active Directory Web Services Protocol	Sysmon EventID 3	T1069.001 T1069.002 T1087.001 T1087.002 T1482	Hunting	Windows Discovery Techniques	2026-05-13
Windows AD Domain Root ACL Deletion	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Vulnerable Driver Loaded	Sysmon EventID 6	T1543.003	Hunting	Windows Drivers, Void Manticore, BlackByte Ransomware	2026-05-13
Modification Of Wallpaper	Sysmon EventID 13	T1491	TTP	ZOVWiper, Revil Ransomware, Black Basta Ransomware, Rhysida Ransomware, BlackMatter Ransomware, Windows Registry Abuse, Brute Ratel C4, Ransomware, LockBit Ransomware	2026-05-13
Windows SpeechRuntime COM Hijacking DLL Load	Sysmon EventID 7	T1021.003	TTP	Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Compromised Windows Host	2026-05-13
Windows System Time Discovery W32tm Delay	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1124	Anomaly	DarkCrystal RAT	2026-05-13
Linux Add User Account	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1136.001	Hunting	Cisco Isovalent Suspicious Activity, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Domain Controller Discovery with Nltest	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	NetSupport RMM Tool Abuse, Active Directory Discovery, CISA AA23-347A, Rhysida Ransomware, Medusa Ransomware, BlackSuit Ransomware	2026-05-13
Linux Telnet Authentication Bypass	Sysmon for Linux EventID 1	T1548	TTP	Telnetd CVE-2026-24061	2026-05-13
Windows HTTP Network Communication From MSIExec	Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3	T1218.007	Anomaly	Water Gamayun, Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Windows System Binary Proxy Execution MSIExec	2026-05-13
Cisco NVM - Suspicious Network Connection to IP Lookup Service API	Cisco Network Visibility Module Flow Data	T1016 T1590.005	Anomaly	Castle RAT, BlankGrabber Stealer, Cisco Network Visibility Module Analytics	2026-05-13
Linux Doas Conf File Creation	Sysmon for Linux EventID 11	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Filtering Platform Policy Added to Block EDR Process	Sysmon EventID 13	T1685	TTP	Security Solution Tampering, Disabling Security Tools	2026-05-13
Windows Office Product Loading VBE7 DLL	Sysmon EventID 7	T1566.001	Anomaly	AgentTesla, Remcos, PlugX, Qakbot, NjRAT, Azorult, Spearphishing Attachments, DarkCrystal RAT, Trickbot, MuddyWater, IcedID	2026-05-13
Windows PsTools Recon Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018 T1046 T1082	Anomaly	Compromised Windows Host	2026-05-13
Linux Auditd Doas Conf File Creation	Linux Auditd Cwd, Linux Auditd Path	T1548.003	TTP	Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation	2026-05-13
Windows Data Destruction Recursive Exec Files Deletion	Sysmon EventID 23, Sysmon EventID 26	T1485	TTP	Handala Wiper, Disk Wiper, Data Destruction, Void Manticore, Swift Slicer	2026-05-13
Windows Service Creation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	TTP	Active Directory Lateral Movement, China-Nexus Threat Activity, SnappyBee, CISA AA23-347A, Salt Typhoon	2026-05-13
Linux OpenVPN Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows PowerView SPN Discovery	Powershell Script Block Logging 4104	T1558.003	TTP	CISA AA23-347A, Interlock Ransomware, Rhysida Ransomware, Active Directory Kerberos Attacks	2026-05-13
Windows AD Domain Controller Promotion	Windows Event Log Security 4742	T1207	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Sdclt UAC Bypass	Sysmon EventID 13, Sysmon EventID 12	T1548.002	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Devtunnels Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090	Anomaly	Reverse Network Proxy	2026-05-13
Linux Deletion Of Cron Jobs	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	Data Destruction, AcidRain, AcidPour	2026-05-13
Windows RunMRU Command Execution	Sysmon EventID 13	T1202	Anomaly	Lumma Stealer, Fake CAPTCHA Campaigns	2026-05-13
Windows Office Product Loading Taskschd DLL	Sysmon EventID 7	T1566.001	Anomaly	Spearphishing Attachments	2026-05-13
GetCurrent User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2026-05-13
Powershell Get LocalGroup Discovery with Script Block Logging	Powershell Script Block Logging 4104	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Svchost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement	2026-05-13
Windows Terminating Lsass Process	Sysmon EventID 10	T1685	Anomaly	Scattered Lapsus$ Hunters, Data Destruction, Double Zero Destructor	2026-05-13
Windows Impair Defense Disable Win Defender App Guard	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
MacOS Hidden Files and Directories	Osquery Results	T1564.001	Anomaly	MacOS Persistence Techniques	2026-05-13
Windows COM Hijacking InprocServer32 Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.015	TTP	Living Off The Land, Compromised Windows Host	2026-05-13
Windows Impair Defense Disable Win Defender Report Infection	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows SQL Server Startup Procedure	Windows Event Log Application 17135	T1505.001	Anomaly	Hellcat Ransomware, SQL Server Abuse	2026-05-13
Windows Chrome Enable Extension Loading via Command-Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1185	Anomaly	Browser Hijacking	2026-05-13
LOLBAS With Network Traffic	Sysmon EventID 3	T1105 T1218 T1567	TTP	Water Gamayun, Fake CAPTCHA Campaigns, Living Off The Land, Hellcat Ransomware, NetSupport RMM Tool Abuse, Malicious Inno Setup Loader, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Account Discovery for Sam Account Name	Powershell Script Block Logging 4104	T1087	Anomaly	CISA AA23-347A	2026-05-13
Linux Possible Append Command To At Allow Config File	Sysmon for Linux EventID 1	T1053.002	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Disable Realtime Signature Delivery	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Hiding Files And Directories With Attrib exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	TTP	Windows Persistence Techniques, Malicious Inno Setup Loader, Compromised Windows Host, Crypto Stealer, Windows Defense Evasion Tactics, VIP Keylogger, Azorult	2026-05-13
Windows Command and Scripting Interpreter Hunting Path Traversal	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Hunting	Windows Defense Evasion Tactics, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	2026-05-13
Hide User Account From Sign-In Screen	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Azorult, Warzone RAT, XMRig	2026-05-13
Windows Modify Registry Disable Restricted Admin	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, GhostRedirector IIS Module and Rungan Backdoor, Medusa Ransomware	2026-05-13
Windows Audit Policy Restored via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Information Discovery Fsutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows User Disabled Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	XMRig	2026-05-13
Linux Possible Append Cronjob Entry on Existing Cronjob File	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Modify Registry ValleyRat PWN Reg Entry	Sysmon EventID 13	T1112	TTP	ValleyRAT	2026-05-13
Detect mshta inline hta execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Suspicious MSHTA Activity, BlankGrabber Stealer, Living Off The Land, XWorm, Gozi Malware, Compromised Windows Host, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Unusual Count Of Users Remotely Failed To Auth From Host	Windows Event Log Security 4625	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Suspicious React or Next.js Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.001 T1059.003 T1190	TTP	React2Shell	2026-05-13
Windows Query Registry Browser List Application	Windows Event Log Security 4663	T1012	Anomaly	Salt Typhoon, RedLine Stealer, China-Nexus Threat Activity, SnappyBee	2026-05-13
Excessive number of service control start as disabled	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Windows Defense Evasion Tactics	2026-05-13
Linux Auditd Whoami User Discovery	Linux Auditd Syscall	T1033	Anomaly	Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Detect Exchange Web Shell	Sysmon EventID 11	T1133 T1190 T1505.003	TTP	HAFNIUM Group, ProxyShell, GhostRedirector IIS Module and Rungan Backdoor, Compromised Windows Host, BlackByte Ransomware, CISA AA22-257A, Seashell Blizzard, ProxyNotShell	2026-05-13
Linux Node Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Mimikatz Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003	TTP	Flax Typhoon, CISA AA23-347A, Compromised Windows Host, Scattered Spider, Volt Typhoon, CISA AA22-320A, Sandworm Tools, Credential Dumping	2026-05-13
Enumerate Users Local Group Using Telegram	Windows Event Log Security 4798	T1087	TTP	Water Gamayun, Compromised Windows Host, XMRig	2026-05-13
Windows Audit Policy Excluded Category via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Driver Inventory		T1068	Hunting	Windows Drivers	2026-05-13
Suspicious Process Executed From Container File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.008 T1204.002	TTP	Remcos, Water Gamayun, Snake Keylogger, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Unusual Processes, Amadey	2026-05-13
Clop Common Exec Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Compromised Windows Host, Clop Ransomware	2026-05-13
WinEvent Scheduled Task Created to Spawn Shell	Windows Event Log Security 4698	T1053.005	TTP	0bj3ctivity Stealer, Scheduled Tasks, Winter Vivern, Windows Persistence Techniques, Windows Error Reporting Service Elevation of Privilege Vulnerability, Castle RAT, China-Nexus Threat Activity, Salt Typhoon, Compromised Windows Host, Ryuk Ransomware, CISA AA22-257A, Ransomware, Medusa Ransomware, SystemBC	2026-05-13
PowerShell Start-BitsTransfer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197	TTP	BITS Jobs, Gozi Malware	2026-05-13
AdsiSearcher Account Discovery	Powershell Script Block Logging 4104	T1087.002	TTP	Industroyer2, Data Destruction, Active Directory Discovery, CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
Excessive Usage of NSLOOKUP App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048	Anomaly	Command And Control, Suspicious DNS Traffic, Dynamic DNS, Data Exfiltration	2026-05-13
Windows Scheduled Task Created Via XML	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	Anomaly	Scheduled Tasks, CISA AA23-347A, Malicious Inno Setup Loader, MoonPeak, Winter Vivern, Lokibot	2026-05-13
Windows Cabinet File Extraction Via Expand	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Suspicious Child Process Spawned From WebServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.003	Anomaly	HAFNIUM Group, Microsoft WSUS CVE-2025-59287, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, SysAid On-Prem Software CVE-2023-47246 Vulnerability, CISA AA22-264A, Microsoft SharePoint Vulnerabilities, ProxyShell, GhostRedirector IIS Module and Rungan Backdoor, Compromised Windows Host, CISA AA22-257A, Medusa Ransomware, BlackByte Ransomware, WS FTP Server Critical Vulnerabilities, ProxyNotShell	2026-05-13
Cisco Isovalent - Access To Cloud Metadata Service	Cisco Isovalent Process Connect	T1552.005	Anomaly	Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows NirSoft Tool Bundle File Created	Sysmon EventID 11	T1588.002	Anomaly	Unusual Processes, Data Destruction, WhisperGate	2026-05-13
Windows Potential Cloudflared Tunnel Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1572	Anomaly	Reverse Network Proxy	2026-05-13
Network Share Discovery Via Dir Command	Windows Event Log Security 5140	T1135	Hunting	IcedID	2026-05-13
Set Default PowerShell Execution Policy To Unrestricted or Bypass	Sysmon EventID 13	T1059.001	TTP	HAFNIUM Group, Data Destruction, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, Hermetic Wiper, DarkGate Malware, Credential Dumping, SystemBC	2026-05-13
Notepad with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BishopFox Sliver Adversary Emulation Framework	2026-05-13
Detect Password Spray Attack Behavior On User	Windows Event Log Security 4625, Windows Event Log Security 4624	T1110.003	TTP	Compromised User Account, Crypto Stealer	2026-05-13
Active Directory Privilege Escalation Identified		T1484	Correlation	Active Directory Privilege Escalation	2026-05-13
Single Letter Process On Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002	TTP	DHS Report TA18-074A, Compromised Windows Host	2026-05-13
Linux Setuid Using Chmod Utility	Sysmon for Linux EventID 1	T1548.001	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Steal Authentication Certificates Export Certificate	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2026-05-13
Linux Composer Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Increase in User Modification Activity	Windows Event Log Security 4720	T1098 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Sdelete Application Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004 T1485	TTP	Scattered Spider, Masquerading - Rename System Utilities, Void Manticore	2026-05-13
Windows Downdate Registry Activity	Sysmon EventID 13, Sysmon EventID 12, Sysmon EventID 14	T1112 T1689	Anomaly	Windows Persistence Techniques	2026-05-13
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser	Powershell Script Block Logging 4104	T1558.004	TTP	CISA AA23-347A, Interlock Ransomware, BlackSuit Ransomware, Active Directory Kerberos Attacks	2026-05-13
Windows Disable Change Password Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Defense Evasion Tactics, Ransomware	2026-05-13
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM	Windows Event Log Security 4776	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows AD Self DACL Assignment	Windows Event Log Security 5136	T1098 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
NLTest Domain Trust Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Domain Trust Discovery, Qakbot, Active Directory Discovery, Storm-0501 Ransomware, Cleo File Transfer Software, Rhysida Ransomware, Ryuk Ransomware, Medusa Ransomware, IcedID	2026-05-13
Windows Executable in Loaded Modules	Sysmon EventID 7	T1129	TTP	NjRAT, Lokibot	2026-05-13
Windows Level RMM Watchdog Task Created	Windows Event Log Security 4698	T1053 T1219	Anomaly	Remote Monitoring and Management Software	2026-05-13
Linux Auditd Edit Cron Table Parameter	Linux Auditd Syscall	T1053.003	Anomaly	Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Excessive Usage Of Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	XMRig, Windows Post-Exploitation, Prestige Ransomware, Graceful Wipe Out Attack, Rhysida Ransomware, Ransomware, Azorult	2026-05-13
Linux Service Restarted	Sysmon for Linux EventID 1	T1053.006	Anomaly	Scheduled Tasks, AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
ConnectWise ScreenConnect Path Traversal Windows SACL	Windows Event Log Security 4663	T1190	TTP	Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities, Compromised Windows Host	2026-05-13
Linux Auditd Kernel Module Enumeration	Linux Auditd Syscall	T1014 T1082	Anomaly	Linux Rootkit, Compromised Linux Host, XorDDos	2026-05-13
Cisco NVM - Curl Execution With Insecure Flags	Cisco Network Visibility Module Flow Data	T1197	Anomaly	Microsoft WSUS CVE-2025-59287, PromptLock, Cisco Network Visibility Module Analytics	2026-05-13
Windows Odbcconf Hunting	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	Hunting	Living Off The Land	2026-05-13
Windows Mail Protocol In Non-Common Process Path	Sysmon EventID 3	T1071.003	Anomaly	AgentTesla	2026-05-13
Network Connection Discovery With Arp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Windows Post-Exploitation, Prestige Ransomware, Qakbot, Active Directory Discovery, Interlock Ransomware, Volt Typhoon, IcedID	2026-05-13
Windows Computer Account Created by Computer Account	Windows Event Log Security 4741	T1558	TTP	Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks	2026-05-13
Elevated Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	TTP	Active Directory Discovery	2026-05-13
Windows Cobalt Strike PowerShell Loader	Powershell Script Block Logging 4104	T1059.001 T1608	TTP	Cobalt Strike	2026-05-13
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos	Windows Event Log Security 4768	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon, Active Directory Kerberos Attacks	2026-05-13
Windows System User Discovery Via Quser	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer	2026-05-13
Windows File Without Extension In Critical Folder	Sysmon EventID 11	T1485	TTP	Hermetic Wiper, Data Destruction	2026-05-13
Windows Command Shell DCRat ForkBomb Payload	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.003	TTP	DarkCrystal RAT, Compromised Windows Host	2026-05-13
Creation of lsass Dump with Taskmgr	Sysmon EventID 11	T1003.001	TTP	Cactus Ransomware, CISA AA22-257A, Scattered Lapsus$ Hunters, Seashell Blizzard, Credential Dumping	2026-05-13
NET Profiler UAC bypass	Sysmon EventID 13	T1548.002	TTP	Windows Defense Evasion Tactics	2026-05-13
Excessive Attempt To Disable Services	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	Azorult, XMRig	2026-05-13
Disable UAC Remote Restriction	Sysmon EventID 13	T1548.002	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Suspicious Windows Registry Activities	2026-05-13
Windows Shell Process from CrushFTP	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1059.003 T1190 T1505	TTP	CrushFTP Vulnerabilities	2026-05-13
Windows Scheduled Task DLL Module Loaded	Sysmon EventID 7	T1053	TTP	ValleyRAT	2026-05-13
Windows Default Group Policy Object Modified with GPME	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Detect Renamed WinRAR	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Hunting	Salt Typhoon, Collection and Staging, China-Nexus Threat Activity, CISA AA22-277A	2026-05-13
Windows AD Dangerous User ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Get ADUserResultantPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Windows Impair Defense Disable Win Defender Scan On Update	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Excessive File Deletion In WinDefender Folder	Sysmon EventID 23, Sysmon EventID 26	T1485	TTP	BlackByte Ransomware, Data Destruction, WhisperGate	2026-05-13
WMIC XSL Execution via URL	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1220	TTP	Cisco Network Visibility Module Analytics, Compromised Windows Host, Suspicious WMI Use	2026-05-13
Windows AD DSRM Account Changes	Sysmon EventID 13	T1098	TTP	Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters, Windows Persistence Techniques	2026-05-13
Access LSASS Memory for Dump Creation	Sysmon EventID 10	T1003.001	TTP	CISA AA23-347A, Cactus Ransomware, Scattered Lapsus$ Hunters, Credential Dumping, Lokibot	2026-05-13
Detect Outlook exe writing a zip file	Sysmon EventID 11, Sysmon EventID 1	T1566.001	Anomaly	Meduza Stealer, Remcos, Spearphishing Attachments, PXA Stealer, APT37 Rustonotto and FadeStealer, Amadey	2026-05-13
Windows Disable Windows Event Logging Disable HTTP Logging	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.004 T1685.001	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, IIS Components, Compromised Windows Host	2026-05-13
Windows RDPClient Connection Sequence Events	Windows Event Log Microsoft Windows TerminalServices RDPClient 1024	T1133	Anomaly	Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments	2026-05-13
Linux Install Kernel Module Using Modprobe Utility	Sysmon for Linux EventID 1	T1547.006	Anomaly	China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr	Windows Event Log Security 4698	T1053	TTP	Water Gamayun, ValleyRAT	2026-05-13
Windows Multiple Invalid Users Failed To Authenticate Using NTLM	Windows Event Log Security 4776	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Modify Registry Regedit Silent Reg Import	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	Anomaly	Azorult	2026-05-13
Windows Credentials from Password Stores Chrome Extension Access	Windows Event Log Security 4663	T1012	Anomaly	0bj3ctivity Stealer, Meduza Stealer, BlankGrabber Stealer, Braodo Stealer, RedLine Stealer, CISA AA23-347A, Malicious Inno Setup Loader, Phemedrone Stealer, MoonPeak, StealC Stealer, DarkGate Malware, Amadey	2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script	Powershell Script Block Logging 4104	T1071.001 T1078 T1212 T1482	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
Windows Modify Registry With MD5 Reg Key Name	Sysmon EventID 13	T1112	TTP	NjRAT	2026-05-13
7zip CommandLine To SMB Share Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Hunting	Ransomware	2026-05-13
Windows Process Execution From RDP Share	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1059 T1105	Anomaly	Hidden Cobra Malware	2026-05-13
Linux SSH Remote Services Script Execute	Sysmon for Linux EventID 1	T1021.004	TTP	Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware	2026-05-13
Linux Decode Base64 to Shell	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1027 T1059.004	TTP	Cisco Isovalent Suspicious Activity, Linux Living Off The Land	2026-05-13
Ping Sleep Batch Command	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1497.003	Anomaly	Meduza Stealer, Quasar RAT, Gh0st RAT, Data Destruction, Void Manticore, WhisperGate, Warzone RAT, BlackByte Ransomware	2026-05-13
Windows Known Abused DLL Created	Sysmon EventID 11	T1574.001	Anomaly	Living Off The Land, Windows Defense Evasion Tactics	2026-05-13
Malicious PowerShell Process - Encoded Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027	Hunting	Lumma Stealer, Microsoft WSUS CVE-2025-59287, NOBELIUM Group, Data Destruction, WhisperGate, Qakbot, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, DarkCrystal RAT, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor, Crypto Stealer, Hermetic Wiper, Volt Typhoon, CISA AA22-320A, Sandworm Tools, Microsoft SharePoint Vulnerabilities	2026-05-13
Recursive Delete of Directory In Batch CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004	TTP	Ransomware, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Event Triggered Image File Execution Options Injection	Windows Event Log Application 3000	T1546.012	Hunting	Windows Persistence Techniques	2026-05-13
Excessive Usage Of Taskkill	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	XMRig, AgentTesla, BlankGrabber Stealer, CISA AA22-264A, NjRAT, Crypto Stealer, CISA AA22-277A, Azorult	2026-05-13
Windows Credentials in Registry Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.002	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows AD Domain Replication ACL Addition	Windows Event Log Security 5136	T1484	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows Scheduled Task with Suspicious Command	Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	T1053.005	TTP	Scheduled Tasks, Windows Persistence Techniques, Quasar RAT, SolarWinds WHD RCE Post Exploitation, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard	2026-05-13
UAC Bypass MMC Load Unsigned Dll	Sysmon EventID 7	T1218.014 T1548.002	TTP	Windows Defense Evasion Tactics	2026-05-13
Windows Increase in Group or Object Modification Activity	Windows Event Log Security 4663	T1098 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Linux Ingress Tool Transfer Hunting	Sysmon for Linux EventID 1	T1105	Hunting	Axios Supply Chain Post Compromise, NPM Supply Chain Compromise, XorDDos, Ingress Tool Transfer, Linux Living Off The Land	2026-05-13
Linux Auditd Find Ssh Private Keys	Linux Auditd Execve	T1552.004	Anomaly	Hellcat Ransomware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Firewall Rule Deletion	Windows Event Log Security 4948	T1686	Anomaly	NetSupport RMM Tool Abuse, ShrinkLocker, Medusa Ransomware	2026-05-13
Linux Auditd Disable Or Modify System Firewall	Linux Auditd Service Stop	T1686	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Doas Tool Execution	Linux Auditd Syscall	T1548.003	Anomaly	Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation	2026-05-13
Windows Kerberos Local Successful Logon	Windows Event Log Security 4624	T1558	TTP	Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2026-05-13
Windows Replication Through Removable Media	Sysmon EventID 11	T1091	TTP	NjRAT, Derusbi, China-Nexus Threat Activity, Salt Typhoon, Chaos Ransomware, APT37 Rustonotto and FadeStealer, PlugX	2026-05-13
Process Creating LNK file in Suspicious Location	Sysmon EventID 11	T1566.002	Anomaly	BlankGrabber Stealer, Gozi Malware, Qakbot, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, Amadey, IcedID	2026-05-13
Linux Csvtool Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Cisco Secure Endpoint Unblock File Via Sfc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Windows Vulnerable 3CX Software	Sysmon EventID 1	T1195.002	TTP	3CX Supply Chain Attack	2026-05-13
Rubeus Kerberos Ticket Exports Through Winlogon Access	Sysmon EventID 10	T1550.003	TTP	ZOVWiper, CISA AA23-347A, Scattered Lapsus$ Hunters, BlackSuit Ransomware, Active Directory Kerberos Attacks	2026-05-13
Web Servers Executing Suspicious Processes	Sysmon EventID 1	T1082	TTP	Apache Struts Vulnerability	2026-05-13
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Windows Defender ASR Audit Events	Windows Event Log Defender 1126, Windows Event Log Defender 1125, Windows Event Log Defender 1122, Windows Event Log Defender 1134, Windows Event Log Defender 1132	T1059 T1566.001 T1566.002	Anomaly	Windows Attack Surface Reduction	2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1218 T1553.005	TTP	MSIX Package Abuse	2026-05-13
Linux NOPASSWD Entry In Sudoers File	Sysmon for Linux EventID 1	T1548.003	Anomaly	Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity	2026-05-13
Detect Baron Samedit CVE-2021-3156 Segfault		T1068	TTP	Baron Samedit CVE-2021-3156	2026-05-13
Windows Service Create SliverC2	Windows Event Log System 7045	T1569.002	TTP	Hellcat Ransomware, Compromised Windows Host, BishopFox Sliver Adversary Emulation Framework	2026-05-13
Windows Event For Service Disabled	Windows Event Log System 7040	T1685	Hunting	Windows Defense Evasion Tactics, RedLine Stealer	2026-05-13
System Info Gathering Using Dxdiag Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1592	Hunting	Remcos	2026-05-13
Drop IcedID License dat	Sysmon EventID 11	T1204.002	Hunting	IcedID	2026-05-13
Eventvwr UAC Bypass	Sysmon EventID 13	T1548.002	TTP	Living Off The Land, ValleyRAT, Windows Registry Abuse, Windows Defense Evasion Tactics, IcedID	2026-05-13
Windows Suspicious File in EFI Volume	Sysmon EventID 11	T1490 T1542.001	TTP	BlackLotus Campaign, Windows BootKits, Sandworm Tools	2026-05-13
Windows SIP Provider Inventory		T1553.003	Hunting	Subvert Trust Controls SIP and Trust Provider Hijacking	2026-05-13
WMI Temporary Event Subscription		T1047	TTP	Suspicious WMI Use	2026-05-13
Windows Registry Payload Injection	Sysmon EventID 13	T1027.011	TTP	Unusual Processes	2026-05-13
Windows NetSupport RMM DLL Loaded By Uncommon Process	Sysmon EventID 7	T1036	Anomaly	NetSupport RMM Tool Abuse	2026-05-13
Windows Process Writing File to World Writable Path	Sysmon EventID 11	T1218.005	Hunting	PHP-CGI RCE Attack on Japanese Organizations, APT29 Diplomatic Deceptions with WINELOADER, PathWiper	2026-05-13
Windows Impair Defense Disable PUA Protection	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
Linux Auditd File Permissions Modification Via Chattr	Linux Auditd Execve	T1222.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows DLL Side-Loading In Calc	Sysmon EventID 7	T1574.001	TTP	Earth Alux, Qakbot	2026-05-13
Windows AD GPO Deleted	Windows Event Log Security 5136	T1484.001 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Default Rdp File Unhidden	Sysmon EventID 1	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Linux File Creation In Init Boot Directory	Sysmon for Linux EventID 11	T1037.004	Anomaly	Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Wermgr Process Spawned CMD Or Powershell Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Trickbot, Qakbot	2026-05-13
Linux Deletion Of Services	Sysmon for Linux EventID 11	T1070.004 T1485	TTP	Data Destruction, AcidRain, AcidPour, AwfulShred	2026-05-13
Windows Curl Upload to Remote Destination	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics, PromptLock, Axios Supply Chain Post Compromise, NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host	2026-05-13
Windows Shell or Script Execution From IIS Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1190 T1505.004	Anomaly	ProxyShell, ProxyNotShell	2026-05-13
Linux Persistence and Privilege Escalation Risk Behavior		T1548	Correlation	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Print Processor Registry Autostart	Sysmon EventID 13	T1547.012	TTP	Hermetic Wiper, Data Destruction, Windows Privilege Escalation, Windows Persistence Techniques	2026-05-13
CrowdStrike Falcon Stream Alerts	CrowdStrike Falcon Stream Alert	N/A	Anomaly	Critical Alerts	2026-05-13
Linux Octave Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Disable Internet Explorer Addons	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1176.001	Anomaly	Malicious Inno Setup Loader	2026-05-13
Disable ETW Through Registry	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Registry Abuse, Ransomware	2026-05-13
Windows Modify Registry No Auto Update	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, RedLine Stealer	2026-05-13
Windows XLL File Creation Outside of Typical Location	Sysmon EventID 11	T1059 T1129	Anomaly	Spearphishing Attachments	2026-05-13
Network Connection Discovery With Netstat	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Windows Post-Exploitation, Prestige Ransomware, Volt Typhoon, Active Directory Discovery, Qakbot, CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, PlugX	2026-05-13
Windows Office Product Dropped Cab or Inf File	Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, APT37 Rustonotto and FadeStealer	2026-05-13
Detect Password Spray Attack Behavior From Source	Windows Event Log Security 4625, Windows Event Log Security 4624	T1110.003	TTP	Compromised User Account	2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser	Cisco Network Visibility Module Flow Data	T1059 T1105	TTP	BlankGrabber Stealer, Cisco Network Visibility Module Analytics	2026-05-13
Detect Regsvcs Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Living Off The Land, Suspicious Regsvcs Regasm Activity, Compromised Windows Host	2026-05-13
Winhlp32 Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Remcos, Compromised Windows Host	2026-05-13
Get DomainPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	TTP	Active Directory Discovery	2026-05-13
Crowdstrike Admin With Duplicate Password		T1110	TTP	Compromised Windows Host	2026-05-13
SearchProtocolHost with no Command Line with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, BlackByte Ransomware	2026-05-13
Windows Local LLM Framework Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543	Hunting	Suspicious Local LLM Frameworks	2026-05-13
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574	Anomaly	Windows Persistence Techniques	2026-05-13
Windows Defender ASR Registry Modification	Windows Event Log Defender 5007	T1112	Hunting	Windows Attack Surface Reduction	2026-05-13
Windows Chrome Extension Allowed Registry Modification	Sysmon EventID 13	T1185	Anomaly	Browser Hijacking	2026-05-13
Windows Developer-Signed MSIX Package Installation	Windows Event Log AppXDeployment-Server 855	T1204.002 T1553.005	Anomaly	MSIX Package Abuse	2026-05-13
Get-DomainTrust with PowerShell Script Block	Powershell Script Block Logging 4104	T1482	TTP	Active Directory Discovery	2026-05-13
Linux Deletion of SSL Certificate	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	AcidRain, AcidPour	2026-05-13
Windows Get-AdComputer Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Medusa Ransomware, Active Directory Kerberos Attacks	2026-05-13
Windows SnappyBee Create Test Registry	Sysmon EventID 13	T1112	TTP	Salt Typhoon, China-Nexus Threat Activity, SnappyBee	2026-05-13
Kerberos Pre-Authentication Flag Disabled in UserAccountControl	Windows Event Log Security 4738	T1558.004	TTP	BlackSuit Ransomware, Active Directory Kerberos Attacks	2026-05-13
Windows LSA Secrets NoLMhash Registry	Sysmon EventID 13	T1003.004	TTP	CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
MacOS LOLbin	Osquery Results	T1059.004	TTP	Living Off The Land, Hellcat Ransomware, Axios Supply Chain Post Compromise	2026-05-13
Suspicious Kerberos Service Ticket Request	Windows Event Log Security 4769	T1078.002	TTP	sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks	2026-05-13
Get ADUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002	Hunting	CISA AA23-347A, Active Directory Discovery	2026-05-13
Linux Emacs Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Auditd Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Suspicious Regsvr32 Register Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Suspicious Regsvr32 Activity, Living Off The Land, Derusbi, Qakbot, Salt Typhoon, China-Nexus Threat Activity, IcedID	2026-05-13
Windows New InProcServer32 Added	Sysmon EventID 13	T1112	Hunting	Outlook RCE CVE-2024-21378, Hellcat Ransomware	2026-05-13
Windows Credentials from Password Stores Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	Anomaly	DarkGate Malware, Prestige Ransomware, NetSupport RMM Tool Abuse, Windows Post-Exploitation	2026-05-13
Windows AD Dangerous Group ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows UAC Bypass Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	Living Off The Land, Windows Defense Evasion Tactics, Castle RAT	2026-05-13
Detect Path Interception By Creation Of program exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.009	TTP	Scattered Lapsus$ Hunters, Windows Persistence Techniques	2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	Hunting	Active Directory Discovery	2026-05-13
Windows Execute Arbitrary Commands with MSDT	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	TTP	Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	2026-05-13
Detect Credential Dumping through LSASS access	Sysmon EventID 10	T1003.001	TTP	CISA AA23-347A, Detect Zerologon Attack, Scattered Lapsus$ Hunters, Credential Dumping, BlackSuit Ransomware, Lokibot	2026-05-13
Linux Auditd Setuid Using Setcap Utility	Linux Auditd Execve	T1548.001	TTP	Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation	2026-05-13
Windows RDP Server Registry Entry Created	Sysmon EventID 13	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Remote Create Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	Anomaly	CISA AA23-347A, Active Directory Lateral Movement, BlackSuit Ransomware	2026-05-13
Windows Guest Account Enabled Via Net.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1078.001	Anomaly	Windows Persistence Techniques	2026-05-13
File Download or Read to Pipe Execution	Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Log4Shell CVE-2021-44228, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, Compromised Windows Host	2026-05-13
Windows Known Abused DLL Loaded Suspiciously	Sysmon EventID 7	T1574.001	TTP	Living Off The Land, Windows Defense Evasion Tactics, SolarWinds WHD RCE Post Exploitation	2026-05-13
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos	Windows Event Log Security 4768	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon, Active Directory Kerberos Attacks	2026-05-13
Windows LAPS Password Gathering Via PowerShell Script	Powershell Script Block Logging 4104	T1003 T1552	Anomaly	Active Directory Privilege Escalation, Credential Dumping	2026-05-13
Windows Access Token Winlogon Duplicate Handle In Uncommon Path	Sysmon EventID 10	T1134.001	Anomaly	Brute Ratel C4, PathWiper	2026-05-13
Linux Make Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Database File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows PowerView AD Access Control List Enumeration	Powershell Script Block Logging 4104	T1069 T1078.002	TTP	Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware	2026-05-13
Windows RDP Client Launched with Admin Session	Sysmon EventID 1	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002 T1021.003 T1047 T1543.003	TTP	Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Graceful Wipe Out Attack, Compromised Windows Host, CISA AA22-277A, Volt Typhoon	2026-05-13
Windows Findstr GPP Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.006	TTP	Active Directory Privilege Escalation	2026-05-13
Detect Baron Samedit CVE-2021-3156 via OSQuery		T1068	TTP	Baron Samedit CVE-2021-3156	2026-05-13
Windows AD Same Domain SID History Addition	Windows Event Log Security 4742, Windows Event Log Security 4738	T1134.005	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques	2026-05-13
Recon AVProduct Through Pwh or WMI	Powershell Script Block Logging 4104	T1592	TTP	Windows Post-Exploitation, Quasar RAT, Prestige Ransomware, Data Destruction, XWorm, Qakbot, Malicious PowerShell, MoonPeak, Hermetic Wiper, Ransomware	2026-05-13
Windows Privileged Group Modification	Windows Event Log Security 4790, Windows Event Log Security 4759, Windows Event Log Security 4744, Windows Event Log Security 4731, Windows Event Log Security 4749, Windows Event Log Security 4756, Windows Event Log Security 4727, Windows Event Log Security 4783, Windows Event Log Security 4754	T1136.001 T1136.002	TTP	Scattered Lapsus$ Hunters, VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Process Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Suspicious WMI Use	2026-05-13
Windows System User Privilege Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	CISA AA23-347A	2026-05-13
Windows SubInAcl Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows File Share Discovery With Powerview	Powershell Script Block Logging 4104	T1135	TTP	Active Directory Privilege Escalation, Active Directory Discovery	2026-05-13
Linux Auditd Possible Access Or Modification Of Sshd Config File	Linux Auditd Cwd, Linux Auditd Path	T1098.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Change File Association Command To Notepad	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.001	TTP	Prestige Ransomware, Compromised Windows Host	2026-05-13
PetitPotam Suspicious Kerberos TGT Request	Windows Event Log Security 4768	T1003	TTP	PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks	2026-05-13
Windows MSExchange Management Mailbox Cmdlet Usage		T1059.001	Anomaly	Scattered Spider, ProxyShell, BlackByte Ransomware, ProxyNotShell	2026-05-13
Windows Linked Policies In ADSI Discovery	Powershell Script Block Logging 4104	T1087.002	Anomaly	Industroyer2, Data Destruction, Active Directory Discovery	2026-05-13
Windows Impair Defense Disable Win Defender Compute File Hashes	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Impair Defense Change Win Defender Quick Scan Interval	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Multiple Accounts Deleted	Windows Event Log Security 4726	T1078 T1098	TTP	Azure Active Directory Persistence	2026-05-13
Rubeus Command Line Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550.003 T1558.003 T1558.004	TTP	ZOVWiper, CISA AA23-347A, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, BlackSuit Ransomware, Active Directory Kerberos Attacks	2026-05-13
Disabling Defender Services	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, RedLine Stealer, IcedID	2026-05-13
Windows Time Based Evasion	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1497.003	TTP	BlankGrabber Stealer, NjRAT	2026-05-13
MacOS plutil	Osquery Results	T1647	TTP	Living Off The Land	2026-05-13
Windows System Binary Proxy Execution Compiled HTML File Decompile	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	Living Off The Land, Compromised Windows Host, Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer	2026-05-13
Windows PowerSploit GPP Discovery	Powershell Script Block Logging 4104	T1552.006	TTP	Active Directory Privilege Escalation	2026-05-13
Cisco NVM - Suspicious Network Connection From Process With No Args	Cisco Network Visibility Module Flow Data	T1055 T1218	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows Service Deletion In Registry	Sysmon EventID 13	T1489	Anomaly	Brute Ratel C4, Crypto Stealer, PlugX	2026-05-13
Windows Input Capture Using Credential UI Dll	Sysmon EventID 7	T1056.002	Hunting	Brute Ratel C4, APT37 Rustonotto and FadeStealer	2026-05-13
Get-ForestTrust with PowerShell Script Block	Powershell Script Block Logging 4104	T1059.001 T1482	TTP	Active Directory Discovery	2026-05-13
Windows Wmic Systeminfo Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG, BlankGrabber Stealer, Lotus Blossom Chrysalis Backdoor	2026-05-13
Linux Find Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Chromium Process with Disabled Extensions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Browser Hijacking	2026-05-13
Windows System Discovery Using ldap Nslookup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Anomaly	Qakbot	2026-05-13
Windows Modify Registry ProxyServer	Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2026-05-13
Linux Disable Services	Sysmon for Linux EventID 1	T1489	TTP	Industroyer2, Data Destruction, AwfulShred	2026-05-13
Windows IIS Components Add New Module	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.004	Anomaly	GhostRedirector IIS Module and Rungan Backdoor, IIS Components	2026-05-13
Unusually Long Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	N/A	Anomaly	Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Unusual Processes, Suspicious Command-Line Executions, Ransomware	2026-05-13
Windows .Key File Creation in Root Directory	Sysmon EventID 11	T1486	Anomaly	Ransomware	2026-05-13
Create or delete windows shares using net exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.005	TTP	Windows Post-Exploitation, Prestige Ransomware, CISA AA22-277A, Hidden Cobra Malware, DarkGate Malware	2026-05-13
Windows Registry Delete Task SD	Sysmon EventID 12	T1053.005 T1685	Anomaly	Windows Registry Abuse, Scheduled Tasks, Windows Persistence Techniques	2026-05-13
Excessive number of taskhost processes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	Meterpreter	2026-05-13
Conti Common Exec parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Ransomware, Hellcat Ransomware, Compromised Windows Host	2026-05-13
Windows Bluetooth Service Installed From Uncommon Location	Windows Event Log System 7045	T1036 T1543.003	Anomaly	Lotus Blossom Chrysalis Backdoor	2026-05-13
Get-DomainTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery	2026-05-13
Disable Registry Tool	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, NjRAT	2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002 T1021.003 T1047 T1543.003	TTP	Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon	2026-05-13
Windows Outlook LoadMacroProviderOnBoot Persistence	Sysmon EventID 13	T1112 T1137	TTP	Windows Registry Abuse, NotDoor Malware	2026-05-13
Linux Shred Overwrite Command	Sysmon for Linux EventID 1	T1485	TTP	Industroyer2, AwfulShred, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Disable Win Defender Network Protection	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters, BlankGrabber Stealer	2026-05-13
Detect Copy of ShadowCopy with Script Block Logging	Powershell Script Block Logging 4104	T1003.002	TTP	VanHelsing Ransomware, Credential Dumping	2026-05-13
Process Deleting Its Process File Path	Sysmon EventID 1	T1070	TTP	Remcos, Data Destruction, WhisperGate, Clop Ransomware	2026-05-13
Schtasks used for forcing a reboot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Ransomware, Windows Persistence Techniques	2026-05-13
Windows Exfiltration Over C2 Via Powershell UploadString	Powershell Script Block Logging 4104	T1041	TTP	Winter Vivern, APT37 Rustonotto and FadeStealer	2026-05-13
Windows PowerShell Script Block With Malicious String	Powershell Script Block Logging 4104	T1059.001	TTP	Malicious PowerShell	2026-05-13
Crowdstrike Admin Weak Password Policy		T1110	TTP	Compromised Windows Host	2026-05-13
Windows Outlook Macro Security Modified	Sysmon EventID 13	T1008 T1137	TTP	Windows Registry Abuse, NotDoor Malware	2026-05-13
Windows Routing and Remote Access Service Registry Key Change	Sysmon EventID 13	T1112	Anomaly	Gh0st RAT	2026-05-13
Windows Compatibility Telemetry Tampering Through Registry	Sysmon EventID 13	T1053.005 T1546	TTP	Windows Persistence Techniques	2026-05-13
Windows Steal Authentication Certificates Export PfxCertificate	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Remote Services Allow Rdp In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Azorult	2026-05-13
Rundll32 Create Remote Thread To A Process	Sysmon EventID 8	T1055	TTP	Living Off The Land, IcedID	2026-05-13
Windows Find Domain Organizational Units with GetDomainOU	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows Steal Authentication Certificates - ESC1 Authentication	Windows Event Log Security 4887, Windows Event Log Security 4768	T1550 T1649	TTP	Compromised Windows Host, Windows Certificate Services	2026-05-13
Windows Anonymous Pipe Activity	Sysmon EventID 17, Sysmon EventID 18	T1559	Hunting	China-Nexus Threat Activity, SnappyBee, Salt Typhoon, Interlock Rat, Castle RAT	2026-05-13
Linux Auditd Change File Owner To Root	Linux Auditd Proctitle	T1222.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Unusual NTLM Authentication Users By Destination	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Windows Find Interesting ACL with FindInterestingDomainAcl	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows Cached Domain Credentials Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.005	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Linux Auditd Sudo Or Su Execution	Linux Auditd Proctitle	T1548.003	Anomaly	Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation	2026-05-13
Exchange PowerShell Abuse via SSRF		T1133 T1190	TTP	ProxyShell, Seashell Blizzard, BlackByte Ransomware, ProxyNotShell	2026-05-13
Windows Unusual Count Of Users Failed To Authenticate From Process	Windows Event Log Security 4625	T1110.003	Anomaly	Insider Threat, Active Directory Password Spraying, Volt Typhoon	2026-05-13
Detect Prohibited Applications Spawning cmd exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Hunting	Suspicious MSHTA Activity, Suspicious Command-Line Executions, NOBELIUM Group, Suspicious Zoom Child Processes	2026-05-13
Windows Ldifde Directory Object Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002 T1105	TTP	Volt Typhoon	2026-05-13
Remote Process Instantiation via DCOM and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003	TTP	Active Directory Lateral Movement, Compromised Windows Host	2026-05-13
Windows Process Executed From Removable Media	Sysmon EventID 13, Sysmon EventID 1	T1025 T1091 T1200	Anomaly	APT37 Rustonotto and FadeStealer, Data Protection	2026-05-13
Windows Phishing Recent ISO Exec Registry	Sysmon EventID 13	T1566.001	Hunting	AgentTesla, Remcos, IcedID, Qakbot, Gozi Malware, Warzone RAT, Brute Ratel C4, Azorult	2026-05-13
MacOS LoginHook Persistence	Osquery Results	T1037.002	TTP	MacOS Post-Exploitation	2026-05-13
Disabling FolderOptions Windows Feature	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Rundll32 Load DLL in Temp Dir	Sysmon EventID 1	T1218.011	Anomaly	Interlock Rat	2026-05-13
Linux Impair Defenses Process Kill	Sysmon for Linux EventID 1	T1685	Hunting	Scattered Lapsus$ Hunters, Data Destruction, AwfulShred	2026-05-13
Remote System Discovery with Adsisearcher	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Linux Change File Owner To Root	Sysmon for Linux EventID 1	T1222.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux pkexec Privilege Escalation	Sysmon for Linux EventID 1	T1068	TTP	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Network Connection From Program In Suspect Location	Sysmon EventID 3	T1011	Anomaly	Compromised Windows Host	2026-05-13
Windows Powershell Import Applocker Policy	Powershell Script Block Logging 4104	T1059.001 T1685	TTP	Azorult	2026-05-13
Detect mshta renamed	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	Hunting	Living Off The Land, Suspicious MSHTA Activity, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Service Create Kernel Mode Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068 T1543.003	TTP	CISA AA22-320A, Windows Drivers	2026-05-13
Windows Remote Image Load	Sysmon EventID 7	T1059 T1068 T1129 T1203	Anomaly	Ransomware, BlackByte Ransomware, LockBit Ransomware	2026-05-13
Windows SQL Server Configuration Option Hunt	Windows Event Log Application 15457	T1505.001	Hunting	SQL Server Abuse	2026-05-13
Remote System Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2026-05-13
Windows Suspicious Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	TTP	DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware	2026-05-13
Remote System Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Linux Auditd Insert Kernel Module Using Insmod Utility	Linux Auditd Syscall	T1547.006	Anomaly	XorDDos, Linux Rootkit, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Mmc LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003 T1218.014	TTP	Living Off The Land, XML Runner Loader, Water Gamayun, Active Directory Lateral Movement	2026-05-13
Potential Telegram API Request Via CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1041 T1102.002	Anomaly	0bj3ctivity Stealer, Water Gamayun, BlankGrabber Stealer, Hellcat Ransomware, XMRig	2026-05-13
Wbemprox COM Object Execution	Sysmon EventID 7	T1218.003	TTP	Ransomware, LockBit Ransomware, Revil Ransomware	2026-05-13
Linux Common Process For Elevation Control	Sysmon for Linux EventID 1	T1548.001	Hunting	Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Indirect Command Execution Via pcalua	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1202	TTP	Living Off The Land	2026-05-13
Detect Computer Changed with Anonymous Account	Windows Event Log Security 4742	T1210	Hunting	Detect Zerologon Attack	2026-05-13
Windows SharePoint Spinstall0 Webshell File Creation	Sysmon EventID 11	T1190 T1505.003	TTP	Microsoft SharePoint Vulnerabilities	2026-05-13
Disable Schedule Task	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Living Off The Land, IcedID	2026-05-13
Linux Auditd Copy Fail Privilege Escalation	Linux Auditd Syscall	T1068	TTP	Linux Privilege Escalation	2026-05-13
Linux Indicator Removal Service File Deletion	Sysmon for Linux EventID 1	T1070.004	Anomaly	Data Destruction, AwfulShred	2026-05-13
GetWmiObject Ds Group with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Anomaly	Active Directory Discovery	2026-05-13
RunDLL Loading DLL By Ordinal	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, Unusual Processes, Suspicious Rundll32 Activity, IcedID	2026-05-13
Windows Credential Dumping LSASS Memory Createdump	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	Scattered Lapsus$ Hunters, Credential Dumping, Compromised Windows Host	2026-05-13
Windows Powershell Cryptography Namespace	Powershell Script Block Logging 4104	T1059.001	Anomaly	AsyncRAT, VIP Keylogger, XWorm	2026-05-13
Suspicious WAV file in Appdata Folder	Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	T1113	TTP	Remcos	2026-05-13
Randomly Generated Scheduled Task Name	Windows Event Log Security 4698	T1053.005	Hunting	0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement	2026-05-13
Linux Sudoers Tmp File Creation	Sysmon for Linux EventID 11	T1548.003	Anomaly	Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity	2026-05-13
WinRAR Spawning Shell Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831	2026-05-13
Windows Query Registry UnInstall Program List	Windows Event Log Security 4663	T1012	Anomaly	Meduza Stealer, RedLine Stealer, StealC Stealer	2026-05-13
Suspicious writes to windows Recycle Bin	Sysmon EventID 11, Sysmon EventID 1	T1036	TTP	Collection and Staging, PlugX	2026-05-13
Delete ShadowCopy With PowerShell	Powershell Script Block Logging 4104	T1490	TTP	DarkSide Ransomware, Revil Ransomware, Cactus Ransomware, VanHelsing Ransomware, Ransomware, DarkGate Malware	2026-05-13
Linux Adding Crontab Using List Parameter	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, Industroyer2, Data Destruction, Gomir, Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Modify Registry Qakbot Binary Data Registry	Sysmon EventID 13, Sysmon EventID 1	T1112	Anomaly	Qakbot	2026-05-13
Windows Get-Variable.EXE Execution from WindowsApps Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.008	Anomaly	Windows Persistence Techniques	2026-05-13
PowerShell WebRequest Using Memory Stream	Powershell Script Block Logging 4104	T1027.011 T1059.001 T1105	TTP	Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware, MoonPeak	2026-05-13
Windows Scheduled Task Created in a Group Policy Object	Windows Event Log Security 5145	T1053.005 T1484.001	TTP	Living Off The Land, Scheduled Tasks, Windows Persistence Techniques	2026-05-13
Windows Mshta Execution In Registry	Sysmon EventID 13	T1218.005	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques	2026-05-13
Windows Apache Benchmark Binary	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	MetaSploit	2026-05-13
Windows Registry Entries Restored Via Reg	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1012	Hunting	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows WinRAR Launched Outside Default Installation Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	BlankGrabber Stealer	2026-05-13
Windows AdFind Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	NOBELIUM Group, Domain Trust Discovery, Graceful Wipe Out Attack, BlackSuit Ransomware, IcedID	2026-05-13
Ntdsutil Export NTDS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	HAFNIUM Group, Living Off The Land, Prestige Ransomware, NetSupport RMM Tool Abuse, Rhysida Ransomware, Volt Typhoon, Credential Dumping	2026-05-13
Download Files Using Telegram	Sysmon EventID 15	T1105	TTP	0bj3ctivity Stealer, Water Gamayun, Phemedrone Stealer, Snake Keylogger, Crypto Stealer, XMRig	2026-05-13
LLM Model File Creation	Sysmon EventID 11	T1543	Hunting	Suspicious Local LLM Frameworks	2026-05-13
Windows Get Local Admin with FindLocalAdminAccess	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Linux Suspicious React or Next.js Child Process	Sysmon for Linux EventID 1	T1059.004 T1190	TTP	React2Shell	2026-05-13
Windows Process Injection into Notepad	Sysmon EventID 10	T1055.002	Anomaly	Earth Alux, BishopFox Sliver Adversary Emulation Framework, APT37 Rustonotto and FadeStealer	2026-05-13
Disabling ControlPanel	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Modify Registry AuthenticationLevelOverride	Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2026-05-13
Windows Network Connection Discovery Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery, Azorult	2026-05-13
Windows Files and Dirs Access Rights Modification Via Icacls	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, Amadey	2026-05-13
Powershell Fileless Process Injection via GetProcAddress	Powershell Script Block Logging 4104	T1055 T1059.001	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware	2026-05-13
Schtasks Run Task On Demand	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053	Anomaly	Scheduled Tasks, Industroyer2, Data Destruction, Qakbot, CISA AA22-257A, Medusa Ransomware, XMRig	2026-05-13
Linux Deletion Of Init Daemon Script	Sysmon for Linux EventID 11	T1070.004 T1485	TTP	Data Destruction, AcidRain, AcidPour	2026-05-13
Windows Unsigned DLL Side-Loading In Same Process Path	Sysmon EventID 7	T1574.001	TTP	NailaoLocker Ransomware, XWorm, China-Nexus Threat Activity, Derusbi, Salt Typhoon, SnappyBee, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, Lokibot, DarkGate Malware, PlugX	2026-05-13
Shim Database File Creation	Sysmon EventID 11	T1546.011	TTP	Windows Persistence Techniques	2026-05-13
Windows Security And Backup Services Stop	Windows Event Log System 7036	T1490	TTP	Hellcat Ransomware, Termite Ransomware, Scattered Lapsus$ Hunters, Compromised Windows Host, BlackMatter Ransomware, Ransomware, LockBit Ransomware	2026-05-13
Windows Mark Of The Web Bypass	Sysmon EventID 23	T1553.005	TTP	Quasar RAT, Warzone RAT	2026-05-13
Windows Potential AppDomainManager Hijack Artifacts Creation	Sysmon EventID 11	T1574.014	Anomaly	SesameOp	2026-05-13
Linux Puppet Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Setuid Using Chmod Utility	Linux Auditd Proctitle	T1548.001	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Domain Group Discovery With Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Linux Possible Access To Sudoers File	Sysmon for Linux EventID 1	T1548.003	Anomaly	Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity	2026-05-13
GetDomainController with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2026-05-13
Windows Service Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	TTP	CISA AA23-347A, Active Directory Lateral Movement	2026-05-13
Domain Account Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	TTP	Interlock Ransomware, Active Directory Discovery	2026-05-13
Windows Unsecured Outlook Credentials Access In Registry	Windows Event Log Security 4663	T1552	Anomaly	0bj3ctivity Stealer, Meduza Stealer, StealC Stealer, Snake Keylogger, VIP Keylogger, Lokibot	2026-05-13
Suspicious Rundll32 no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Cobalt Strike, PrintNightmare CVE-2021-34527, Hellcat Ransomware, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, BlackByte Ransomware	2026-05-13
Windows RDP Login Session Was Established	Windows Event Log Security 4624	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters	2026-05-13
Detect Regsvcs with Network Connection	Sysmon EventID 3	T1218.009	TTP	Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity	2026-05-13
Allow Inbound Traffic By Firewall Rule Registry	Sysmon EventID 13	T1021.001	TTP	Prohibited Traffic Allowed or Protocol Mismatch, NjRAT, Azorult, Windows Registry Abuse, Medusa Ransomware, PlugX	2026-05-13
Windows Disable Memory Crash Dump	Sysmon EventID 13	T1485	TTP	Windows Registry Abuse, Hermetic Wiper, Ransomware, Data Destruction	2026-05-13
Time Provider Persistence Registry	Sysmon EventID 13	T1547.003	TTP	Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse	2026-05-13
Domain Group Discovery with Adsisearcher	Powershell Script Block Logging 4104	T1069.002	TTP	Scattered Lapsus$ Hunters, Active Directory Discovery	2026-05-13
Windows Svchost.exe Parent Process Anomaly	Sysmon EventID 1, Windows Event Log Security 4688	T1036.009	Anomaly	China-Nexus Threat Activity, SnappyBee	2026-05-13
User Discovery With Env Vars PowerShell Script Block	Powershell Script Block Logging 4104	T1033	Hunting	Active Directory Discovery	2026-05-13
Windows DLL Side-Loading Process Child Of Calc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	Anomaly	Earth Alux, Qakbot	2026-05-13
Windows Regsvr32 Renamed Binary	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Compromised Windows Host, Qakbot	2026-05-13
PowerShell Enable PowerShell Remoting	Powershell Script Block Logging 4104	T1059.001	Anomaly	Malicious PowerShell	2026-05-13
Enable WDigest UseLogonCredential Registry	Sysmon EventID 13	T1003 T1112	TTP	Windows Registry Abuse, CISA AA22-320A, Credential Dumping	2026-05-13
Detect Renamed 7-Zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Hunting	Collection and Staging, Malicious Inno Setup Loader	2026-05-13
Jscript Execution Using Cscript App	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.007	TTP	FIN7, Remcos	2026-05-13
Windows Gdrive Binary Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1567	TTP	China-Nexus Threat Activity	2026-05-13
GetDomainComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2026-05-13
Windows System Reboot CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Hunting	MuddyWater, Quasar RAT, XWorm, NjRAT, DarkCrystal RAT, MoonPeak, Scattered Lapsus$ Hunters, DarkGate Malware	2026-05-13
Spoolsv Writing a DLL	Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	T1547.012	TTP	Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527	2026-05-13
Windows Enable PowerShell Web Access	Powershell Script Block Logging 4104	T1059.001	TTP	Malicious PowerShell, CISA AA24-241A	2026-05-13
WMI Recon Running Process Or Services	Powershell Script Block Logging 4104	T1592	Anomaly	Hermetic Wiper, Malicious PowerShell, Data Destruction	2026-05-13
Suspicious Rundll32 PluginInit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	IcedID	2026-05-13
Log4Shell CVE-2021-44228 Exploitation		T1059 T1105 T1133 T1190	Correlation	Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
Linux Auditd Preload Hijack Via Preload File	Linux Auditd Cwd, Linux Auditd Path	T1574.006	TTP	Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Registry Dotnet ETW Disabled Via ENV Variable	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Impair Defense Deny Security Software With Applocker	Sysmon EventID 13	T1685	TTP	Scattered Lapsus$ Hunters, Azorult	2026-05-13
Windows Sensitive Registry Hive Dump Via CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002	TTP	Industroyer2, DarkSide Ransomware, Data Destruction, CISA AA23-347A, Compromised Windows Host, Windows Registry Abuse, Volt Typhoon, CISA AA22-257A, Seashell Blizzard, Credential Dumping	2026-05-13
Windows Enable Win32 ScheduledJob via Registry	Sysmon EventID 13	T1053.005	Anomaly	Scheduled Tasks, Active Directory Lateral Movement	2026-05-13
Windows List ENV Variables Via SET Command From Uncommon Parent	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Qakbot	2026-05-13
Windows Disable LogOff Button Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Ransomware	2026-05-13
Windows WinLogon with Public Network Connection	Sysmon EventID 1, Sysmon EventID 3	T1542.003	Hunting	BlackLotus Campaign	2026-05-13
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos	Windows Event Log Security 4768	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon, Active Directory Kerberos Attacks	2026-05-13
Windows Special Privileged Logon On Multiple Hosts	Windows Event Log Security 4672	T1021.002 T1087 T1135	TTP	Active Directory Privilege Escalation, Active Directory Lateral Movement, Compromised Windows Host	2026-05-13
Windows File Download Via CertUtil	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Forest Blizzard, DarkSide Ransomware, Cisco Network Visibility Module Analytics, Living Off The Land, Flax Typhoon, Ingress Tool Transfer, Compromised Windows Host, CISA AA22-277A, ProxyNotShell	2026-05-13
Windows SQLCMD Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Hunting	GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse	2026-05-13
Windows Time Based Evasion via Choice Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497.003	Anomaly	0bj3ctivity Stealer, VIP Keylogger, Snake Keylogger	2026-05-13
WBAdmin Delete System Backups	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Storm-0501 Ransomware, Chaos Ransomware, Ryuk Ransomware, Ransomware	2026-05-13
CertUtil With Decode Argument	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1140	TTP	Forest Blizzard, Deobfuscate-Decode Files or Information, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, GhostRedirector IIS Module and Rungan Backdoor, APT29 Diplomatic Deceptions with WINELOADER	2026-05-13
Windows AD Hidden OU Creation	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Disable Lock Workstation Feature Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware	2026-05-13
Linux Possible Cronjob Modification With Editor	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows New Default File Association Value Set	Sysmon EventID 13	T1546.001	Hunting	Windows Persistence Techniques, Prestige Ransomware, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse	2026-05-13
Windows PowerShell Export PfxCertificate	Powershell Script Block Logging 4104	T1552.004 T1649	Anomaly	Scattered Lapsus$ Hunters, Water Gamayun, Windows Certificate Services	2026-05-13
Linux Auditd Unix Shell Configuration Modification	Linux Auditd Cwd, Linux Auditd Path	T1546.004	TTP	Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Detect HTML Help URL in Command Line	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	Cisco Network Visibility Module Analytics, Living Off The Land, Suspicious Compiled HTML Activity, Compromised Windows Host, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Scheduled Task with Suspicious Name	Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	T1053.005	TTP	0bj3ctivity Stealer, Scheduled Tasks, Windows Persistence Techniques, Castle RAT, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware	2026-05-13
Linux System Network Discovery	Sysmon for Linux EventID 1, Osquery Results	T1016	Anomaly	Industroyer2, Data Destruction, Network Discovery, VoidLink Cloud-Native Linux Malware	2026-05-13
Suspicious GPUpdate no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware, Cobalt Strike	2026-05-13
Windows AD Privileged Account SID History Addition	Windows Event Log Security 4742, Windows Event Log Security 4738	T1134.005	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows SpeechRuntime Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003	TTP	Active Directory Lateral Movement, Compromised Windows Host	2026-05-13
Crowdstrike Multiple LOW Severity Alerts		T1110	Anomaly	Compromised Windows Host	2026-05-13
Uninstall App Using MsiExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Ransomware	2026-05-13
Windows Curl Download to Suspicious Path	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Forest Blizzard, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer, NPM Supply Chain Compromise, China-Nexus Threat Activity, Salt Typhoon, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Compromised Windows Host, Black Basta Ransomware, IcedID	2026-05-13
Windows Impair Defense Change Win Defender Throttle Rate	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
ServicePrincipalNames Discovery with SetSPN	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1558.003	TTP	Active Directory Privilege Escalation, Compromised Windows Host, Active Directory Discovery, Active Directory Kerberos Attacks	2026-05-13
Windows Impair Defense Disable Defender Protocol Recognition	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
XMRIG Driver Loaded	Sysmon EventID 6	T1543.003	TTP	XMRig, CISA AA22-320A, Crypto Stealer	2026-05-13
Windows Wmic DiskDrive Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection	Cisco Network Visibility Module Flow Data	T1036 T1055	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows AD Replication Request Initiated by User Account	Windows Event Log Security 4624, Windows Event Log Security 4662	T1003.006	TTP	Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host	2026-05-13
Web or Application Server Spawning a Shell	Sysmon for Linux EventID 1, Sysmon EventID 1	T1133 T1190	TTP	Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability, ProxyShell, Cleo File Transfer Software, Hermetic Wiper, CISA AA22-257A, HAFNIUM Group, Microsoft WSUS CVE-2025-59287, GhostRedirector IIS Module and Rungan Backdoor, Spring4Shell CVE-2022-22965, ProxyNotShell, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, WS FTP Server Critical Vulnerabilities, Microsoft SharePoint Vulnerabilities, Flax Typhoon, Data Destruction, CISA AA22-264A, SAP NetWeaver Exploitation	2026-05-13
Windows Outlook WebView Registry Modification	Sysmon EventID 13	T1112	Anomaly	Suspicious Windows Registry Activities	2026-05-13
Windows AD ServicePrincipalName Added To Domain Account	Windows Event Log Security 5136	T1098	TTP	Interlock Ransomware, Sneaky Active Directory Persistence Tricks	2026-05-13
Linux Docker Shell Execution	Sysmon for Linux EventID 1	T1059.013	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Disable Defender Firewall And Network	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
Windows Privilege Escalation Attempt Via MSI Rollback	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Windows Privilege Escalation	2026-05-13
MOVEit Certificate Store Access Failure		T1190	Hunting	MOVEit Transfer Authentication Bypass	2026-05-13
Windows Archive Collected Data via Powershell	Powershell Script Block Logging 4104	T1560	Anomaly	CISA AA23-347A, APT37 Rustonotto and FadeStealer	2026-05-13
Windows PowerView Constrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	CISA AA23-347A, Rhysida Ransomware, Active Directory Kerberos Attacks	2026-05-13
Linux Auditd Kernel Module Using Rmmod Utility	Linux Auditd Syscall	T1547.006	TTP	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Auditd Daemon Shutdown	Linux Auditd Daemon End	T1685.004	Anomaly	Compromised Linux Host	2026-05-13
Unusual Number of Kerberos Service Tickets Requested	Windows Event Log Security 4769	T1558.003	Anomaly	Active Directory Kerberos Attacks	2026-05-13
Windows Cmdline Tool Execution From Non-Shell Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.007	Anomaly	DarkGate Malware, Water Gamayun, BlankGrabber Stealer, Gh0st RAT, Tuoni, Volt Typhoon, Qakbot, Gozi Malware, CISA AA23-347A, FIN7, SolarWinds WHD RCE Post Exploitation, Rhysida Ransomware, CISA AA22-277A, Medusa Ransomware	2026-05-13
Windows Office Product Spawned Uncommon Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	AgentTesla, Remcos, IcedID, NjRAT, PlugX, Qakbot, Warzone RAT, DarkCrystal RAT, FIN7, Spearphishing Attachments, Compromised Windows Host, Trickbot, APT37 Rustonotto and FadeStealer, CVE-2023-21716 Word RTF Heap Corruption, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Azorult	2026-05-13
Windows Domain Admin Impersonation Indicator	Windows Event Log Security 4627	T1558	TTP	Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware, Active Directory Kerberos Attacks	2026-05-13
Disabling Remote User Account Control	Sysmon EventID 13	T1548.002	TTP	Remcos, AgentTesla, Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult	2026-05-13
System Information Discovery Detection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	TTP	Windows Discovery Techniques, BlankGrabber Stealer, NetSupport RMM Tool Abuse, Gozi Malware, LAMEHUG, SolarWinds WHD RCE Post Exploitation, Cleo File Transfer Software, Interlock Ransomware, Medusa Ransomware, Lotus Blossom Chrysalis Backdoor, BlackSuit Ransomware	2026-05-13
GetDomainGroup with PowerShell Script Block	Powershell Script Block Logging 4104	T1069.002	TTP	Active Directory Discovery	2026-05-13
Windows PowerShell Invoke-RestMethod IP Information Collection	Powershell Script Block Logging 4104	T1016 T1059.001 T1082	Anomaly	Water Gamayun	2026-05-13
Windows EFI Bootloader File Modification	Sysmon EventID 11	T1542.003	TTP	Windows BootKits	2026-05-13
Windows Identify PowerShell Web Access IIS Pool	Windows Event Log Security 4648	T1190	Hunting	CISA AA24-241A	2026-05-13
Mimikatz PassTheTicket CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550.003	TTP	CISA AA23-347A, CISA AA22-320A, Scattered Lapsus$ Hunters, Sandworm Tools, Active Directory Kerberos Attacks	2026-05-13
Unloading AMSI via Reflection	Powershell Script Block Logging 4104	T1059.001 T1685	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction	2026-05-13
ConnectWise ScreenConnect Path Traversal	Sysmon EventID 11	T1190	TTP	Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities	2026-05-13
Windows Chromium Browser Launched with Small Window Size	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	TTP	Browser Hijacking	2026-05-13
Windows Steal Authentication Certificates CryptoAPI	Windows Event Log CAPI2 70	T1649	Anomaly	Hellcat Ransomware, Windows Certificate Services	2026-05-13
Windows DISM Install PowerShell Web Access	Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	CISA AA24-241A	2026-05-13
Rundll32 Shimcache Flush	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	TTP	Living Off The Land, Unusual Processes, Compromised Windows Host	2026-05-13
First Time Seen Running Windows Service	Windows Event Log System 7036	T1569.002	Anomaly	NOBELIUM Group, Windows Service Abuse, Orangeworm Attack Group	2026-05-13
Kerberos User Enumeration	Windows Event Log Security 4768	T1589.002	Anomaly	Active Directory Kerberos Attacks	2026-05-13
Windows BootLoader Inventory		T1542.001	Hunting	BlackLotus Campaign, Windows BootKits	2026-05-13
Excessive Usage Of SC Service Utility	Sysmon EventID 1	T1569.002	Anomaly	Crypto Stealer, Ransomware, Azorult	2026-05-13
Rundll32 with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1218.011	TTP	Cobalt Strike, PrintNightmare CVE-2021-34527, Graceful Wipe Out Attack, Compromised Windows Host, Suspicious Rundll32 Activity, Cactus Ransomware, BlackByte Ransomware, BlackSuit Ransomware	2026-05-13
Windows Cisco Secure Endpoint Related Service Stopped	Windows Event Log System 7036	T1490	Anomaly	Scattered Lapsus$ Hunters, Security Solution Tampering, Hellcat Ransomware	2026-05-13
Cisco NVM - Suspicious Network Connection Initiated via MsXsl	Cisco Network Visibility Module Flow Data	T1220	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows AppX Deployment Package Installation Success	Windows Event Log AppXDeployment-Server 854	T1204.002	Anomaly	MSIX Package Abuse	2026-05-13
Windows New EventLog ChannelAccess Registry Value Set	Sysmon EventID 13	T1685.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware	2026-05-13
Windows LOLBAS Executed As Renamed File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1218.011	TTP	Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics, Water Gamayun	2026-05-13
Windows Export Certificate	Windows Event Log CertificateServicesClient 1007	T1552.004 T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Snake Malware File Modification Crmlog	Sysmon EventID 11	T1027	TTP	Snake Malware	2026-05-13
Windows Modify Registry UpdateServiceUrlAlternate	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Windows WPDBusEnum Registry Key Modification	Sysmon EventID 13, Sysmon EventID 12	T1025 T1091 T1200	Anomaly	APT37 Rustonotto and FadeStealer, Data Protection	2026-05-13
Windows Unusual Process Load Mozilla NSS-Mozglue Module	Sysmon EventID 7	T1218.003	Anomaly	0bj3ctivity Stealer, Quasar RAT, StealC Stealer, VIP Keylogger, Lokibot	2026-05-13
DNS Exfiltration Using Nslookup App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048	TTP	Dynamic DNS, Data Exfiltration, Compromised Windows Host, Command And Control, Suspicious DNS Traffic	2026-05-13
Linux Auditd Data Destruction Command	Linux Auditd Proctitle	T1485	TTP	Data Destruction, Compromised Linux Host, AwfulShred	2026-05-13
Windows System Shutdown CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	ZOVWiper, MuddyWater, Quasar RAT, XWorm, Sandworm Tools, NjRAT, DarkCrystal RAT, MoonPeak, Scattered Lapsus$ Hunters, DarkGate Malware	2026-05-13
Windows Attempt To Stop Security Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Disabling Security Tools, Data Destruction, WhisperGate, Graceful Wipe Out Attack, Trickbot, Azorult	2026-05-13
Detect HTML Help Using InfoTech Storage Handlers	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	Living Off The Land, Compromised Windows Host, Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer	2026-05-13
Excessive distinct processes from Windows Temp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	Meterpreter	2026-05-13
Ransomware Notes bulk creation	Sysmon EventID 11	T1486	Anomaly	DarkSide Ransomware, Clop Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, Black Basta Ransomware, Termite Ransomware, Chaos Ransomware, Rhysida Ransomware, BlackMatter Ransomware, Cactus Ransomware, Interlock Ransomware, Medusa Ransomware, LockBit Ransomware	2026-05-13
Windows AD DCShadow Privileges ACL Addition	Windows Event Log Security 5136	T1207 T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows AD GPO Disabled	Windows Event Log Security 5136	T1484.001 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials	Windows Event Log Security 4648	T1110.003	TTP	Insider Threat, Active Directory Password Spraying, Volt Typhoon	2026-05-13
Services LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	TTP	Active Directory Lateral Movement, Living Off The Land, Hellcat Ransomware, Qakbot, CISA AA23-347A	2026-05-13
Windows AD Replication Request Initiated from Unsanctioned Location	Windows Event Log Security 4624, Windows Event Log Security 4662	T1003.006	TTP	Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host	2026-05-13
Windows AD Short Lived Domain Controller SPN Attribute	Windows Event Log Security 4624, Windows Event Log Security 5136	T1207	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows Defacement Modify Transcodedwallpaper File	Sysmon EventID 11, Sysmon EventID 1	T1491	Anomaly	Brute Ratel C4	2026-05-13
Linux Auditd Install Kernel Module Using Modprobe Utility	Linux Auditd Syscall	T1547.006	Anomaly	China-Nexus Threat Activity, Linux Rootkit, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Linux AWK Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Njrat Fileless Storage via Registry	Sysmon EventID 13	T1027.011	TTP	NjRAT	2026-05-13
Windows Modify Registry Risk Behavior		T1112	Correlation	Windows Registry Abuse	2026-05-13
Linux File Created In Kernel Driver Directory	Sysmon for Linux EventID 11	T1547.006	Anomaly	Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Get DomainUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Windows Hidden Schedule Task Settings	Windows Event Log Security 4698	T1053	TTP	Scheduled Tasks, Industroyer2, Data Destruction, Hellcat Ransomware, Active Directory Discovery, Malicious Inno Setup Loader, Compromised Windows Host, Cactus Ransomware, CISA AA22-257A	2026-05-13
Windows Binary Proxy Execution Mavinject DLL Injection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.013	TTP	Living Off The Land	2026-05-13
Windows System LogOff Commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	XWorm, DarkCrystal RAT, Scattered Lapsus$ Hunters, NjRAT	2026-05-13
Windows InstallUtil Uninstall Option	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.004	TTP	Living Off The Land, Signed Binary Proxy Execution InstallUtil, Compromised Windows Host	2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1542 T1688	Anomaly	Compromised Windows Host	2026-05-13
Detect Certify With PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1059.001 T1649	TTP	Malicious PowerShell, Windows Certificate Services	2026-05-13
Windows Non-System Account Targeting Lsass	Sysmon EventID 10	T1003.001	TTP	CISA AA23-347A, Scattered Lapsus$ Hunters, Credential Dumping, Lokibot	2026-05-13
Detect PsExec With accepteula Flag	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002	TTP	HAFNIUM Group, DarkGate Malware, Seashell Blizzard, Active Directory Lateral Movement, DarkSide Ransomware, Volt Typhoon, Sandworm Tools, SamSam Ransomware, Storm-0501 Ransomware, Rhysida Ransomware, Cactus Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, Medusa Ransomware, BlackByte Ransomware, IcedID	2026-05-13
Windows TeamCity Plugin Installed	Sysmon EventID 11	T1059 T1190 T1505.003	Anomaly	JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities	2026-05-13
Linux Auditd System Network Configuration Discovery	Linux Auditd Syscall	T1016	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Crowdstrike High Identity Risk Severity		T1110	TTP	Compromised Windows Host	2026-05-13
Windows Indirect Command Execution Via forfiles	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1202	TTP	Living Off The Land, Windows Post-Exploitation	2026-05-13
Windows MSIExec Unregister DLLRegisterServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2026-05-13
Windows Hunting System Account Targeting Lsass	Sysmon EventID 10	T1003.001	Hunting	CISA AA23-347A, Scattered Lapsus$ Hunters, Credential Dumping, Lokibot	2026-05-13
Revil Registry Entry	Sysmon EventID 13, Sysmon EventID 12	T1112	TTP	Windows Registry Abuse, Ransomware, Revil Ransomware	2026-05-13
Suspicious DLLHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware, Cobalt Strike	2026-05-13
GetAdGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Hunting	Active Directory Discovery	2026-05-13
Detect Remote Access Software Usage File	Sysmon EventID 11	T1219	Anomaly	Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard	2026-05-13
Windows Eventlog Cleared Via Wevtutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.005	Anomaly	Clop Ransomware, CISA AA23-347A, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, Ransomware	2026-05-13
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI	Cisco Network Visibility Module Flow Data	T1059.005 T1218.005	Anomaly	BlankGrabber Stealer, Cisco Network Visibility Module Analytics	2026-05-13
Windows User Execution Malicious URL Shortcut File	Sysmon EventID 11	T1204.002	Anomaly	Quasar RAT, APT37 Rustonotto and FadeStealer, XWorm, NjRAT, Chaos Ransomware, Snake Keylogger	2026-05-13
Linux File Creation In Profile Directory	Sysmon for Linux EventID 11	T1546.004	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Modify Registry Utilize ProgIDs	Sysmon EventID 13	T1112	Anomaly	ValleyRAT	2026-05-13
Windows Sqlservr Spawning Shell	Sysmon EventID 1, Windows Event Log Security 4688	T1505.001	Hunting	SQL Server Abuse	2026-05-13
Windows Mustang Panda USB Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1020 T1204.002 T1574.001	TTP	Compromised Windows Host	2026-05-13
Windows Event Logging Service Has Shutdown	Windows Event Log Security 1100	T1685.005	Hunting	Windows Log Manipulation, Scattered Lapsus$ Hunters, Ransomware, Clop Ransomware	2026-05-13
Linux Auditd AI CLI Permission Override Activated	Linux Auditd Proctitle	T1480	Anomaly	QuietVault	2026-05-13
Windows File Transfer Protocol In Non-Common Process Path	Sysmon EventID 3	T1071.003	Anomaly	AgentTesla, Hellcat Ransomware, Snake Keylogger	2026-05-13
GetNetTcpconnection with PowerShell Script Block	Powershell Script Block Logging 4104	T1049	Hunting	Active Directory Discovery	2026-05-13
Linux Add Files In Known Crontab Directories	Sysmon for Linux EventID 11	T1053.003	Anomaly	Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Suspicious microsoft workflow compiler rename	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1127	Hunting	Masquerading - Rename System Utilities, Cobalt Strike, Living Off The Land, Trusted Developer Utilities Proxy Execution, Graceful Wipe Out Attack, BlackByte Ransomware	2026-05-13
Windows Credentials from Password Stores Creation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	TTP	NetSupport RMM Tool Abuse, DarkGate Malware, Compromised Windows Host	2026-05-13
Create Remote Thread In Shell Application	Sysmon EventID 8	T1055	TTP	Warzone RAT, Qakbot, IcedID	2026-05-13
Allow Network Discovery In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686.001	TTP	Revil Ransomware, Hellcat Ransomware, NjRAT, Ransomware, Medusa Ransomware, BlackByte Ransomware	2026-05-13
Windows Remote Services Allow Remote Assistance	Sysmon EventID 13	T1021.001	Anomaly	Azorult	2026-05-13
Windows Unusual NTLM Authentication Destinations By Source	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Disabling Task Manager	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, NjRAT	2026-05-13
Linux GNU Awk Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Virtual Disk File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows NorthStar C2 Agent Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1547.001 T1608	TTP	Compromised Windows Host	2026-05-13
Potential System Network Configuration Discovery Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016	Anomaly	Unusual Processes	2026-05-13
Windows DLL Search Order Hijacking with iscsicpl	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	TTP	Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host	2026-05-13
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos	Windows Event Log Security 4768	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon, Active Directory Kerberos Attacks	2026-05-13
Windows MSIExec Remote Download	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	Anomaly	Water Gamayun, Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, StealC Stealer, Windows System Binary Proxy Execution MSIExec	2026-05-13
Windows ComputerDefaults Spawning a Process	Sysmon EventID 1	T1548.002	TTP	Castle RAT, BlankGrabber Stealer	2026-05-13
Screensaver Event Trigger Execution	Sysmon EventID 13	T1546.002	TTP	Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse	2026-05-13
Windows Remote Host Computer Management Access	Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	Anomaly	Medusa Ransomware	2026-05-13
Check Elevated CMD using whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	TTP	FIN7	2026-05-13
Windows Remote Services Rdp Enable	Sysmon EventID 13	T1021.001	TTP	Windows RDP Artifacts and Defense Evasion, Medusa Ransomware, BlackSuit Ransomware, Azorult	2026-05-13
Linux Deleting Critical Directory Using RM Command	Sysmon for Linux EventID 1	T1485	TTP	Industroyer2, Data Destruction, AwfulShred	2026-05-13
Windows Security Support Provider Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1547.005	Anomaly	Prestige Ransomware, Windows Post-Exploitation, Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Registry BootExecute Modification	Sysmon EventID 13	T1542 T1547.001	TTP	Windows BootKits	2026-05-13
Detect Regasm with Network Connection	Sysmon EventID 3	T1218.009	TTP	Handala Wiper, Living Off The Land, Void Manticore, Hellcat Ransomware, Suspicious Regsvcs Regasm Activity	2026-05-13
System Processes Run From Unexpected Locations	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003	Anomaly	Masquerading - Rename System Utilities, Windows Error Reporting Service Elevation of Privilege Vulnerability, Qakbot, Suspicious Command-Line Executions, Unusual Processes, Ransomware, DarkGate Malware	2026-05-13
Vbscript Execution Using Wscript App	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.005	TTP	AsyncRAT, FIN7, Remcos	2026-05-13
Windows Firewall Rule Modification	Windows Event Log Security 4947	T1686	Anomaly	NetSupport RMM Tool Abuse, ShrinkLocker, Medusa Ransomware	2026-05-13
Windows Registry SIP Provider Modification	Sysmon EventID 13	T1553.003	TTP	Subvert Trust Controls SIP and Trust Provider Hijacking	2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Sysmon EventID 17, Sysmon EventID 18	T1071	TTP	Azorult	2026-05-13
Get DomainUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Windows Modify Registry MaxConnectionPerServer	Sysmon EventID 13	T1112	Anomaly	Warzone RAT	2026-05-13
Crowdstrike User with Duplicate Password		T1110	Anomaly	Compromised Windows Host	2026-05-13
Powershell Remote Thread To Known Windows Process	Sysmon EventID 8	T1055	TTP	Trickbot	2026-05-13
Windows Registry Certificate Added	Sysmon EventID 13	T1553.004	Anomaly	Windows Registry Abuse, Windows Drivers	2026-05-13
Get ADUserResultantPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Linux Ruby Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Malicious InProcServer32 Modification	Sysmon EventID 13, Sysmon EventID 12	T1112 T1218.010	TTP	Remcos, Suspicious Regsvr32 Activity	2026-05-13
Detect Baron Samedit CVE-2021-3156		T1068	TTP	Baron Samedit CVE-2021-3156	2026-05-13
Windows Indicator Removal Via Rmdir	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	Anomaly	ZOVWiper, DarkGate Malware, APT37 Rustonotto and FadeStealer	2026-05-13
Disable Logs Using WevtUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.005	TTP	CISA AA23-347A, Ransomware, Rhysida Ransomware	2026-05-13
Windows Credentials Access via VaultCli Module	Sysmon EventID 7	T1555.004	Anomaly	Meduza Stealer, Hellcat Ransomware	2026-05-13
Windows Rundll32 Execution With Log.DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574	Anomaly	Lotus Blossom Chrysalis Backdoor	2026-05-13
GitHub Workflow File Creation or Modification	Sysmon EventID 11, Sysmon for Linux EventID 11	T1195 T1554 T1574.006	Hunting	NPM Supply Chain Compromise	2026-05-13
Windows AD Domain Root ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Devtunnels Image Loaded	Sysmon EventID 7	T1090	Anomaly	Reverse Network Proxy	2026-05-13
Windows Modify Registry USeWuServer	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
Windows Delete or Modify System Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686	Hunting	ShrinkLocker, NjRAT	2026-05-13
Detect Remote Access Software Usage Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1219	Anomaly	Remote Monitoring and Management Software, Gozi Malware, Storm-0501 Ransomware, CISA AA24-241A, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard	2026-05-13
Windows Ngrok Reverse Proxy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090 T1102 T1572	Anomaly	Reverse Network Proxy, CISA AA22-320A, CISA AA24-241A	2026-05-13
Windows Unusual NTLM Authentication Destinations By User	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Linux Auditd File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Auditd Daemon Abort	Linux Auditd Daemon Abort	T1685.004	Anomaly	Compromised Linux Host	2026-05-13
Windows Process Injection Wermgr Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Windows Error Reporting Service Elevation of Privilege Vulnerability, Qakbot	2026-05-13
Possible Lateral Movement PowerShell Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003	Anomaly	Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, CISA AA24-241A, Hermetic Wiper	2026-05-13
Windows Possible Credential Dumping	Sysmon EventID 10	T1003.001	TTP	DarkSide Ransomware, CISA AA22-264A, CISA AA23-347A, Detect Zerologon Attack, CISA AA22-257A, Scattered Lapsus$ Hunters, Credential Dumping	2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware	2026-05-13
Active Setup Registry Autostart	Sysmon EventID 13	T1547.014	TTP	Hermetic Wiper, Data Destruction, Windows Privilege Escalation, Windows Persistence Techniques	2026-05-13
BCDEdit Failure Recovery Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Storm-2460 CLFS Zero Day Exploitation, Void Manticore, Compromised Windows Host, Ryuk Ransomware, Ransomware	2026-05-13
Windows Registry Modification for Safe Mode Persistence	Sysmon EventID 13	T1547.001	TTP	Windows Registry Abuse, Windows Drivers, Ransomware	2026-05-13
Runas Execution in CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1134.001	Hunting	Quasar RAT, Hermetic Wiper, Data Destruction, Windows Privilege Escalation	2026-05-13
Allow File And Printing Sharing In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686.001	TTP	Ransomware, Hellcat Ransomware, BlackByte Ransomware	2026-05-13
Suspicious MSBuild Rename	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1127.001	Hunting	Masquerading - Rename System Utilities, Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware	2026-05-13
Windows PowerShell Process Implementing Manual Base64 Decoder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.010 T1059.001	Anomaly	Deobfuscate-Decode Files or Information, Compromised Windows Host	2026-05-13
Detect Mimikatz With PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1003 T1059.001	TTP	Data Destruction, Hellcat Ransomware, CISA AA22-264A, CISA AA23-347A, Malicious PowerShell, Scattered Spider, Hermetic Wiper, CISA AA22-320A, Sandworm Tools	2026-05-13
Windows UAC Bypass Suspicious Escalation Behavior	Sysmon EventID 1	T1548.002	TTP	Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host	2026-05-13
Active Directory Lateral Movement Identified		T1210	Correlation	Active Directory Lateral Movement	2026-05-13
Suspicious mshta child process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Lumma Stealer, Living Off The Land, Suspicious MSHTA Activity, MuddyWater	2026-05-13
BITS Job Persistence	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197	TTP	Living Off The Land, BITS Jobs	2026-05-13
Disable Defender Spynet Reporting	Sysmon EventID 13	T1685	TTP	Qakbot, CISA AA23-347A, Azorult, Windows Registry Abuse, IcedID	2026-05-13
Detect HTML Help Renamed	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	Hunting	Living Off The Land, Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer	2026-05-13
Linux Stdout Redirection To Dev Null File	Sysmon for Linux EventID 1	T1686	Anomaly	Industroyer2, Data Destruction, Cyclops Blink	2026-05-13
Windows Modify Registry Tamper Protection	Sysmon EventID 13	T1112	TTP	Scattered Lapsus$ Hunters, RedLine Stealer	2026-05-13
Certutil exe certificate extraction	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	TTP	Windows Persistence Techniques, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Compromised Windows Host, Cloud Federated Credential Abuse, Windows Certificate Services	2026-05-13
Malicious PowerShell Process - Execution Policy Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	Anomaly	HAFNIUM Group, 0bj3ctivity Stealer, BlankGrabber Stealer, Volt Typhoon, XWorm, China-Nexus Threat Activity, Salt Typhoon, AsyncRAT, DarkCrystal RAT, APT37 Rustonotto and FadeStealer, DHS Report TA18-074A, MuddyWater	2026-05-13
WMI Permanent Event Subscription - Sysmon	Sysmon EventID 21	T1546.003	TTP	Suspicious WMI Use	2026-05-13
Windows Gather Victim Host Information Camera	Powershell Script Block Logging 4104	T1592.001	Anomaly	DarkCrystal RAT	2026-05-13
Cisco NVM - Installation of Typosquatted Python Package	Cisco Network Visibility Module Flow Data	T1059	TTP	Cisco Network Visibility Module Analytics	2026-05-13
Linux Ngrok Reverse Proxy Usage	Sysmon for Linux EventID 1	T1090 T1102 T1572	Anomaly	Reverse Network Proxy	2026-05-13
GetAdGroup with PowerShell Script Block	Powershell Script Block Logging 4104	T1069.002	Hunting	Scattered Lapsus$ Hunters, Active Directory Discovery	2026-05-13
Control Loading from World Writable Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.002	TTP	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host	2026-05-13
GetDomainController with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Windows Rundll32 WebDAV Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048.003	Hunting	CVE-2023-23397 Outlook Elevation of Privilege	2026-05-13
Suspicious Rundll32 dllregisterserver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, Suspicious Rundll32 Activity, IcedID	2026-05-13
Windows RunMRU Registry Key or Value Deleted	Sysmon EventID 12	T1112	Anomaly	NetSupport RMM Tool Abuse	2026-05-13
Windows Disable Shutdown Button Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Ransomware	2026-05-13
Linux System Reboot Via System Request Key	Sysmon for Linux EventID 1	T1529	TTP	Data Destruction, AwfulShred	2026-05-13
Windows Rundll32 WebDav With Network Connection	Sysmon EventID 1, Sysmon EventID 3	T1048.003	TTP	CVE-2023-23397 Outlook Elevation of Privilege	2026-05-13
MacOS Gatekeeper Bypass	Osquery Results	T1553.001	Anomaly	MacOS Privilege Escalation, MacOS Post-Exploitation, MacOS Persistence Techniques	2026-05-13
Linux Auditd Possible Access To Sudoers File	Linux Auditd Cwd, Linux Auditd Path	T1548.003	Anomaly	China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Detect Renamed RClone	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1020	Hunting	Ransomware, DarkSide Ransomware, Cactus Ransomware, Black Basta Ransomware	2026-05-13
Windows Steal Authentication Certificates CS Backup	Windows Event Log Security 4876	T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Executable Masquerading as Benign File Types	Sysmon EventID 29	T1036.008	Anomaly	NetSupport RMM Tool Abuse	2026-05-13
Crowdstrike Privilege Escalation For Non-Admin User		T1110	Anomaly	Compromised Windows Host	2026-05-13
Windows Suspicious Driver Loaded Path	Sysmon EventID 6	T1543.003	TTP	AgentTesla, APT37 Rustonotto and FadeStealer, Snake Keylogger, Interlock Ransomware, CISA AA22-320A, BlackByte Ransomware, XMRig	2026-05-13
Windows Schtasks Create Run As System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Windows Persistence Techniques, Qakbot, SolarWinds WHD RCE Post Exploitation, Castle RAT, Medusa Ransomware	2026-05-13
Linux Auditd Data Transfer Size Limits Via Split Syscall	Linux Auditd Syscall	T1030	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Disabling Windows Local Security Authority Defences via Registry	Sysmon EventID 13	T1556	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Cisco Isovalent - Nsenter Usage in Kubernetes Pod	Cisco Isovalent Process Exec	T1543	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Windows Renamed Powershell Execution	Sysmon EventID 1	T1036.003	TTP	Axios Supply Chain Post Compromise, Hellcat Ransomware, XWorm	2026-05-13
PowerShell Invoke CIMMethod CIMSession	Powershell Script Block Logging 4104	T1047	Anomaly	Malicious PowerShell, Scattered Lapsus$ Hunters, Active Directory Lateral Movement	2026-05-13
Windows Modify Registry Suppress Win Defender Notif	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Azorult	2026-05-13
Suspicious Reg exe Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	Anomaly	Windows Defense Evasion Tactics, DHS Report TA18-074A, Disabling Security Tools	2026-05-13
Wermgr Process Create Executable File	Sysmon EventID 11	T1027	TTP	Trickbot	2026-05-13
Windows Wmic Memory Chip Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Windows Process With NetExec Command Line Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550.003 T1558.003 T1558.004	TTP	Active Directory Privilege Escalation, Active Directory Kerberos Attacks	2026-05-13
Windows Screen Capture Via Powershell	Powershell Script Block Logging 4104	T1113	TTP	Winter Vivern, Water Gamayun, BlankGrabber Stealer, APT37 Rustonotto and FadeStealer	2026-05-13
Remote WMI Command Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Living Off The Land, Graceful Wipe Out Attack, CISA AA23-347A, Suspicious WMI Use, Volt Typhoon, IcedID	2026-05-13
Windows Group Policy Object Created	Windows Event Log Security 5137, Windows Event Log Security 5136	T1078.002 T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Windows PowerShell IIS Components WebGlobalModule Usage	Powershell Script Block Logging 4104	T1505.004	Anomaly	GhostRedirector IIS Module and Rungan Backdoor, IIS Components	2026-05-13
Windows AD Short Lived Server Object	Windows Event Log Security 5137, Windows Event Log Security 5141	T1207	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows Admon Group Policy Object Created	Windows Active Directory Admon	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Detection of tools built by NirSoft	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1072	Anomaly	Emotet Malware DHS Report TA18-201A	2026-05-13
Sunburst Correlation DLL and Network Event	Sysmon EventID 22, Sysmon EventID 7	T1203	TTP	NOBELIUM Group	2026-05-13
Windows Modify Registry ProxyEnable	Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2026-05-13
Windows Multiple Account Passwords Changed	Windows Event Log Security 4724	T1078 T1098	TTP	Azure Active Directory Persistence	2026-05-13
MacOS Keychains Dumped	Osquery Results	T1555.001	TTP	MacOS Privilege Escalation	2026-05-13
Windows File and Directory Enable ReadOnly Permissions	Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	TTP	NetSupport RMM Tool Abuse, Crypto Stealer	2026-05-13
Excessive Usage Of Cacls App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Windows Post-Exploitation, Prestige Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering, Azorult, Crypto Stealer, XMRig	2026-05-13
Credential Dumping via Copy Command from Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Credential Dumping, Compromised Windows Host	2026-05-13
Interactive Session on Remote Endpoint with PowerShell	Powershell Script Block Logging 4104	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Windows MSHTA Writing to World Writable Path	Sysmon EventID 11	T1218.005	TTP	Suspicious MSHTA Activity, APT29 Diplomatic Deceptions with WINELOADER, XWorm	2026-05-13
Windows Defender ASR Rule Disabled	Windows Event Log Defender 5007	T1112	TTP	Windows Attack Surface Reduction	2026-05-13
Rundll32 Control RunDLL World Writable Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity	2026-05-13
Windows AD Privileged Group Modification	Windows Event Log Security 4728	T1098	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Cisco NVM - Suspicious Download From File Sharing Website	Cisco Network Visibility Module Flow Data	T1197	Anomaly	BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer	2026-05-13
Linux Auditd Osquery Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Privilege Escalation System Process Without System Parent	Sysmon EventID 1	T1068 T1134 T1548	TTP	Windows Privilege Escalation, BlackSuit Ransomware	2026-05-13
Windows EventLog Recon Activity Using Log Query Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1654	Anomaly	Windows Discovery Techniques, BlankGrabber Stealer	2026-05-13
Detect Renamed PSExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569.002	Hunting	HAFNIUM Group, Active Directory Lateral Movement, DarkSide Ransomware, Sandworm Tools, China-Nexus Threat Activity, Medusa Ransomware, Salt Typhoon, SamSam Ransomware, Cactus Ransomware, Rhysida Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, DarkGate Malware, BlackByte Ransomware	2026-05-13
WinRM Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190	TTP	CISA AA23-347A, Unusual Processes, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware	2026-05-13
Windows Archive Collected Data via Rar	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Anomaly	Salt Typhoon, DarkGate Malware, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Rapid Authentication On Multiple Hosts	Windows Event Log Security 4624	T1003.002	TTP	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
SAM Database File Access Attempt	Windows Event Log Security 4663	T1003.002	Hunting	Graceful Wipe Out Attack, Credential Dumping, Rhysida Ransomware	2026-05-13
Windows Service Create RemComSvc	Windows Event Log System 7045	T1543.003	Anomaly	Active Directory Discovery	2026-05-13
Windows KrbRelayUp Service Creation	Windows Event Log System 7045	T1543.003	TTP	Compromised Windows Host, Local Privilege Escalation With KrbRelayUp	2026-05-13
Windows Process Injection In Non-Service SearchIndexer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Qakbot	2026-05-13
Windows SQL Server xp_cmdshell Config Change	Windows Event Log Application 15457	T1505.001	TTP	GhostRedirector IIS Module and Rungan Backdoor, Seashell Blizzard, SQL Server Abuse	2026-05-13
GetAdComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Medusa Ransomware, Active Directory Discovery	2026-05-13
Windows MSIExec Spawn Discovery Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	Anomaly	Water Gamayun, Medusa Ransomware, Windows System Binary Proxy Execution MSIExec, StealC Stealer	2026-05-13
Windows Impair Defense Configure App Install Control	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Modify Registry DisableRemoteDesktopAntiAlias	Sysmon EventID 13	T1112	TTP	DarkGate Malware	2026-05-13
Remcos client registry install entry	Sysmon EventID 13, Sysmon EventID 12	T1112	TTP	Windows Registry Abuse, Remcos	2026-05-13
Resize ShadowStorage volume	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Clop Ransomware, Compromised Windows Host, VanHelsing Ransomware, Medusa Ransomware, BlackByte Ransomware	2026-05-13
Windows File and Directory Permissions Remove Inheritance	Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Crypto Stealer	2026-05-13
Windows Wmic Network Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Windows DNS Gather Network Info	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1590.002	Anomaly	Volt Typhoon, Sandworm Tools	2026-05-13
Linux Auditd Clipboard Data Copy	Linux Auditd Execve	T1115	Anomaly	Linux Living Off The Land, Compromised Linux Host	2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe	Sysmon EventID 17, Sysmon EventID 18	T1071	Anomaly	Qakbot	2026-05-13
Permission Modification using Takeown App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Scattered Lapsus$ Hunters, Ransomware, Sandworm Tools, Crypto Stealer	2026-05-13
Linux Indicator Removal Clear Cache	Sysmon for Linux EventID 1	T1070	TTP	Data Destruction, AwfulShred	2026-05-13
Get WMIObject Group Discovery with Script Block Logging	Powershell Script Block Logging 4104	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Windows Boot or Logon Autostart Execution In Startup Folder	Sysmon EventID 11	T1547.001	Anomaly	PromptFlux, BlankGrabber Stealer, Quasar RAT, APT37 Rustonotto and FadeStealer, XWorm, Gozi Malware, NjRAT, RedLine Stealer, Chaos Ransomware, Crypto Stealer, Interlock Ransomware	2026-05-13
Linux Gem Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Office Product Spawned MSDT	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Spearphishing Attachments, Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	2026-05-13
Linux c89 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows BitLockerToGo Process Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1218	Hunting	Lumma Stealer	2026-05-13
PowerShell Script Block With URL Chain	Powershell Script Block Logging 4104	T1059.001 T1105	TTP	Malicious PowerShell, Hellcat Ransomware	2026-05-13
Linux Insert Kernel Module Using Insmod Utility	Sysmon for Linux EventID 1	T1547.006	Anomaly	Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques, XorDDos	2026-05-13
Windows Office Product Loaded MSHTML Module	Sysmon EventID 7	T1566.001	Anomaly	CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, MuddyWater, Microsoft MSHTML Remote Code Execution CVE-2021-40444	2026-05-13
Windows Impair Defense Change Win Defender Health Check Intervals	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows IIS Components Get-WebGlobalModule Module Query	Powershell Installed IIS Modules	T1505.004	Hunting	GhostRedirector IIS Module and Rungan Backdoor, IIS Components, WS FTP Server Critical Vulnerabilities	2026-05-13
Suspicious wevtutil Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.005	TTP	Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation, CISA AA23-347A, Storm-0501 Ransomware, Scattered Spider, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, Ransomware, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Default Cobalt Strike PowerShell Beacon	Powershell Script Block Logging 4104	T1059.001 T1204.002	TTP	Cobalt Strike	2026-05-13
Windows Impair Defense Disable Win Defender Gen reports	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Modify Registry Configure BitLocker	Sysmon EventID 13	T1112	TTP	ShrinkLocker	2026-05-13
Suspicious PlistBuddy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.001	TTP	Silver Sparrow	2026-05-13
Windows Admin Permission Discovery	Sysmon EventID 11	T1069.001	Anomaly	NjRAT	2026-05-13
Windows Important Audit Policy Disabled	Windows Event Log Security 4719	T1685	TTP	Windows Audit Policy Tampering	2026-05-13
Windows PowerShell Get CIMInstance Remote Computer	Powershell Script Block Logging 4104	T1059.001	Anomaly	Active Directory Lateral Movement	2026-05-13
Windows Modify Registry on Smart Card Group Policy	Sysmon EventID 13	T1112	Anomaly	ShrinkLocker	2026-05-13
Linux Auditd Private Keys and Certificate Enumeration	Linux Auditd Execve	T1552.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Service Started	Linux Auditd Proctitle	T1569.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Modify Registry Disable Toast Notifications	Sysmon EventID 13	T1112	Anomaly	Azorult	2026-05-13
Detect WMI Event Subscription Persistence	Sysmon EventID 20	T1546.003	TTP	Hellcat Ransomware, Suspicious WMI Use	2026-05-13
Windows Computer Account With SPN	Windows Event Log Security 4741	T1558	TTP	Compromised Windows Host, Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2026-05-13
Windows Browser Process Launched with Unusual Flags	Sysmon EventID 1	T1185	Anomaly	Castle RAT	2026-05-13
Suspicious mshta spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Living Off The Land, Suspicious MSHTA Activity, APT37 Rustonotto and FadeStealer	2026-05-13
Windows AI Platform DNS Query	Sysmon EventID 22	T1071.004	Anomaly	SesameOp, LAMEHUG, PromptFlux	2026-05-13
Windows Process Injection Remote Thread	Sysmon EventID 8	T1055.002	TTP	Water Gamayun, Earth Alux, Qakbot, Graceful Wipe Out Attack, Warzone RAT	2026-05-13
Linux Auditd Find Credentials From Password Managers	Linux Auditd Execve	T1555.005	TTP	Linux Persistence Techniques, Linux Living Off The Land, Compromised Linux Host, Scattered Lapsus$ Hunters, Linux Privilege Escalation	2026-05-13
Linux Magic SysRq Key Abuse	Linux Auditd Cwd, Linux Auditd Path	T1059.004 T1489 T1499 T1529	TTP	Compromised Linux Host	2026-05-13
Windows Unusual Count Of Users Failed To Authenticate Using NTLM	Windows Event Log Security 4776	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Disable Security Logs Using MiniNt Registry	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Identify Protocol Handlers	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Hunting	Living Off The Land	2026-05-13
Windows SQL Server Extended Procedure DLL Loading Hunt	Windows Event Log Application 8128	T1059.009 T1505.001	Hunting	SQL Server Abuse	2026-05-13
Windows New Deny Permission Set On Service SD Via Sc.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows MSC EvilTwin Directory Path Manipulation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1203 T1218	TTP	Living Off The Land, Windows Defense Evasion Tactics, Water Gamayun	2026-05-13
Windows Azure Storage Utility Execution Via CLI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1567.002	Anomaly	Data Exfiltration	2026-05-13
Windows InstallUtil in Non Standard Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1218.004	TTP	Masquerading - Rename System Utilities, Signed Binary Proxy Execution InstallUtil, Living Off The Land, Data Destruction, WhisperGate, Unusual Processes, Ransomware	2026-05-13
Windows Steal Authentication Certificates - ESC1 Abuse	Windows Event Log Security 4887, Windows Event Log Security 4886	T1649	TTP	Windows Certificate Services	2026-05-13
Linux Gdrive Binary Activity	Sysmon for Linux EventID 1	T1567	TTP	China-Nexus Threat Activity	2026-05-13
Windows Process Injection Of Wermgr to Known Browser	Sysmon EventID 8	T1055.001	TTP	Qakbot	2026-05-13
Windows Detect Network Scanner Behavior	Sysmon EventID 3	T1595.001 T1595.002	Anomaly	Windows Discovery Techniques, Network Discovery	2026-05-13
Windows Execution of Microsoft MSC File In Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.014	Anomaly	XML Runner Loader	2026-05-13
Windows RDP Server Registry Deletion	Sysmon EventID 13, Sysmon EventID 12	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Modify Registry Disable RDP	Sysmon EventID 13	T1112	Anomaly	Windows RDP Artifacts and Defense Evasion, ShrinkLocker	2026-05-13
Windows Post Exploitation Risk Behavior		T1003 T1012 T1016 T1049 T1069 T1082 T1115 T1552	Correlation	Windows Post-Exploitation	2026-05-13
Windows Unusual SysWOW64 Process Run System32 Executable	Sysmon EventID 1, Windows Event Log Security 4688	T1036.009	Anomaly	Salt Typhoon, DarkGate Malware, China-Nexus Threat Activity	2026-05-13
Windows Modify Registry Auto Update Notif	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Revil Common Exec Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Ransomware, Revil Ransomware	2026-05-13
Windows RDP Cache File Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Linux Iptables Firewall Modification	Sysmon for Linux EventID 1	T1686	Anomaly	Backdoor Pingpong, Cyclops Blink, Sandworm Tools, China-Nexus Threat Activity	2026-05-13
Windows Network Share Interaction Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1039 T1135	Hunting	Network Discovery, Active Directory Privilege Escalation, Active Directory Discovery	2026-05-13
Detect Regsvcs with No Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Living Off The Land, Suspicious Regsvcs Regasm Activity	2026-05-13
XSL Script Execution With WMIC	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1220	TTP	FIN7, Suspicious WMI Use	2026-05-13
Windows Symlink Evaluation Change via Fsutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Windows Post-Exploitation	2026-05-13
GetLocalUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1059.001 T1087.001	Hunting	Malicious PowerShell, Active Directory Discovery	2026-05-13
Windows Audit Policy Disabled via Legacy Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Ingress Tool Transfer Using Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	Anomaly	DarkCrystal RAT	2026-05-13
Powershell Remove Windows Defender Directory	Powershell Script Block Logging 4104	T1685	TTP	Data Destruction, WhisperGate	2026-05-13
MacOS Account Created	Osquery Results	T1136	Anomaly	MacOS Persistence Techniques	2026-05-13
ServicePrincipalNames Discovery with PowerShell	Powershell Script Block Logging 4104	T1558.003	TTP	Hellcat Ransomware, Active Directory Discovery, Malicious PowerShell, Active Directory Privilege Escalation, Active Directory Kerberos Attacks	2026-05-13
Windows Multiple Accounts Disabled	Windows Event Log Security 4725	T1078 T1098	TTP	Azure Active Directory Persistence	2026-05-13
Windows Proxy Via Registry	Sysmon EventID 13	T1090.001	Anomaly	Volt Typhoon	2026-05-13
Windows BitLocker Suspicious Command Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1486 T1490	TTP	ShrinkLocker	2026-05-13
Windows RDP Connection Successful	Windows Event Log RemoteConnectionManager 1149	T1563.002	Hunting	Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, NetSupport RMM Tool Abuse, Interlock Ransomware, BlackByte Ransomware	2026-05-13
Windows SymbolicLink-Testing-Tools Utility Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222 T1564.004	TTP	Windows Privilege Escalation, Windows Persistence Techniques, Windows Post-Exploitation	2026-05-13
Windows Impair Defenses Disable Win Defender Auto Logging	Sysmon EventID 13	T1685	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Root Domain linked policies Discovery	Powershell Script Block Logging 4104	T1087.002	Anomaly	Industroyer2, Data Destruction, Active Directory Discovery	2026-05-13
Detect Remote Access Software Usage FileInfo	Sysmon EventID 1	T1219	Anomaly	Remote Monitoring and Management Software, Gozi Malware, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard	2026-05-13
Windows Universal Data Link File Creation	Sysmon EventID 11	T1204.002 T1566.001	Anomaly	Spearphishing Attachments	2026-05-13
Windows Indirect Command Execution Via Series Of Forfiles	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1202	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows Defender ASR Block Events	Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1121, Windows Event Log Defender 1133	T1059 T1566.001 T1566.002	Anomaly	Windows Attack Surface Reduction	2026-05-13
Allow Inbound Traffic In Firewall Rule	Powershell Script Block Logging 4104	T1021.001	TTP	Prohibited Traffic Allowed or Protocol Mismatch, NetSupport RMM Tool Abuse	2026-05-13
Kerberos TGT Request Using RC4 Encryption	Windows Event Log Security 4768	T1550	TTP	Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks	2026-05-13
Windows Privilege Escalation Suspicious Process Elevation	Sysmon EventID 1	T1068 T1134 T1548	TTP	GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware	2026-05-13
Windows Command Obfuscation with Environment Variable Substrings	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.010	Anomaly	Malicious PowerShell	2026-05-13
Linux Data Destruction Command	Sysmon for Linux EventID 1	T1485	TTP	Data Destruction, AwfulShred	2026-05-13
Kerberoasting spn request with RC4 encryption	Windows Event Log Security 4769	T1558.003	TTP	Data Destruction, Windows Privilege Escalation, Compromised Windows Host, Hermetic Wiper, Active Directory Kerberos Attacks	2026-05-13
Windows Alternate DataStream - Base64 Content	Sysmon EventID 15	T1564.004	TTP	Windows Defense Evasion Tactics, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Service Stop Win Updates	Windows Event Log System 7040	T1489	Anomaly	CISA AA23-347A, RedLine Stealer	2026-05-13
MacOS Data Chunking	Osquery Results	T1030	Anomaly	MacOS Post-Exploitation	2026-05-13
Windows Create Local Account	Windows Event Log Security 4720	T1136.001	Anomaly	Scattered Lapsus$ Hunters, Active Directory Password Spraying, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor	2026-05-13
Create Remote Thread into LSASS	Sysmon EventID 8	T1003.001	TTP	Credential Dumping, BlackSuit Ransomware, Lokibot	2026-05-13
Windows WBAdmin File Recovery From Backup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490 T1565.001	Anomaly	Credential Dumping	2026-05-13
FodHelper UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112 T1548.002	TTP	BlankGrabber Stealer, ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, IcedID	2026-05-13
Windows PowerShell Disable HTTP Logging	Powershell Script Block Logging 4104	T1505.004 T1685.001	TTP	Windows Defense Evasion Tactics, IIS Components	2026-05-13
Windows ClipBoard Data via Get-ClipBoard	Powershell Script Block Logging 4104	T1115	Anomaly	Prestige Ransomware, Windows Post-Exploitation, BlankGrabber Stealer	2026-05-13
Windows Spearphishing Attachment Onenote Spawn Mshta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	AsyncRAT, Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer	2026-05-13
WinEvent Scheduled Task Created Within Public Path	Windows Event Log Security 4698	T1053.005	TTP	0bj3ctivity Stealer, Scheduled Tasks, Remcos, Active Directory Lateral Movement, Windows Persistence Techniques, Prestige Ransomware, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Compromised Windows Host, CISA AA22-257A, Castle RAT, SystemBC, Malicious Inno Setup Loader, IcedID, PlugX, Industroyer2, Quasar RAT, XWorm, AsyncRAT, APT37 Rustonotto and FadeStealer, Winter Vivern, Medusa Ransomware, Data Destruction, CISA AA23-347A, Ryuk Ransomware, Ransomware	2026-05-13
Remote Desktop Process Running On System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	Hunting	Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware, Active Directory Lateral Movement	2026-05-13
MacOS Kextload Usage	Osquery Results	T1543	TTP	MacOS Privilege Escalation, MacOS Persistence Techniques	2026-05-13
Windows MpCmdRun RemoveDefinitions Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	BlankGrabber Stealer	2026-05-13
Windows Scheduled Task Service Spawned Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1053.005 T1059	TTP	Windows Persistence Techniques	2026-05-13
Windows Modify Registry Disable Windows Security Center Notif	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Azorult	2026-05-13
Windows Computer Account Requesting Kerberos Ticket	Windows Event Log Security 4768	T1558	TTP	Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks	2026-05-13
Rundll32 LockWorkStation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Anomaly	Ransomware	2026-05-13
Anomalous usage of 7zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Anomaly	NOBELIUM Group, Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware, BlackSuit Ransomware	2026-05-13
Get-ForestTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery	2026-05-13
Windows Processes Killed By Industroyer2 Malware	Sysmon EventID 5	T1489	Anomaly	Industroyer2, Data Destruction	2026-05-13
Unusual Number of Computer Service Tickets Requested	Windows Event Log Security 4769	T1078	Hunting	Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement, Active Directory Kerberos Attacks	2026-05-13
Windows Suspicious C2 Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	TTP	DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware	2026-05-13
Windows Process Injection With Public Source Path	Sysmon EventID 8	T1055.002	Hunting	Earth Alux, Brute Ratel C4	2026-05-13
GetAdComputer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	Hunting	CISA AA22-320A, Gozi Malware, Medusa Ransomware, Active Directory Discovery	2026-05-13
Hunting 3CXDesktopApp Software	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1195.002	Hunting	3CX Supply Chain Attack	2026-05-13
Windows Suspicious QEMU Execution	Sysmon EventID 1	T1001 T1036 T1204.002 T1564.006	TTP	Linux Post-Exploitation, Linux Rootkit, Linux Living Off The Land, Compromised Linux Host, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware	2026-05-13
Process Writing DynamicWrapperX	Sysmon EventID 11	T1059 T1559.001	Hunting	Remcos	2026-05-13
Cisco Isovalent - Kprobe Spike	Cisco Isovalent Process Kprobe	T1068	Hunting	Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Certutil Root Certificate Addition	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1587.003	TTP	Secret Blizzard	2026-05-13
Short Lived Windows Accounts	Windows Event Log System 4720, Windows Event Log System 4726	T1078.003 T1136.001	TTP	GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement	2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process	Sysmon EventID 23	T1068 T1218.007	TTP	Windows Privilege Escalation	2026-05-13
Remote Process Instantiation via DCOM and PowerShell Script Block	Powershell Script Block Logging 4104	T1021.003	TTP	Active Directory Lateral Movement	2026-05-13
Add DefaultUser And Password In Registry	Sysmon EventID 13, Sysmon EventID 12	T1552.002	Anomaly	BlackMatter Ransomware	2026-05-13
Scheduled Task Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Active Directory Lateral Movement, Living Off The Land, Medusa Ransomware, Seashell Blizzard	2026-05-13
Windows NirSoft AdvancedRun	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1588.002	TTP	Unusual Processes, Ransomware, WhisperGate, Data Destruction	2026-05-13
Exchange PowerShell Module Usage	Powershell Script Block Logging 4104	T1059.001	TTP	CISA AA22-264A, ProxyShell, Scattered Spider, CISA AA22-277A, BlackByte Ransomware, ProxyNotShell	2026-05-13
Windows CAB File on Disk	Sysmon EventID 11	T1566.001	Anomaly	DarkGate Malware, APT37 Rustonotto and FadeStealer	2026-05-13
Windows PaperCut NG Spawn Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1133 T1190	TTP	PaperCut MF NG Vulnerability, Compromised Windows Host	2026-05-13
Windows Private Keys Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.004	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows Phishing PDF File Executes URL Link	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	Anomaly	Spearphishing Attachments, MuddyWater, Snake Keylogger	2026-05-13
Windows Hijack Execution Flow Version Dll Side Load	Sysmon EventID 7	T1574.001	Anomaly	Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm, Brute Ratel C4	2026-05-13
PowerShell PInvoke Process Injection API Chain	Powershell Script Block Logging 4104	T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620	TTP	VIP Keylogger	2026-05-13
Loading Of Dynwrapx Module	Sysmon EventID 7	T1055.001	TTP	AsyncRAT, Remcos	2026-05-13
Windows WMI Process Call Create	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Hunting	Qakbot, CISA AA23-347A, Cactus Ransomware, Suspicious WMI Use, Volt Typhoon, IcedID	2026-05-13
Windows ConHost with Headless Argument	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003 T1564.006	TTP	Spearphishing Attachments, Compromised Windows Host	2026-05-13
Shim Database Installation With Suspicious Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.011	TTP	Compromised Windows Host, Windows Persistence Techniques	2026-05-13
Windows Alternate DataStream - Executable Content	Sysmon EventID 15	T1564.004	TTP	Windows Defense Evasion Tactics	2026-05-13
PowerShell Environment Variable Execution	Powershell Script Block Logging 4104	T1059.001	Anomaly	VIP Keylogger	2026-05-13
Windows Modify Registry No Auto Reboot With Logon User	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Windows Unusual FileZilla XML Config Access	Windows Event Log Security 4663	T1552.001	Anomaly	Quasar RAT	2026-05-13
Rundll32 Process Creating Exe Dll Files	Sysmon EventID 11	T1218.011	TTP	Gh0st RAT, Living Off The Land, IcedID	2026-05-13
Overwriting Accessibility Binaries	Sysmon EventID 11	T1546.008	TTP	Hermetic Wiper, Flax Typhoon, Data Destruction, Windows Privilege Escalation	2026-05-13
Suspicious PlistBuddy Usage via OSquery	Osquery Results	T1543.001	TTP	Silver Sparrow	2026-05-13
Windows Create Local Administrator Account Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1136.001	Anomaly	DarkGate Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, DHS Report TA18-074A, CISA AA22-257A, Scattered Lapsus$ Hunters, Medusa Ransomware, Azorult	2026-05-13
Schedule Task with HTTP Command Arguments	Windows Event Log Security 4698	T1053	TTP	Scheduled Tasks, Windows Persistence Techniques, Living Off The Land, Hellcat Ransomware, Compromised Windows Host, Winter Vivern	2026-05-13
Windows Raw Access To Master Boot Record Drive	Sysmon EventID 9	T1561.002	TTP	Caddy Wiper, Disk Wiper, Data Destruction, Void Manticore, CISA AA22-264A, WhisperGate, NjRAT, Graceful Wipe Out Attack, PathWiper, Hermetic Wiper, BlackByte Ransomware	2026-05-13
Ryuk Wake on LAN Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	TTP	Hellcat Ransomware, Compromised Windows Host, Ryuk Ransomware	2026-05-13
Windows IIS Components New Module Added	Windows IIS 29	T1505.004	TTP	GhostRedirector IIS Module and Rungan Backdoor, IIS Components	2026-05-13
Windows Masquerading Msdtc Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036	TTP	Compromised Windows Host, PlugX	2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle	Sysmon EventID 10	T1134.001	Hunting	Brute Ratel C4	2026-05-13
Windows Modify Registry Auto Minor Updates	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
Windows MOF Event Triggered Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.003	TTP	Living Off The Land, Compromised Windows Host	2026-05-13
Windows RMM Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	Anomaly	Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard	2026-05-13
High Frequency Copy Of Files In Network Share	Windows Event Log Security 5145	T1537	Anomaly	Insider Threat, Hellcat Ransomware, Information Sabotage	2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary	Sysmon EventID 1	T1036 T1572	TTP	Flax Typhoon, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
MacOS List Firewall Rules	Osquery Results	T1016	Anomaly	Network Discovery	2026-05-13
Detect AzureHound File Modifications	Sysmon EventID 11	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques	2026-05-13
Windows Process Commandline Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1057	Hunting	CISA AA23-347A	2026-05-13
Bcdedit Command Back To Normal Mode Boot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackMatter Ransomware, Black Basta Ransomware	2026-05-13
GetWmiObject Ds Computer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Windows Modify Registry Default Icon Setting	Sysmon EventID 13	T1112	Anomaly	LockBit Ransomware	2026-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds	Sysmon EventID 13	T1112	TTP	Snake Malware	2026-05-13
Disabling CMD Application	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, NjRAT	2026-05-13
Windows TinyCC Shellcode Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1027 T1036 T1059.003	TTP	Lotus Blossom Chrysalis Backdoor	2026-05-13
Suspicious Computer Account Name Change	Windows Event Log Security 4781	T1078.002	TTP	sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Compromised Windows Host	2026-05-13
Windows InstallUtil Credential Theft	Sysmon EventID 7	T1218.004	TTP	Signed Binary Proxy Execution InstallUtil	2026-05-13
Windows AD Abnormal Object Access Activity	Windows Event Log Security 4662	T1087.002	Anomaly	BlackSuit Ransomware, Active Directory Discovery	2026-05-13
Linux Clipboard Data Copy	Sysmon for Linux EventID 1	T1115	Anomaly	Linux Living Off The Land	2026-05-13
Cisco Isovalent - Late Process Execution	Cisco Isovalent Process Exec	T1543	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Executables Or Script Creation In Suspicious Path	Sysmon EventID 11	T1036	Anomaly	Remcos, NailaoLocker Ransomware, Earth Alux, Axios Supply Chain Post Compromise, DynoWiper, Double Zero Destructor, WhisperGate, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Warzone RAT, DarkCrystal RAT, Derusbi, MoonPeak, Rhysida Ransomware, Snake Keylogger, Hermetic Wiper, Volt Typhoon, Brute Ratel C4, Castle RAT, SesameOp, LockBit Ransomware, SystemBC, AcidPour, AgentTesla, Meduza Stealer, RedLine Stealer, WinDealer RAT, GhostRedirector IIS Module and Rungan Backdoor, Cactus Ransomware, PlugX, IcedID, Azorult, Handala Wiper, Industroyer2, PromptLock, Quasar RAT, NjRAT, Qakbot, SnappyBee, AsyncRAT, Interlock Rat, Chaos Ransomware, Interlock Ransomware, BlackByte Ransomware, Amadey, XMRig, Data Destruction, Void Manticore, Swift Slicer, CISA AA23-347A, Graceful Wipe Out Attack, Trickbot, XML Runner Loader, Crypto Stealer, DarkGate Malware, VIP Keylogger, Lokibot	2026-05-13
Schedule Task with Rundll32 Command Trigger	Windows Event Log Security 4698	T1053	TTP	Scheduled Tasks, Windows Persistence Techniques, Living Off The Land, Trickbot, Compromised Windows Host, Castle RAT, IcedID	2026-05-13
Windows AD Dangerous Deny ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows USBSTOR Registry Key Modification	Sysmon EventID 13, Sysmon EventID 12	T1025 T1091 T1200	Anomaly	APT37 Rustonotto and FadeStealer, Data Protection	2026-05-13
Crowdstrike User Weak Password Policy		T1110	Anomaly	Compromised Windows Host	2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags	Cisco Isovalent Process Exec	T1105	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Powershell COM Hijacking InprocServer32 Modification	Powershell Script Block Logging 4104	T1059.001 T1546.015	TTP	Malicious PowerShell	2026-05-13
Linux APT Privilege Escalation	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Modify Show Compress Color And Info Tip Registry	Sysmon EventID 13	T1112	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Data Destruction, Hermetic Wiper	2026-05-13
Suspicious Ticket Granting Ticket Request	Windows Event Log Security 4781, Windows Event Log Security 4768	T1078.002	Hunting	sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks	2026-05-13
MS Scripting Process Loading WMI Module	Sysmon EventID 7	T1059.007	Anomaly	FIN7	2026-05-13
Monitor Registry Keys for Print Monitors	Sysmon EventID 13	T1547.010	TTP	Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques	2026-05-13
Windows System Network Connections Discovery Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Anomaly	Windows Post-Exploitation, BlankGrabber Stealer, Prestige Ransomware, Snake Keylogger, VIP Keylogger	2026-05-13
Detect RClone Command-Line Usage	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1020	TTP	DarkSide Ransomware, Cisco Network Visibility Module Analytics, Hellcat Ransomware, Storm-0501 Ransomware, Cactus Ransomware, Black Basta Ransomware, Ransomware	2026-05-13
Get DomainPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	TTP	Active Directory Discovery	2026-05-13
Suspicious Linux Discovery Commands	Sysmon for Linux EventID 1	T1059.004	TTP	Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Disable Notification Center	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Phishing Outlook Drop Dll In FORM Dir	Sysmon EventID 11, Sysmon EventID 1	T1566	TTP	Outlook RCE CVE-2024-21378	2026-05-13
Windows Impair Defenses Disable Auto Logger Session	Sysmon EventID 13	T1685	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Batch File Write to System32	Sysmon EventID 11	T1204.002	TTP	Compromised Windows Host, SamSam Ransomware	2026-05-13
Detect Use of cmd exe to Launch Script Interpreters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Anomaly	Azorult, Suspicious Command-Line Executions, Emotet Malware DHS Report TA18-201A	2026-05-13
Windows Deleted Registry By A Non Critical Process File Path	Sysmon EventID 12, Sysmon EventID 1	T1112	Anomaly	Data Destruction, Double Zero Destructor	2026-05-13
Linux Auditd Dd File Overwrite	Linux Auditd Proctitle	T1485	TTP	Industroyer2, Compromised Linux Host, Data Destruction	2026-05-13
CSC Net On The Fly Compilation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.004	Hunting	Windows Defense Evasion Tactics	2026-05-13
Process Kill Base On File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	XMRig	2026-05-13
Windows AD Domain Controller Audit Policy Disabled	Windows Event Log Security 4719	T1685	TTP	Windows Audit Policy Tampering	2026-05-13
Get WMIObject Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Windows DotNet Binary in Non Standard Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1218.004	TTP	Masquerading - Rename System Utilities, Signed Binary Proxy Execution InstallUtil, Data Destruction, WhisperGate, Unusual Processes, Ransomware	2026-05-13
Windows BitDefender Submission Wizard DLL Sideloading	Sysmon EventID 7	T1574	TTP	Lotus Blossom Chrysalis Backdoor	2026-05-13
Detect Certify Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105 T1649	TTP	Ingress Tool Transfer, Compromised Windows Host, Windows Certificate Services	2026-05-13
Windows ESX Admins Group Creation via PowerShell	Powershell Script Block Logging 4104	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Windows Hide Notification Features Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware	2026-05-13
Suspicious Curl Network Connection	Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Linux Living Off The Land, APT37 Rustonotto and FadeStealer, Silver Sparrow	2026-05-13
Windows Metasploit Confluence Plugin Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190 T1505.003 T1608	TTP	Confluence Data Center and Confluence Server Vulnerabilities	2026-05-13
Windows File Download Via PowerShell	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1105	Anomaly	SysAid On-Prem Software CVE-2023-47246 Vulnerability, Phemedrone Stealer, Hermetic Wiper, Tuoni, HAFNIUM Group, Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, IcedID, PHP-CGI RCE Attack on Japanese Organizations, NetSupport RMM Tool Abuse, XWorm, StealC Stealer, APT37 Rustonotto and FadeStealer, Winter Vivern, Data Destruction, NPM Supply Chain Compromise	2026-05-13
Windows PuTTY Suite Utility Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.004	Anomaly	Active Directory Lateral Movement, Command And Control	2026-05-13
Windows User Deletion Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	Graceful Wipe Out Attack, DarkGate Malware, XMRig	2026-05-13
Windows Service Execution RemCom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569.002	TTP	Active Directory Discovery	2026-05-13
Windows Application Whitelisting Bypass Attempt via Rundll32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, Compromised Windows Host, Suspicious Rundll32 Activity	2026-05-13
Windows Excessive Disabled Services Event	Windows Event Log System 7040	T1685	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Compromised Windows Host	2026-05-13
Windows LOLBAS Executed Outside Expected Path	Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1218.011	Anomaly	Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics	2026-05-13
Windows Powershell Logoff User via Quser	Powershell Script Block Logging 4104	T1059.001 T1531	Anomaly	Crypto Stealer	2026-05-13
CMD Carry Out String Command Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Hunting	0bj3ctivity Stealer, Log4Shell CVE-2021-44228, WhisperGate, Warzone RAT, DarkCrystal RAT, Rhysida Ransomware, Hermetic Wiper, RedLine Stealer, Malicious Inno Setup Loader, ProxyNotShell, IcedID, Azorult, PlugX, Quasar RAT, Living Off The Land, Gh0st RAT, NjRAT, Qakbot, AsyncRAT, Interlock Rat, Chaos Ransomware, StealC Stealer, Winter Vivern, Data Destruction, CISA AA23-347A, Crypto Stealer, DarkGate Malware	2026-05-13
Linux High Frequency Of File Deletion In Etc Folder	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	Data Destruction, AcidRain	2026-05-13
Windows Powershell History File Deletion	Powershell Script Block Logging 4104	T1059.003 T1070.003	Anomaly	Medusa Ransomware	2026-05-13
Remote Process Instantiation via WinRM and PowerShell Script Block	Powershell Script Block Logging 4104	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Linux At Allow Config File Creation	Sysmon for Linux EventID 11	T1053.003	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Attacker Tools On Endpoint	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1003 T1036.005 T1595	TTP	Cisco Network Visibility Module Analytics, PHP-CGI RCE Attack on Japanese Organizations, CISA AA22-264A, SamSam Ransomware, Compromised Windows Host, Scattered Spider, Unusual Processes, XMRig	2026-05-13
Domain Account Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Windows Software Discovery Via PowerShell	Powershell Script Block Logging 4104	T1012 T1059.001 T1518	Anomaly	Windows Discovery Techniques	2026-05-13
Windows Office Product Dropped Uncommon File	Sysmon EventID 11, Sysmon EventID 1	T1566.001	Anomaly	AgentTesla, Warzone RAT, FIN7, Compromised Windows Host, CVE-2023-21716 Word RTF Heap Corruption, PlugX	2026-05-13
Windows Account Discovery for None Disable User Account	Powershell Script Block Logging 4104	T1087.001	Hunting	CISA AA23-347A	2026-05-13
Icacls Deny Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, Azorult, Compromised Windows Host, Crypto Stealer, Sandworm Tools, XMRig	2026-05-13
Msmpeng Application DLL Side Loading	Sysmon EventID 11	T1574.001	TTP	Ransomware, Revil Ransomware	2026-05-13
Windows Privilege Escalation User Process Spawn System Process	Sysmon EventID 1	T1068 T1134 T1548	TTP	GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, Compromised Windows Host, BlackSuit Ransomware	2026-05-13
Windows MsiExec HideWindow Rundll32 Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Water Gamayun, Qakbot	2026-05-13
Windows Raw Access To Disk Volume Partition	Sysmon EventID 9	T1561.002	Anomaly	Caddy Wiper, Disk Wiper, Data Destruction, Void Manticore, CISA AA22-264A, NjRAT, Graceful Wipe Out Attack, PathWiper, Hermetic Wiper, BlackByte Ransomware	2026-05-13
Windows Credentials from Password Stores Chrome Copied in TEMP Dir	Sysmon EventID 11	T1555.003	TTP	Scattered Lapsus$ Hunters, Braodo Stealer, BlankGrabber Stealer	2026-05-13
Windows AD DSRM Password Reset	Windows Event Log Security 4794	T1098	TTP	Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters	2026-05-13
Windows AppX Deployment Unsigned Package Installation	Windows Event Log AppXDeployment-Server 855	T1204.002 T1553.005	TTP	MSIX Package Abuse	2026-05-13
GetDomainComputer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Windows AD GPO New CSE Addition	Windows Event Log Security 5136	T1222.001 T1484.001	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
IcedID Exfiltrated Archived File Creation	Sysmon EventID 11	T1560.001	Hunting	APT37 Rustonotto and FadeStealer, IcedID	2026-05-13
Remote Process Instantiation via WMI and PowerShell Script Block	Powershell Script Block Logging 4104	T1047	TTP	Active Directory Lateral Movement	2026-05-13
Windows WMI Reconnaissance Class Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	BlankGrabber Stealer	2026-05-13
MS Scripting Process Loading Ldap Module	Sysmon EventID 7	T1059.007	Anomaly	FIN7	2026-05-13
Windows PowGoop Beacon Decoding	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1001 T1059.001	TTP	Compromised Windows Host	2026-05-13
Detect Excessive Account Lockouts From Endpoint		T1078.002	Anomaly	Active Directory Password Spraying	2026-05-13
Linux GDB Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Audit Policy Security Descriptor Tampering via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Suspicious IcedID Rundll32 Cmdline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, IcedID	2026-05-13
Windows Parent PID Spoofing with Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1134.004	TTP	Windows Defense Evasion Tactics, Compromised Windows Host	2026-05-13
Windows PowerShell MSIX Package Installation	Powershell Script Block Logging 4104	T1059.001 T1547.001	TTP	Malicious PowerShell, MSIX Package Abuse	2026-05-13
Linux Hardware Addition SwapOff	Sysmon for Linux EventID 1	T1200	Anomaly	Scattered Lapsus$ Hunters, Data Destruction, AwfulShred	2026-05-13
Windows Debugger Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036	Hunting	DarkGate Malware, PlugX	2026-05-13
First Time Seen Child Process of Zoom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	Anomaly	Suspicious Zoom Child Processes	2026-05-13
Scheduled Task Deleted Or Created via CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	Anomaly	0bj3ctivity Stealer, Scheduled Tasks, Remcos, Windows Persistence Techniques, Prestige Ransomware, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, DarkCrystal RAT, Phemedrone Stealer, MoonPeak, Rhysida Ransomware, DHS Report TA18-074A, CISA AA22-257A, Sandworm Tools, AgentTesla, RedLine Stealer, SolarWinds WHD RCE Post Exploitation, Azorult, PlugX, NOBELIUM Group, Quasar RAT, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, Qakbot, NjRAT, AsyncRAT, APT37 Rustonotto and FadeStealer, Scattered Spider, Winter Vivern, Medusa Ransomware, Amadey, CISA AA23-347A, CISA AA24-241A, Trickbot, ShrinkLocker, Lokibot	2026-05-13
Windows AppLocker Block Events		T1218	Anomaly	Windows AppLocker	2026-05-13
Windows Raccine Scheduled Task Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Ransomware, Compromised Windows Host	2026-05-13
Windows App Layer Protocol Qakbot NamedPipe	Sysmon EventID 17, Sysmon EventID 18	T1071	Anomaly	Qakbot	2026-05-13
Windows File Collection Via Copy Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1119	Anomaly	LAMEHUG	2026-05-13
Registry Keys for Creating SHIM Databases	Sysmon EventID 13	T1546.011	TTP	Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques	2026-05-13
Unusual Number of Remote Endpoint Authentication Events	Windows Event Log Security 4624	T1078	Hunting	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Prevent Automatic Repair Mode using Bcdedit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Ransomware, Chaos Ransomware, Void Manticore	2026-05-13
Windows Unsigned DLL Side-Loading	Sysmon EventID 7	T1574.001	Anomaly	Earth Alux, NjRAT, Derusbi, China-Nexus Threat Activity, Salt Typhoon, Warzone RAT, SolarWinds WHD RCE Post Exploitation	2026-05-13
Windows SQL Spawning CertUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows Short Lived DNS Record	Windows Event Log Security 5137, Windows Event Log Security 5136	T1071.004 T1187 T1557.001	TTP	Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp	2026-05-13
Windows Disable Windows Group Policy Features Through Registry	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Ransomware, Windows Registry Abuse	2026-05-13
Windows Server Software Component GACUtil Install to GAC	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.004	TTP	IIS Components	2026-05-13
Script Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Scattered Spider, Suspicious WMI Use	2026-05-13
Windows Suspect Process With Authentication Traffic	Sysmon EventID 3	T1087.002 T1204.002	Anomaly	Active Directory Discovery	2026-05-13
Disable Defender MpEngine Registry	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, IcedID	2026-05-13
DLLHost with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	Storm-2460 CLFS Zero Day Exploitation, Cobalt Strike, Earth Alux, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware	2026-05-13
Linux Auditd Add User Account Type	Linux Auditd Add User	T1136.001	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows WMI Impersonate Token	Sysmon EventID 10	T1047	Anomaly	Water Gamayun, Qakbot	2026-05-13
Windows Set Account Password Policy To Unlimited Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	XMRig, Ransomware, BlackByte Ransomware, Crypto Stealer	2026-05-13
Randomly Generated Windows Service Name	Windows Event Log System 7045	T1543.003	Hunting	Active Directory Lateral Movement, BlackSuit Ransomware	2026-05-13
Disabling NoRun Windows App	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Default Group Policy Object Modified	Windows Event Log Security 5136	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
WinEvent Windows Task Scheduler Event Action Started	Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200	T1053.005	Hunting	Scheduled Tasks, Remcos, Windows Persistence Techniques, Prestige Ransomware, ValleyRAT, DarkCrystal RAT, CISA AA22-257A, Sandworm Tools, SystemBC, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, IcedID, PlugX, Industroyer2, Qakbot, AsyncRAT, Winter Vivern, Amadey, Data Destruction, CISA AA24-241A, BlackSuit Ransomware	2026-05-13
Malicious PowerShell Process With Obfuscation Techniques	Sysmon EventID 1	T1059.001	TTP	Data Destruction, Hellcat Ransomware, Malicious PowerShell, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper	2026-05-13
Windows Masquerading Explorer As Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	TTP	Water Gamayun, Compromised Windows Host, Qakbot	2026-05-13
Linux High Frequency Of File Deletion In Boot Folder	Sysmon for Linux EventID 11	T1070.004 T1485	TTP	Industroyer2, Data Destruction, AcidPour	2026-05-13
Windows System Discovery Using Qwinsta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Qakbot	2026-05-13
UAC Bypass With Colorui COM Object	Sysmon EventID 7	T1218.003	TTP	Ransomware, LockBit Ransomware	2026-05-13
Linux Sqlite3 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Wmic NonInteractive App Uninstallation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Hunting	Azorult, IcedID	2026-05-13
MSI Module Loaded by Non-System Binary	Sysmon EventID 7	T1574.001	Hunting	Hermetic Wiper, Data Destruction, Windows Privilege Escalation	2026-05-13
Linux Ingress Tool Transfer with Curl	Sysmon for Linux EventID 1	T1105	Anomaly	NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, XorDDos	2026-05-13
Windows WinDBG Spawning AutoIt3	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	DarkGate Malware, Compromised Windows Host	2026-05-13
GPUpdate with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware	2026-05-13
Get ADUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	Hunting	CISA AA23-347A, Active Directory Discovery	2026-05-13
Headless Browser Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497 T1564.003	Anomaly	Forest Blizzard, Browser Hijacking	2026-05-13
Detect Regasm with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Handala Wiper, Living Off The Land, Void Manticore, Suspicious Regsvcs Regasm Activity	2026-05-13
Windows Modify Registry Disabling WER Settings	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, Azorult	2026-05-13
Windows Protocol Tunneling with Plink	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.004 T1572	TTP	CISA AA22-257A	2026-05-13
Spoolsv Suspicious Loaded Modules	Sysmon EventID 7	T1547.012	TTP	Black Basta Ransomware, PrintNightmare CVE-2021-34527	2026-05-13
Windows Snake Malware Service Create	Windows Event Log System 7045	T1547.006 T1569.002	TTP	Snake Malware, Compromised Windows Host	2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery	Sysmon EventID 22	T1071.004	TTP	Lokibot	2026-05-13
Windows MOVEit Transfer Writing ASPX	Sysmon EventID 11	T1133 T1190	TTP	Hellcat Ransomware, MOVEit Transfer Critical Vulnerability	2026-05-13
Network Discovery Using Route Windows App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016.001	Hunting	Windows Post-Exploitation, Prestige Ransomware, Qakbot, Active Directory Discovery, CISA AA22-277A	2026-05-13
Cisco Isovalent - Pods Running Offensive Tools	Cisco Isovalent Process Exec	T1204.003	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
PowerShell Start or Stop Service	Powershell Script Block Logging 4104	T1059.001	Anomaly	Scattered Lapsus$ Hunters, Active Directory Lateral Movement	2026-05-13
Windows PowerShell Process With Malicious String	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	TTP	Malicious PowerShell	2026-05-13
Windows Snake Malware Kernel Driver Comadmin	Sysmon EventID 11	T1547.006	TTP	Snake Malware	2026-05-13
Windows Modify Registry wuStatusServer	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
PowerShell Loading DotNET into Memory via Reflection	Powershell Script Block Logging 4104	T1059.001	Anomaly	0bj3ctivity Stealer, AgentTesla, Axios Supply Chain Post Compromise, Data Destruction, Hellcat Ransomware, AsyncRAT, Malicious PowerShell, Hermetic Wiper, Winter Vivern, VIP Keylogger	2026-05-13
Detect SharpHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques, Ransomware, BlackSuit Ransomware	2026-05-13
Windows Multiple Users Remotely Failed To Authenticate From Host	Windows Event Log Security 4625	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows High File Deletion Frequency	Sysmon EventID 23, Sysmon EventID 26	T1485	Anomaly	Handala Wiper, ZOVWiper, Clop Ransomware, NailaoLocker Ransomware, APT37 Rustonotto and FadeStealer, Data Destruction, DynoWiper, WhisperGate, Void Manticore, Swift Slicer, Medusa Ransomware, DarkCrystal RAT, Black Basta Ransomware, Interlock Ransomware, Sandworm Tools	2026-05-13
Allow Operation with Consent Admin	Sysmon EventID 13	T1548	TTP	Windows Registry Abuse, Ransomware, MoonPeak, Azorult	2026-05-13
Windows PowerShell Script From WindowsApps Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1204.002	TTP	Malicious PowerShell, MSIX Package Abuse	2026-05-13
Windows Netspy Network Scanner Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018 T1595	Anomaly	Windows Discovery Techniques, Network Discovery	2026-05-13
Windows Theme File Creation in Unusual Location	Sysmon EventID 11	T1021.002 T1187 T1557.001	Anomaly	Spearphishing Attachments	2026-05-13
Windows Steal Authentication Certificates CertUtil Backup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services	2026-05-13
Common Ransomware Extensions	Sysmon EventID 11	T1485	TTP	Clop Ransomware, NailaoLocker Ransomware, Prestige Ransomware, SamSam Ransomware, Black Basta Ransomware, Termite Ransomware, Rhysida Ransomware, Ryuk Ransomware, Interlock Ransomware, Ransomware, Medusa Ransomware, LockBit Ransomware	2026-05-13
Shai-Hulud 2 Exfiltration Artifact Files	Sysmon EventID 11, Sysmon for Linux EventID 11	T1074.001 T1195.002 T1552.001	TTP	NPM Supply Chain Compromise	2026-05-13
Windows AppLocker Rare Application Launch Detection		T1218	Hunting	Windows AppLocker	2026-05-13
Windows PUA Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	Anomaly	HAFNIUM Group, Seashell Blizzard, Active Directory Lateral Movement, DarkSide Ransomware, Volt Typhoon, Sandworm Tools, Medusa Ransomware, SamSam Ransomware, Cactus Ransomware, Rhysida Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, DarkGate Malware, BlackByte Ransomware, IcedID	2026-05-13
Windows Mock Trusted Directory MSC File Creation	Sysmon EventID 11	T1218.014 T1548.002 T1574	TTP	Windows Privilege Escalation, Windows Persistence Techniques	2026-05-13
Windows Password Managers Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555.005	Anomaly	Scattered Spider, Prestige Ransomware, Scattered Lapsus$ Hunters, Windows Post-Exploitation	2026-05-13
Windows Chromium Process Loaded Extension via Command-Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1185	Anomaly	Browser Hijacking	2026-05-13
Powershell Remote Services Add TrustedHost	Powershell Script Block Logging 4104	T1021.006	TTP	DarkGate Malware	2026-05-13
Remcos RAT File Creation in Remcos Folder	Sysmon EventID 11	T1113	TTP	Remcos	2026-05-13
Windows Unusual Count Of Users Failed To Auth Using Kerberos	Windows Event Log Security 4771	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon, Active Directory Kerberos Attacks	2026-05-13
Windows Forest Discovery with GetForestDomain	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows MMC Loaded Script Engine DLL	Sysmon EventID 7	T1620	Anomaly	XML Runner Loader	2026-05-13
Microsoft Defender ATP Alerts	MS Defender ATP Alerts	N/A	TTP	Critical Alerts	2026-05-13
Windows IIS Components Module Failed to Load	Windows Event Log Application 2282	T1505.004	Anomaly	IIS Components	2026-05-13
Clear Unallocated Sector Using Cipher App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004	TTP	Scattered Spider, Ransomware, Compromised Windows Host	2026-05-13
Shai-Hulud Workflow File Creation or Modification	Sysmon EventID 11, Sysmon for Linux EventID 11	T1195 T1554 T1574.006	TTP	NPM Supply Chain Compromise	2026-05-13
Windows Impair Defense Change Win Defender Tracing Level	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Mimikatz Crypto Export File Extensions	Sysmon EventID 11	T1649	Anomaly	CISA AA23-347A, Sandworm Tools, Windows Certificate Services	2026-05-13
Samsam Test File Write	Sysmon EventID 11	T1486	TTP	SamSam Ransomware	2026-05-13
Windows Modify Registry Disable Win Defender Raw Write Notif	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Azorult	2026-05-13
Windows Chromium Browser No Security Sandbox Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	TTP	Malicious Inno Setup Loader	2026-05-13
Windows Steal Authentication Certificates Certificate Request	Windows Event Log Security 4886	T1649	Anomaly	Windows Certificate Services	2026-05-13
Linux Possible Access To Credential Files	Sysmon for Linux EventID 1	T1003.008	Anomaly	XorDDos, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Linux Auditd Stop Services	Linux Auditd Service Stop	T1489	Hunting	Industroyer2, AwfulShred, Compromised Linux Host, Data Destruction	2026-05-13
Windows System Remote Discovery With Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Medusa Ransomware, Active Directory Discovery	2026-05-13
Creation of Shadow Copy with wmic and powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Living Off The Land, Volt Typhoon, Credential Dumping, Compromised Windows Host	2026-05-13
Windows Known GraphicalProton Loaded Modules	Sysmon EventID 7	T1574.001	Anomaly	CISA AA23-347A, Hellcat Ransomware, Water Gamayun	2026-05-13
Headless Browser Mockbin or Mocky Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003	TTP	Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor	2026-05-13
Linux At Application Execution	Sysmon for Linux EventID 1	T1053.002	Anomaly	Scheduled Tasks, Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
SLUI RunAs Elevated	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host	2026-05-13
Living Off The Land Detection		T1059 T1105 T1133 T1190	Correlation	Living Off The Land, Hellcat Ransomware	2026-05-13
Windows Disable or Modify Tools Via Taskkill	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	PXA Stealer, BlankGrabber Stealer, NjRAT, Crypto Stealer	2026-05-13
Windows MSTSC RDP Commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Medusa Ransomware	2026-05-13
Windows SQL Server Critical Procedures Enabled	Windows Event Log Application 15457	T1505.001	TTP	SQL Server Abuse	2026-05-13
Windows Common Abused Cmd Shell Risk Behavior		T1016 T1033 T1049 T1059 T1222 T1529	Correlation	Microsoft WSUS CVE-2025-59287, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Qakbot, CISA AA23-347A, FIN7, DarkCrystal RAT, Volt Typhoon, Windows Defense Evasion Tactics, Sandworm Tools, Azorult	2026-05-13
Windows PowerView Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	CISA AA23-347A, Rhysida Ransomware, Active Directory Kerberos Attacks	2026-05-13
Suspicious MSBuild Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127.001	TTP	Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild	2026-05-13
Windows Modify Registry DontShowUI	Sysmon EventID 13	T1112	TTP	DarkGate Malware	2026-05-13
Windows Vulnerable Driver Installed	Windows Event Log System 7045	T1543.003	TTP	Windows Drivers, Void Manticore	2026-05-13
Windows File Association Modification via Ftype	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Anomaly	Windows File Extension and Association Abuse	2026-05-13
Scheduled Task Creation on Remote Endpoint using At	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.002	TTP	0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement	2026-05-13
Windows Bypass UAC via Pkgmgr Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	Anomaly	Warzone RAT	2026-05-13
GetWmiObject Ds Computer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Anomaly	Active Directory Discovery	2026-05-13
Esentutl SAM Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002	Hunting	Living Off The Land, Credential Dumping	2026-05-13
Windows ISO LNK File Creation	Sysmon EventID 11	T1204.001 T1566.001	Hunting	AgentTesla, Remcos, Qakbot, Gozi Malware, Azorult, Spearphishing Attachments, Warzone RAT, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Amadey, IcedID	2026-05-13
Windows Remote Service Rdpwinst Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	TTP	Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters, Compromised Windows Host, Azorult	2026-05-13
Remote Process Instantiation via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement, Void Manticore, China-Nexus Threat Activity, CISA AA23-347A, Salt Typhoon, Suspicious WMI Use, Ransomware	2026-05-13
Windows Account Access Removal via Logoff Exec	Sysmon EventID 1	T1059.001 T1531	Anomaly	Crypto Stealer	2026-05-13
Windows Archived Collected Data In TEMP Folder	Sysmon EventID 11	T1560	Anomaly	Braodo Stealer, APT37 Rustonotto and FadeStealer	2026-05-13
Windows InstallUtil Remote Network Connection	Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3	T1218.004	Anomaly	Living Off The Land, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil, Compromised Windows Host	2026-05-13
Windows Audit Policy Auditing Option Modified - Registry	Sysmon EventID 13	T1547.014	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Multiple Users Failed To Authenticate Using Kerberos	Windows Event Log Security 4771	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon, Active Directory Kerberos Attacks	2026-05-13
Windows PowerShell Module File Created	Sysmon EventID 11	T1059.001 T1129 T1574	Anomaly	Malicious PowerShell, Windows Persistence Techniques	2026-05-13
Linux Kworker Process In Writable Process Path	Sysmon for Linux EventID 1	T1036.004	Hunting	Cyclops Blink, Sandworm Tools	2026-05-13
Dump LSASS via comsvcs DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Data Destruction, Flax Typhoon, CISA AA22-264A, Hellcat Ransomware, Compromised Windows Host, Suspicious Rundll32 Activity, Volt Typhoon, CISA AA22-257A, Scattered Lapsus$ Hunters, Credential Dumping	2026-05-13
ETW Registry Disabled	Sysmon EventID 13	T1127 T1685	TTP	Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, CISA AA23-347A, Hermetic Wiper, Windows Registry Abuse	2026-05-13
Windows Process Accessing Windows Recall Directory	Windows Event Log Security 4663	T1059 T1119	Anomaly	Windows Post-Exploitation	2026-05-13
File with Samsam Extension	Sysmon EventID 11	N/A	TTP	Hellcat Ransomware, SamSam Ransomware	2026-05-13
Windows Outlook Macro Created by Suspicious Process	Sysmon EventID 11	T1059.005 T1137	TTP	NotDoor Malware	2026-05-13
Detect Excessive User Account Lockouts		T1078.003	Anomaly	Active Directory Password Spraying, Scattered Lapsus$ Hunters	2026-05-13
Windows Modify Registry NoChangingWallPaper	Sysmon EventID 13	T1112	TTP	Rhysida Ransomware	2026-05-13
SilentCleanup UAC Bypass	Sysmon EventID 13	T1548.002	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, MoonPeak	2026-05-13
Windows Unusual File Creation in Confluence Directory	Sysmon EventID 11	T1190 T1608.001 T1608.002	Anomaly	Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Windows Computer Account Changed to Domain Controller	Windows Event Log Security 4742	T1136.002	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Windows Modify Registry Delete Firewall Rules	Sysmon EventID 12	T1112	TTP	CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker	2026-05-13
Linux Curl Upload File	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1105	TTP	Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise	2026-05-13
Change To Safe Mode With Network Config	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackMatter Ransomware, Black Basta Ransomware	2026-05-13
Windows Unusual NTLM Authentication Users By Source	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Detect MSHTA Url in Command Line	CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Suspicious MSHTA Activity, Cisco Network Visibility Module Analytics, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, Compromised Windows Host, APT37 Rustonotto and FadeStealer, Lumma Stealer	2026-05-13
Executable File Written in Administrative SMB Share	Windows Event Log Security 5145	T1021.002	TTP	Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, Graceful Wipe Out Attack, Trickbot, Compromised Windows Host, Hermetic Wiper, VanHelsing Ransomware, BlackSuit Ransomware, IcedID	2026-05-13
Linux Auditd Nopasswd Entry In Sudoers File	Linux Auditd Proctitle	T1548.003	Anomaly	China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Product Key Registry Query	Windows Event Log Security 4663	T1012	Anomaly	BlankGrabber Stealer	2026-05-13
Linux Setuid Using Setcap Utility	Sysmon for Linux EventID 1	T1548.001	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
High Process Termination Frequency	Sysmon EventID 5	T1486	Anomaly	Clop Ransomware, NailaoLocker Ransomware, Snake Keylogger, Hellcat Ransomware, Termite Ransomware, Rhysida Ransomware, Crypto Stealer, BlackByte Ransomware, Interlock Ransomware, Medusa Ransomware, LockBit Ransomware	2026-05-13
Windows DiskCryptor Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1486	Hunting	Ransomware	2026-05-13
GetWmiObject DS User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	Anomaly	Active Directory Discovery	2026-05-13
Windows Service Create with Tscon	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003 T1563.002	TTP	Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Compromised Windows Host	2026-05-13
GetDomainGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	TTP	Active Directory Discovery	2026-05-13
Detect Certipy File Modifications	Sysmon EventID 11	T1560 T1649	TTP	Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services	2026-05-13
Suspicious Image Creation In Appdata Folder	Sysmon EventID 11, Sysmon EventID 1	T1113	TTP	Remcos, APT37 Rustonotto and FadeStealer	2026-05-13
Remote Process Instantiation via WinRM and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Registry Keys Used For Privilege Escalation	Sysmon EventID 13	T1546.012	TTP	Data Destruction, Windows Privilege Escalation, Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Cloud Federated Credential Abuse	2026-05-13
Rundll32 CreateRemoteThread In Browser	Sysmon EventID 8	T1055	TTP	Living Off The Land, IcedID	2026-05-13
Windows Service Creation Using Registry Entry	Sysmon EventID 13	T1574.011	Anomaly	Active Directory Lateral Movement, Windows Persistence Techniques, Gh0st RAT, China-Nexus Threat Activity, SnappyBee, CISA AA23-347A, Derusbi, SolarWinds WHD RCE Post Exploitation, Salt Typhoon, Suspicious Windows Registry Activities, Crypto Stealer, Windows Registry Abuse, Brute Ratel C4, PlugX	2026-05-13
Windows ESX Admins Group Creation via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Windows DISM Remove Defender	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Compromised Windows Host	2026-05-13
Fsutil Zeroing File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	Ransomware, LockBit Ransomware	2026-05-13
Windows AppLocker Privilege Escalation via Unauthorized Bypass		T1218	TTP	Windows AppLocker	2026-05-13
MacOS Log Removal	Osquery Results	T1070	TTP	MacOS Post-Exploitation	2026-05-13
GetWmiObject User Account with PowerShell Script Block	Powershell Script Block Logging 4104	T1059.001 T1087.001	Hunting	Malicious PowerShell, Winter Vivern, Active Directory Discovery	2026-05-13
Windows Impair Defense Add Xml Applocker Rules	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Hunting	Azorult	2026-05-13
Windows User Discovery Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Sandworm Tools, Active Directory Discovery, Medusa Ransomware	2026-05-13
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials	Windows Event Log Security 4648	T1110.003	Anomaly	Insider Threat, Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Default Rdp File Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows AD AdminSDHolder ACL Modified	Windows Event Log Security 5136	T1546	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Microsoft Defender Incident Alerts	MS365 Defender Incident Alerts	N/A	TTP	Critical Alerts	2026-05-13
Powershell Creating Thread Mutex	Powershell Script Block Logging 4104	T1027.005 T1059.001	TTP	Malicious PowerShell, Water Gamayun	2026-05-13
Windows Autostart Execution LSASS Driver Registry Modification	Sysmon EventID 13	T1547.008	TTP	Windows Registry Abuse	2026-05-13
Spoolsv Spawning Rundll32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1547.012	TTP	Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527	2026-05-13
Windows Service Stop By Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Hunting	Graceful Wipe Out Attack, Crypto Stealer, Azorult	2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries	Sysmon EventID 10	T1134.001	Anomaly	Castle RAT	2026-05-13
Linux Kernel Module Enumeration	Sysmon for Linux EventID 1	T1014 T1082	Anomaly	Linux Rootkit, XorDDos	2026-05-13
Detect AzureHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques, Compromised Windows Host	2026-05-13
PowerShell Domain Enumeration	Powershell Script Block Logging 4104	T1059.001	TTP	Microsoft WSUS CVE-2025-59287, Data Destruction, CISA AA23-347A, Malicious PowerShell, Hermetic Wiper, Interlock Ransomware	2026-05-13
Windows DLL Search Order Hijacking Hunt with Sysmon	Sysmon EventID 7	T1574.001	Hunting	Living Off The Land, Windows Defense Evasion Tactics, Malicious Inno Setup Loader, Qakbot	2026-05-13
Sqlite Module In Temp Folder	Sysmon EventID 11	T1005	TTP	Lokibot, IcedID	2026-05-13
Windows Rdp AutomaticDestinations Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Multiple Users Failed To Authenticate From Host Using NTLM	Windows Event Log Security 4776	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Chromium Browser with Custom User Data Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Malicious Inno Setup Loader, Lokibot, StealC Stealer	2026-05-13
Windows NirSoft Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1588.002	Hunting	Data Destruction, WhisperGate	2026-05-13
Linux Auditd Hidden Files And Directories Creation	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows AppLocker Execution from Uncommon Locations		T1218	Hunting	Windows AppLocker	2026-05-13
Windows Potential Web Shell Creation For VMware Workspace ONE	Sysmon EventID 11	T1505.003	Anomaly	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Server Side Injection and Privilege Escalation, VMware Aria Operations vRealize CVE-2023-20887	2026-05-13
Detect SharpHound Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques, Ransomware	2026-05-13
Linux Auditd Auditd Daemon Start	Linux Auditd Daemon Start	T1685.004	Anomaly	Compromised Linux Host	2026-05-13
SchCache Change By App Connect And Create ADSI Object	Sysmon EventID 11	T1087.002	Anomaly	BlackMatter Ransomware	2026-05-13
Windows Explorer LNK Exploit Process Launch With Padding	Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1204.002	TTP	ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day	2026-05-13
Linux Unix Shell Enable All SysRq Functions	Sysmon for Linux EventID 1	T1059.004	Anomaly	Data Destruction, AwfulShred	2026-05-13
Windows Steal Authentication Certificates Certificate Issued	Windows Event Log Security 4887	T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Service Created with Suspicious Service Path	Windows Event Log System 7045	T1569.002	TTP	Snake Malware, Active Directory Lateral Movement, Clop Ransomware, Gh0st RAT, Flax Typhoon, APT37 Rustonotto and FadeStealer, China-Nexus Threat Activity, Qakbot, CISA AA23-347A, Derusbi, Salt Typhoon, Crypto Stealer, Brute Ratel C4, PlugX	2026-05-13
Cisco NVM - Rclone Execution With Network Activity	Cisco Network Visibility Module Flow Data	T1567.002	Anomaly	Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics	2026-05-13
Unknown Process Using The Kerberos Protocol	Sysmon EventID 1, Sysmon EventID 3	T1550	TTP	BlackSuit Ransomware, Active Directory Kerberos Attacks	2026-05-13
Windows Defender ASR Rules Stacking	Windows Event Log Defender 1126, Windows Event Log Defender 5007, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1125, Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1134, Windows Event Log Defender 1133	T1059 T1566.001 T1566.002	Hunting	Windows Attack Surface Reduction	2026-05-13
Wmiprvse LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement	2026-05-13
Credential Dumping via Symlink to Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Credential Dumping, Compromised Windows Host	2026-05-13
Windows Modify System Firewall with Notable Process Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686	TTP	Medusa Ransomware, NjRAT, Compromised Windows Host	2026-05-13
Crowdstrike Medium Identity Risk Severity		T1110	TTP	Compromised Windows Host	2026-05-13
Windows WinPEAS PowerShell Script Execution	Powershell Script Block Logging 4104	T1007 T1016 T1033 T1082 T1590 T1592.002 T1592.004 T1615	TTP	Windows Post-Exploitation	2026-05-13
Windows Remote Access Software BRC4 Loaded Dll	Sysmon EventID 7	T1003 T1219	Anomaly	Brute Ratel C4	2026-05-13
Local Account Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Scattered Lapsus$ Hunters, Active Directory Discovery	2026-05-13
Windows WMIC Shadowcopy Delete	Sysmon EventID 1	T1490	Anomaly	Volt Typhoon, Cactus Ransomware, Suspicious WMI Use	2026-05-13
Windows ScManager Security Descriptor Tampering Via Sc.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569.002	TTP	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows Impair Defenses Disable AV AutoStart via Registry	Sysmon EventID 13	T1112	TTP	Scattered Lapsus$ Hunters, ValleyRAT	2026-05-13
Ryuk Test Files Detected	Sysmon EventID 11	T1486	TTP	Ryuk Ransomware	2026-05-13
Windows Set Network Profile Category to Private via Registry	Sysmon EventID 13	T1112	Anomaly	Secret Blizzard	2026-05-13
Local LLM Framework DNS Query	Sysmon EventID 22	T1590	Hunting	Suspicious Local LLM Frameworks	2026-05-13
Windows Driver Load Non-Standard Path	Windows Event Log System 7045	T1014 T1068	TTP	AgentTesla, Windows Drivers, CISA AA22-320A, BlackByte Ransomware, BlackSuit Ransomware	2026-05-13
Cisco NVM - Webserver Download From File Sharing Website	Cisco Network Visibility Module Flow Data	T1105 T1190	TTP	GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics	2026-05-13
Linux c99 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux SSH Authorized Keys Modification	Sysmon for Linux EventID 1	T1098.004	Anomaly	Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware	2026-05-13
PetitPotam Network Share Access Request	Windows Event Log Security 5145	T1187	TTP	PetitPotam NTLM Relay on Active Directory Certificate Services	2026-05-13
Windows Modify Registry LongPathsEnabled	Sysmon EventID 13	T1112	Anomaly	BlackByte Ransomware	2026-05-13
Cisco Isovalent - Potential Escape to Host	Cisco Isovalent Process Exec	T1611	Anomaly	Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware	2026-05-13
Verclsid CLSID Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.012	Hunting	Unusual Processes	2026-05-13
Disable AMSI Through Registry	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Registry Abuse, Ransomware	2026-05-13
Linux Medusa Rootkit	Sysmon for Linux EventID 11	T1014 T1589.001	TTP	VoidLink Cloud-Native Linux Malware, Hellcat Ransomware, China-Nexus Threat Activity, Medusa Rootkit	2026-05-13
Windows CrowdStrike Agent Registry Key Removal	Sysmon EventID 12	T1685	Anomaly	Windows Defense Evasion Tactics, Security Solution Tampering	2026-05-13
Windows Modify Registry ValleyRAT C2 Config	Sysmon EventID 13	T1112	TTP	ValleyRAT	2026-05-13
Windows SOAPHound Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques, Compromised Windows Host	2026-05-13
Windows Credential Target Information Structure in Commandline	Sysmon EventID 1	T1071.004 T1187 T1557.001	TTP	Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp	2026-05-13
Linux Stop Services	Sysmon for Linux EventID 1	T1489	TTP	Industroyer2, Data Destruction, AwfulShred	2026-05-13
Windows EDRSilencer Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Wsmprovhost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	TTP	CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement	2026-05-13
Linux Possible Ssh Key File Creation	Sysmon for Linux EventID 11	T1098.004	Anomaly	Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Audit Policy Disabled via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Suspicious SQLite3 LSQuarantine Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1074	TTP	Silver Sparrow	2026-05-13
Nishang PowershellTCPOneLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	TTP	HAFNIUM Group, Cleo File Transfer Software	2026-05-13
Windows Multiple Users Failed To Authenticate From Process	Windows Event Log Security 4625	T1110.003	TTP	Insider Threat, Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows RDP File Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1598.002	TTP	Interlock Ransomware, Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments	2026-05-13
Windows DisableAntiSpyware Registry	Sysmon EventID 13	T1685	TTP	RedLine Stealer, CISA AA22-264A, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Ryuk Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult	2026-05-13
Linux MySQL Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows PowerShell Script TabExpansion Direct Call	Powershell Script Block Logging 4104	T1059.001 T1129	Anomaly	Malicious PowerShell	2026-05-13
PaperCut NG Remote Web Access Attempt	Suricata	T1133 T1190	TTP	PaperCut MF NG Vulnerability	2026-05-13
Hunting for Log4Shell	Nginx Access	T1133 T1190	Hunting	Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
Windows IIS Server PSWA Console Access	Windows IIS	T1190	Hunting	CISA AA24-241A	2026-05-13
Zscaler Exploit Threat Blocked		T1566	TTP	Zscaler Browser Proxy Threats	2026-05-13
Zscaler Malware Activity Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Web Remote ShellServlet Access	Nginx Access	T1190	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, GhostRedirector IIS Module and Rungan Backdoor	2026-05-13
Web Spring4Shell HTTP Request Class Module	Splunk Stream HTTP	T1133 T1190	TTP	Spring4Shell CVE-2022-22965	2026-05-13
Zscaler Behavior Analysis Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
SAP NetWeaver Visual Composer Exploitation Attempt	Suricata	T1190	Hunting	SAP NetWeaver Exploitation	2026-05-13
Unusually Long Content-Type Length		N/A	Anomaly	Apache Struts Vulnerability	2026-05-13
Log4Shell JNDI Payload Injection with Outbound Connection		T1133 T1190	Anomaly	Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
JetBrains TeamCity Authentication Bypass CVE-2024-27198	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2026-05-13
Zscaler Phishing Activity Threat Blocked		T1566	Anomaly	Hellcat Ransomware, Zscaler Browser Proxy Threats	2026-05-13
Tomcat Session Deserialization Attempt	Nginx Access	T1190 T1505.003	Anomaly	Apache Tomcat Session Deserialization Attacks	2026-05-13
Zscaler Scam Destinations Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Cisco IOS XE Implant Access	Suricata	T1190	TTP	Cisco IOS XE Software Web Management User Interface vulnerability	2026-05-13
Zscaler Virus Download threat blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Zscaler Potentially Abused File Download		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Adobe ColdFusion Access Control Bypass	Suricata	T1190	Anomaly	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2026-05-13
Juniper Networks Remote Code Execution Exploit Detection	Suricata	T1059 T1105 T1190	TTP	Juniper JunOS Remote Code Execution	2026-05-13
Adobe ColdFusion Unauthenticated Arbitrary File Read	Suricata	T1190	Anomaly	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2026-05-13
Zscaler Employment Search Web Activity		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
HTTP Duplicated Header	Suricata	T1071.001 T1190	Anomaly	HTTP Request Smuggling	2026-05-13
Ivanti EPM SQL Injection Remote Code Execution	Suricata	T1190	TTP	Ivanti EPM Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware	2026-05-13
Spring4Shell Payload URL Request	Nginx Access	T1133 T1190 T1505.003	TTP	Spring4Shell CVE-2022-22965	2026-05-13
Ivanti Connect Secure Command Injection Attempts	Suricata	T1190	TTP	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2026-05-13
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527	Suricata	T1190	TTP	Confluence Data Center and Confluence Server Vulnerabilities	2026-05-13
Detect Web Access to Decommissioned S3 Bucket	AWS Cloudfront	T1485	Anomaly	AWS S3 Bucket Security Monitoring, Data Destruction	2026-05-13
Ivanti Connect Secure SSRF in SAML Component	Suricata	T1190	TTP	Ivanti Connect Secure VPN Vulnerabilities	2026-05-13
Supernova Webshell		T1133 T1505.003	TTP	Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, NOBELIUM Group	2026-05-13
Windows Exchange Autodiscover SSRF Abuse	Windows IIS	T1133 T1190	TTP	ProxyShell, Seashell Blizzard, BlackByte Ransomware, ProxyNotShell	2026-05-13
JetBrains TeamCity RCE Attempt	Suricata	T1190	TTP	JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities, CISA AA23-347A	2026-05-13
ProxyShell ProxyNotShell Behavior Detected		T1133 T1190	Correlation	ProxyShell, Seashell Blizzard, ProxyNotShell	2026-05-13
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2026-05-13
Log4Shell JNDI Payload Injection Attempt	Nginx Access	T1133 T1190	Anomaly	Log4Shell CVE-2021-44228, CISA AA22-257A, CISA AA22-320A	2026-05-13
Detect attackers scanning for vulnerable JBoss servers		T1082 T1133	TTP	JBoss Vulnerability, SamSam Ransomware	2026-05-13
High Volume of Bytes Out to Url	Nginx Access	T1567	Anomaly	Data Exfiltration, Hellcat Ransomware	2026-05-13
Windows SharePoint Spinstall0 GET Request	Suricata	T1190 T1505.003 T1552	TTP	Microsoft SharePoint Vulnerabilities	2026-05-13
WS FTP Remote Code Execution	Suricata	T1190	TTP	WS FTP Server Critical Vulnerabilities	2026-05-13
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint	Suricata	T1190	TTP	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2026-05-13
Zscaler Privacy Risk Destinations Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
VMWare Aria Operations Exploit Attempt	Palo Alto Network Threat	T1068 T1133 T1190 T1210	TTP	VMware Aria Operations vRealize CVE-2023-20887	2026-05-13
Nginx ConnectWise ScreenConnect Authentication Bypass	Nginx Access	T1190	TTP	Hellcat Ransomware, Scattered Lapsus$ Hunters, Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities	2026-05-13
Tomcat Session File Upload Attempt	Nginx Access	T1190 T1505.003	Anomaly	Apache Tomcat Session Deserialization Attacks	2026-05-13
Microsoft SharePoint Server Elevation of Privilege	Suricata	T1068	Anomaly	Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357	2026-05-13
Detect F5 TMUI RCE CVE-2020-5902		T1190	TTP	F5 TMUI RCE CVE-2020-5902	2026-05-13
Fortinet Appliance Auth bypass	Palo Alto Network Threat	T1133 T1190	TTP	CVE-2022-40684 Fortinet Appliance Auth bypass	2026-05-13
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure	Suricata	T1190	Anomaly	Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777	2026-05-13
SQL Injection with Long URLs		T1190	TTP	SQL Injection, GhostRedirector IIS Module and Rungan Backdoor	2026-05-13
Detect Remote Access Software Usage URL	Palo Alto Network Threat	T1219	Anomaly	Remote Monitoring and Management Software, CISA AA24-241A, Scattered Lapsus$ Hunters, Command And Control, Insider Threat, Interlock Ransomware, Ransomware	2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082	Suricata	T1133 T1190	TTP	Ivanti EPMM Remote Unauthenticated Access	2026-05-13
Web Spring Cloud Function FunctionRouter	Splunk Stream HTTP	T1133 T1190	TTP	Spring4Shell CVE-2022-22965	2026-05-13
Zscaler CryptoMiner Downloaded Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Windows SharePoint ToolPane Endpoint Exploitation Attempt	Suricata	T1190 T1505.003	TTP	Microsoft SharePoint Vulnerabilities	2026-05-13
F5 TMUI Authentication Bypass	Suricata	N/A	TTP	F5 Authentication Bypass with TMUI	2026-05-13
HTTP Request to Reserved Name on IIS Server	Suricata	T1071.001 T1190	TTP	HTTP Request Smuggling	2026-05-13
Confluence CVE-2023-22515 Trigger Vulnerability	Suricata	T1190	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Jenkins Arbitrary File Read CVE-2024-23897	Nginx Access	T1190	TTP	Jenkins Server Vulnerabilities, Hellcat Ransomware	2026-05-13
Citrix ADC Exploitation CVE-2023-3519	Palo Alto Network Threat	T1190	Hunting	Citrix Netscaler ADC CVE-2023-3519, CISA AA24-241A	2026-05-13
Confluence Data Center and Server Privilege Escalation	Nginx Access	T1190	TTP	Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952	Palo Alto Network Threat	T1133 T1190	TTP	Hellcat Ransomware, Fortinet FortiNAC CVE-2022-39952	2026-05-13
Monitor Web Traffic For Brand Abuse		N/A	TTP	Brand Monitoring	2026-05-13
Ivanti Connect Secure System Information Access via Auth Bypass	Suricata	T1190	Anomaly	CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities	2026-05-13
Citrix ShareFile Exploitation CVE-2023-24489	Suricata	T1190	Hunting	Citrix ShareFile RCE CVE-2023-24489	2026-05-13
Java Class File download by Java User Agent	Splunk Stream HTTP	T1190	TTP	Log4Shell CVE-2021-44228	2026-05-13
Exploit Public Facing Application via Apache Commons Text	Nginx Access	T1133 T1190 T1505.003	Anomaly	Text4Shell CVE-2022-42889	2026-05-13
Citrix ADC and Gateway Unauthorized Data Disclosure	Suricata	T1190	TTP	Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters	2026-05-13
Confluence Unauthenticated Remote Code Execution CVE-2022-26134	Palo Alto Network Threat	T1133 T1190 T1505	TTP	Confluence Data Center and Confluence Server Vulnerabilities, Atlassian Confluence Server and Data Center CVE-2022-26134	2026-05-13
CrushFTP Authentication Bypass Exploitation	CrushFTP	T1059.001 T1059.003 T1190	TTP	CrushFTP Vulnerabilities, Hellcat Ransomware	2026-05-13
Plain HTTP POST Exfiltrated Data	Splunk Stream HTTP	T1048.003	TTP	Data Exfiltration, APT37 Rustonotto and FadeStealer, Command And Control	2026-05-13
Detect malicious requests to exploit JBoss servers		N/A	TTP	JBoss Vulnerability, SamSam Ransomware	2026-05-13
Zscaler Adware Activities Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
HTTP Rapid POST with Mixed Status Codes	Nginx Access	T1071.001 T1190 T1595	Anomaly	HTTP Request Smuggling	2026-05-13
CrushFTP Max Simultaneous Users From IP	CrushFTP	T1110.001 T1110.004	Anomaly	CrushFTP Vulnerabilities	2026-05-13
Web JSP Request via URL	Nginx Access	T1133 T1190 T1505.003	TTP	Earth Alux, Spring4Shell CVE-2022-22965	2026-05-13
ConnectWise ScreenConnect Authentication Bypass	Suricata	T1190	TTP	Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities	2026-05-13
WordPress Bricks Builder plugin RCE	Nginx Access	T1190	TTP	Hellcat Ransomware, WordPress Vulnerabilities	2026-05-13
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198	Suricata	T1190	TTP	Hellcat Ransomware, JetBrains TeamCity Vulnerabilities	2026-05-13
VMware Workspace ONE Freemarker Server-side Template Injection	Palo Alto Network Threat	T1133 T1190	Anomaly	VMware Server Side Injection and Privilege Escalation	2026-05-13
Zscaler Legal Liability Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
HTTP Possible Request Smuggling	Suricata	T1071.001	TTP	HTTP Request Smuggling	2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078	Suricata	T1133 T1190	TTP	Ivanti EPMM Remote Unauthenticated Access	2026-05-13
VMware Server Side Template Injection Hunt	Palo Alto Network Threat	T1133 T1190	Hunting	VMware Server Side Injection and Privilege Escalation	2026-05-13
Multiple Archive Files Http Post Traffic	Splunk Stream HTTP	T1048.003	TTP	Data Exfiltration, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Command And Control	2026-05-13
ESXi Syslog Config Change	VMWare ESXi Syslog	T1690	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - Device File Copy to Remote Location	Cisco ASA Logs	T1005 T1041 T1048.003	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
ESXi Shared or Stolen Root Account	VMWare ESXi Syslog	T1078	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Bulk VM Termination	VMWare ESXi Syslog	T1499 T1529 T1673	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Lockdown Mode Disabled	VMWare ESXi Syslog	T1685	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Loghost Config Tampering	VMWare ESXi Syslog	T1685	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Multiple Accounts Locked Out	Okta	T1110	Anomaly	Okta Account Takeover	2026-05-13
Cisco ASA - Logging Disabled via CLI	Cisco ASA Logs	T1685	TTP	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
ESXi Encryption Settings Modified	VMWare ESXi Syslog	T1685	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Firewall Disabled	VMWare ESXi Syslog	T1686	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - New Local User Account Created	Cisco ASA Logs	T1078.003 T1136.001	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
PingID New MFA Method Registered For User	PingID	T1098.005 T1556.006 T1621	TTP	Compromised User Account	2026-05-13
Okta Multi-Factor Authentication Disabled	Okta	T1556.006	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Okta Multiple Users Failing To Authenticate From Ip	Okta	T1110.003	Anomaly	Okta Account Takeover	2026-05-13
Cisco Duo Policy Allow Old Java	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Admin Login Unusual Os	Cisco Duo Activity	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco ASA - User Privilege Level Change	Cisco ASA Logs	T1078.003 T1098	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
ESXi SSH Brute Force	VMWare ESXi Syslog	T1110	Anomaly	Hellcat Ransomware, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Sensitive Files Accessed	VMWare ESXi Syslog	T1003.008 T1005	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Suspicious Use of a Session Cookie	Okta	T1539	Anomaly	Scattered Lapsus$ Hunters, Suspicious Okta Activity, Okta Account Takeover	2026-05-13
M365 Copilot Application Usage Pattern Anomalies	M365 Copilot Graph API	T1078	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Zoom Rare Input Devices		T1123	Hunting	Remote Employment Fraud	2026-05-13
ESXi Shell Access Enabled	VMWare ESXi Syslog	T1021	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Detect Password Spray Attempts	Windows Event Log Security 4625	T1110.003	TTP	Active Directory Password Spraying, Compromised User Account	2026-05-13
Splunk AppDynamics Secure Application Alerts	Splunk AppDynamics Secure Application Alert	N/A	Anomaly	Critical Alerts	2026-05-13
Cisco Duo Policy Allow Devices Without Screen Lock	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi SSH Enabled	VMWare ESXi Syslog	T1021.004	TTP	Hellcat Ransomware, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
M365 Copilot Failed Authentication Patterns	M365 Copilot Graph API	T1110	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Okta New API Token Created	Okta	T1078.001	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
M365 Copilot Non Compliant Devices Accessing M365 Copilot	M365 Copilot Graph API	T1685	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Cisco Duo Policy Allow Old Flash	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Admin Login Unusual Country	Cisco Duo Activity	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco AI Defense Security Alerts by Application Name	Cisco AI Defense Alerts	N/A	Anomaly	Critical Alerts	2026-05-13
MCP Sensitive System File Search	MCP Server	T1552.001	Hunting	Suspicious MCP Activities	2026-05-13
M365 Copilot Jailbreak Attempts	M365 Exported eDiscovery Prompts	T1685	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Ivanti VTM New Account Creation	Ivanti VTM Audit	T1190	TTP	Scattered Lapsus$ Hunters, Ivanti Virtual Traffic Manager CVE-2024-7593, Hellcat Ransomware	2026-05-13
Zoom High Video Latency		T1078	Anomaly	Remote Employment Fraud	2026-05-13
Okta Phishing Detection with FastPass Origin Check	Okta	T1078.001 T1556	TTP	Okta Account Takeover	2026-05-13
ESXi External Root Login Activity	VMWare ESXi Syslog	T1078	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - User Account Deleted From Local Database	Cisco ASA Logs	T1070.008 T1531	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco ASA - AAA Policy Tampering	Cisco ASA Logs	T1556.004	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Okta New Device Enrolled on Account	Okta	T1098.005	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
PingID Multiple Failed MFA Requests For User	PingID	T1078 T1110 T1621	TTP	Compromised User Account	2026-05-13
Email servers sending high volume traffic to hosts		T1114.002	Anomaly	HAFNIUM Group, Collection and Staging	2026-05-13
No Windows Updates in a time frame		N/A	Hunting	Monitor for Updates	2026-05-13
Cisco Duo Bypass Code Generation	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
MCP Github Suspicious Operation	MCP Server	T1552.001	Hunting	Suspicious MCP Activities	2026-05-13
Cisco ASA - Logging Message Suppression	Cisco ASA Logs	T1070 T1685.001	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco ASA - Reconnaissance Command Activity	Cisco ASA Logs	T1082 T1590.001 T1590.005	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco Duo Policy Skip 2FA for Other Countries	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi Account Modified	VMWare ESXi Syslog	T1078 T1098 T1136.001	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta IDP Lifecycle Modifications	Okta	T1087.004	Anomaly	Suspicious Okta Activity	2026-05-13
ESXi User Granted Admin Role	VMWare ESXi Syslog	T1078 T1098	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Ollama Abnormal Service Crash Availability Attack	Ollama Server	T1489	Anomaly	Suspicious Ollama Activities	2026-05-13
ESXi Reverse Shell Patterns	VMWare ESXi Syslog	T1059	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Email Attachments With Lots Of Spaces		T1036.008 T1566.001	Anomaly	Hermetic Wiper, Suspicious Emails, Data Destruction, Emotet Malware DHS Report TA18-201A	2026-05-13
Ollama Possible Memory Exhaustion Resource Abuse	Ollama Server	T1499	Anomaly	Suspicious Ollama Activities	2026-05-13
Ollama Possible RCE via Model Loading	Ollama Server	T1190	Anomaly	Suspicious Ollama Activities	2026-05-13
Detect HTML Help Spawn Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity, Compromised Windows Host, APT37 Rustonotto and FadeStealer	2026-05-13
Okta Suspicious Activity Reported	Okta	T1078.001	TTP	Okta Account Takeover	2026-05-13
ESXi System Clock Manipulation	VMWare ESXi Syslog	T1070.006	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - Core Syslog Message Volume Drop	Cisco ASA Logs	T1685	Hunting	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Zoom Rare Audio Devices		T1123	Hunting	Remote Employment Fraud	2026-05-13
Cisco ASA - Packet Capture Activity	Cisco ASA Logs	T1040 T1557	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
PingID New MFA Method After Credential Reset	PingID	T1098.005 T1556.006 T1621	TTP	Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
ESXi VM Discovery	VMWare ESXi Syslog	T1673	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Multiple Failed MFA Requests For User	Okta	T1621	Anomaly	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Okta Risk Threshold Exceeded	Okta	T1078 T1110	Correlation	Suspicious Okta Activity, Okta MFA Exhaustion, Okta Account Takeover	2026-05-13
Okta Unauthorized Access to Application	Okta	T1087.004	Anomaly	Okta Account Takeover	2026-05-13
Suspicious Java Classes		T1190	Anomaly	Apache Struts Vulnerability	2026-05-13
MCP Prompt Injection	MCP Server	T1059	TTP	Suspicious MCP Activities	2026-05-13
Ollama Abnormal Network Connectivity	Ollama Server	T1571	Anomaly	Suspicious Ollama Activities	2026-05-13
Monitor Email For Brand Abuse		N/A	TTP	Scattered Lapsus$ Hunters, Suspicious Emails, Brand Monitoring	2026-05-13
Okta User Logins from Multiple Cities	Okta	T1586.003	Anomaly	Okta Account Takeover	2026-05-13
Cisco Duo Bulk Policy Deletion	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Detect Distributed Password Spray Attempts	Azure Active Directory Sign-in activity	T1110.003	Hunting	Active Directory Password Spraying, Compromised User Account	2026-05-13
Ollama Suspicious Prompt Injection Jailbreak	Ollama Server	T1059 T1190	Anomaly	Suspicious Ollama Activities	2026-05-13
ESXi VIB Acceptance Level Tampering	VMWare ESXi Syslog	T1685	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Suspicious Email Attachment Extensions		T1566.001	Anomaly	Hermetic Wiper, Suspicious Emails, Data Destruction, Emotet Malware DHS Report TA18-201A	2026-05-13
Cisco Duo Policy Allow Tampered Devices	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Set User Status to Bypass 2FA	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Okta Multiple Failed Requests to Access Applications	Okta	T1538 T1550.004	Hunting	Okta Account Takeover	2026-05-13
Email files written outside of the Outlook directory	Sysmon EventID 11	T1114.001	TTP	Collection and Staging	2026-05-13
M365 Copilot Information Extraction Jailbreak Attack	M365 Exported eDiscovery Prompts	T1685	TTP	Suspicious Microsoft 365 Copilot Activities	2026-05-13
CrushFTP Server Side Template Injection	CrushFTP	T1190	TTP	CrushFTP Vulnerabilities, Hellcat Ransomware	2026-05-13
MCP Postgres Suspicious Query	MCP Server	T1555	Hunting	Suspicious MCP Activities	2026-05-13
Cisco Duo Policy Deny Access	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Policy Bypass 2FA	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi Malicious VIB Forced Install	VMWare ESXi Syslog	T1505.006	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Mismatch Between Source and Response for Verify Push Request	Okta	T1621	TTP	Scattered Lapsus$ Hunters, Okta MFA Exhaustion, Okta Account Takeover	2026-05-13
Cisco ASA - Logging Filters Configuration Tampering	Cisco ASA Logs	T1685	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
MCP Filesystem Server Suspicious Extension Write	MCP Server	T1059	Hunting	Suspicious MCP Activities	2026-05-13
Okta MFA Exhaustion Hunt	Okta	T1110	Hunting	Scattered Lapsus$ Hunters, Okta MFA Exhaustion, Okta Account Takeover	2026-05-13
ESXi System Information Discovery	VMWare ESXi Syslog	T1082	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Successful Single Factor Authentication	Okta	T1078.004 T1586.003 T1621	Anomaly	Okta Account Takeover	2026-05-13
ESXi Audit Tampering	VMWare ESXi Syslog	T1070 T1690	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Ollama Excessive API Requests	Ollama Server	T1498	Anomaly	Suspicious Ollama Activities	2026-05-13
M365 Copilot Session Origin Anomalies	M365 Copilot Graph API	T1078	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
M365 Copilot Agentic Jailbreak Attack	M365 Exported eDiscovery Prompts	T1685	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
ESXi VM Exported via Remote Tool	VMWare ESXi Syslog	T1005	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - Device File Copy Activity	Cisco ASA Logs	T1005 T1530	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco ASA - User Account Lockout Threshold Exceeded	Cisco ASA Logs	T1110.001 T1110.003	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco Duo Policy Allow Network Bypass 2FA	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Zoom Rare Video Devices		T1123	Hunting	Remote Employment Fraud	2026-05-13
Detect New Login Attempts to Routers		N/A	TTP	Scattered Lapsus$ Hunters, Router and Infrastructure Security	2026-05-13
Ollama Possible API Endpoint Scan Reconnaissance	Ollama Server	T1595	Anomaly	Suspicious Ollama Activities	2026-05-13
Ollama Possible Model Exfiltration Data Leakage	Ollama Server	T1048	Anomaly	Suspicious Ollama Activities	2026-05-13
Okta Authentication Failed During MFA Challenge	Okta	T1078.004 T1586.003 T1621	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Okta ThreatInsight Threat Detected	Okta	T1078.004	Anomaly	Okta Account Takeover	2026-05-13
PingID Mismatch Auth Source and Verification Response	PingID	T1098.005 T1556.006 T1621	TTP	Compromised User Account	2026-05-13
Cisco Duo Admin Login Unusual Browser	Cisco Duo Activity	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi Download Errors	VMWare ESXi Syslog	T1601.001 T1685	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
O365 ZAP Activity Detection	Office 365 Universal Audit Log	T1566.001 T1566.002	Anomaly	Spearphishing Attachments, Suspicious Emails	2026-05-13
AWS Defense Evasion Impair Security Services	AWS CloudTrail DeleteRule, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteWebACL, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteAlarms	T1685.002	TTP	AWS Defense Evasion	2026-05-13
O365 Excessive SSO logon errors	O365 UserLoginFailed	T1556	Anomaly	Cloud Federated Credential Abuse, Office 365 Account Takeover	2026-05-13
GCP Successful Single-Factor Authentication	Google Workspace	T1078.004 T1586.003	TTP	Scattered Lapsus$ Hunters, GCP Account Takeover	2026-05-13
Kubernetes Scanner Image Pulling		T1526	TTP	Dev Sec Ops	2026-05-13
O365 Email Transport Rule Changed	Office 365 Universal Audit Log	T1114.003 T1564.008	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
O365 Advanced Audit Disabled	O365 Change user license.	T1685.002	TTP	Office 365 Persistence Mechanisms	2026-05-13
ASL AWS IAM Successful Group Deletion	ASL AWS CloudTrail	T1069.003 T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
AWS SAML Update identity provider	AWS CloudTrail UpdateSAMLProvider	T1078	TTP	Cloud Federated Credential Abuse	2026-05-13
ASL AWS IAM AccessDenied Discovery Events	ASL AWS CloudTrail	T1580	Anomaly	Suspicious Cloud User Activities	2026-05-13
ASL AWS Disable Bucket Versioning	ASL AWS CloudTrail	T1490	Anomaly	Suspicious AWS S3 Activities, Data Exfiltration	2026-05-13
ASL AWS ECR Container Upload Unknown User	ASL AWS CloudTrail	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Multiple Failed MFA Requests For User	AWS CloudTrail ConsoleLogin	T1586.003 T1621	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
AWS Network Access Control List Created with All Open Ports	AWS CloudTrail ReplaceNetworkAclEntry, AWS CloudTrail CreateNetworkAclEntry	T1686.001	TTP	AWS Network ACL Activity	2026-05-13
O365 Cross-Tenant Access Change	Office 365 Universal Audit Log	T1484.002	TTP	Azure Active Directory Persistence	2026-05-13
Kubernetes newly seen UDP edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
GCP Detect gcploit framework		T1078	TTP	GCP Cross Account Activity	2026-05-13
Kubernetes Cron Job Creation	Kubernetes Audit	T1053.007	Anomaly	Kubernetes Security	2026-05-13
Cloud Provisioning Activity From Previously Unseen IP Address	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
O365 Service Principal Privilege Escalation	O365 Add app role assignment grant to user.	T1098.003	TTP	Azure Active Directory Privilege Escalation, Office 365 Account Takeover	2026-05-13
Microsoft Intune Device Health Scripts	Azure Monitor Activity	T1021.007 T1072 T1105 T1202	Hunting	Azure Active Directory Account Takeover	2026-05-13
Azure AD Multiple Denied MFA Requests For User	Azure Active Directory Sign-in activity	T1621	TTP	Azure Active Directory Account Takeover	2026-05-13
Detect AWS Console Login by New User	AWS CloudTrail	T1552 T1586.003	Hunting	Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover	2026-05-13
O365 SharePoint Suspicious Search Behavior	Office 365 Universal Audit Log	T1213.002 T1552	Anomaly	CISA AA22-320A, Compromised User Account, Office 365 Collection Techniques, Office 365 Account Takeover	2026-05-13
O365 File Permissioned Application Consent Granted by User	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2026-05-13
O365 Email Reported By User Found Malicious	Office 365 Universal Audit Log	T1566.001 T1566.002	TTP	Spearphishing Attachments, Suspicious Emails	2026-05-13
ASL AWS New MFA Method Registered For User	ASL AWS CloudTrail	T1556.006	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Nginx Ingress LFI		T1212	TTP	Dev Sec Ops	2026-05-13
O365 Email Security Feature Changed	Office 365 Universal Audit Log	T1685.002	TTP	Office 365 Account Takeover, Office 365 Persistence Mechanisms	2026-05-13
AWS Excessive Security Scanning	AWS CloudTrail	T1526	TTP	AWS User Monitoring	2026-05-13
GitHub Organizations Disable Dependabot	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
Azure AD Successful PowerShell Authentication	Azure Active Directory	T1078.004 T1586.003	TTP	Azure Active Directory Account Takeover	2026-05-13
Azure AD New Federated Domain Added	Azure Active Directory Set domain authentication	T1484.002	TTP	Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Hellcat Ransomware	2026-05-13
Gsuite Drive Share In External Email	G Suite Drive	T1567.002	Anomaly	Insider Threat, Scattered Lapsus$ Hunters, Dev Sec Ops	2026-05-13
AWS ECR Container Upload Outside Business Hours	AWS CloudTrail PutImage	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
ASL AWS ECR Container Upload Outside Business Hours	ASL AWS CloudTrail	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Exfiltration via Bucket Replication	AWS CloudTrail PutBucketReplication	T1537	TTP	Suspicious AWS S3 Activities, Data Exfiltration	2026-05-13
Kubernetes Shell Running on Worker Node with CPU Activity		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Multiple Service Principals Created by User	O365 Add service principal.	T1136.003	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Cloud Provisioning Activity From Previously Unseen City	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
Gsuite Suspicious Shared File Name	G Suite Drive	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
Detect Spike in AWS Security Hub Alerts for User	AWS Security Hub	N/A	Anomaly	Critical Alerts, AWS Security Hub Alerts	2026-05-13
ASL AWS Defense Evasion Delete CloudWatch Log Group	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
Kubernetes Nginx Ingress RFI		T1212	TTP	Dev Sec Ops	2026-05-13
ASL AWS UpdateLoginProfile	ASL AWS CloudTrail	T1136.003	TTP	AWS IAM Privilege Escalation	2026-05-13
O365 Mailbox Email Forwarding Enabled		T1114.003	TTP	Office 365 Collection Techniques	2026-05-13
AWS Console Login Failed During MFA Challenge	AWS CloudTrail ConsoleLogin	T1586.003 T1621	TTP	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
AWS Lambda UpdateFunctionCode	AWS CloudTrail	T1204	Hunting	Suspicious Cloud User Activities	2026-05-13
ASL AWS Detect Users creating keys with encrypt policy without MFA	ASL AWS CloudTrail	T1486	TTP	Ransomware Cloud	2026-05-13
O365 Multi-Source Failed Authentications Spike	O365 UserLoginFailed	T1110.003 T1110.004 T1586.003	Hunting	NOBELIUM Group, Office 365 Account Takeover	2026-05-13
O365 Privileged Role Assigned	Office 365 Universal Audit Log	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence	2026-05-13
Detect Spike in AWS Security Hub Alerts for EC2 Instance	AWS Security Hub	N/A	Anomaly	Critical Alerts, AWS Security Hub Alerts	2026-05-13
Azure AD AzureHound UserAgent Detected	Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory MicrosoftGraphActivityLogs	T1087.004 T1526	TTP	Azure Active Directory Privilege Escalation, Compromised User Account	2026-05-13
AWS Concurrent Sessions From Different Ips	AWS CloudTrail DescribeEventAggregates	T1185	TTP	Scattered Lapsus$ Hunters, Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
O365 Bypass MFA via Trusted IP	O365 Set Company Information.	T1686.001	TTP	Office 365 Persistence Mechanisms	2026-05-13
Azure AD External Guest User Invited	Azure Active Directory Invite external user	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Microsoft Intune Mobile Apps	Azure Monitor Activity	T1021.007 T1072 T1105 T1202	Hunting	Azure Active Directory Account Takeover	2026-05-13
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	T1046	Anomaly	Kubernetes Security	2026-05-13
AWS ECR Container Scanning Findings Low Informational Unknown	AWS CloudTrail DescribeImageScanFindings	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Credential Access Failed Login	AWS CloudTrail ConsoleLogin	T1110.001 T1586.003	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
O365 Privileged Graph API Permission Assigned	O365 Update application.	T1003.002	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Kubernetes Falco Shell Spawned	Kubernetes Falco	T1204	Anomaly	Kubernetes Security	2026-05-13
AWS Exfiltration via EC2 Snapshot	AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
Azure AD OAuth Application Consent Granted By User	Azure Active Directory Consent to application	T1528	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS IAM AccessDenied Discovery Events	AWS CloudTrail	T1580	Anomaly	Suspicious Cloud User Activities	2026-05-13
Amazon EKS Kubernetes cluster scan detection		T1526	Hunting	Kubernetes Scanning Activity	2026-05-13
Kubernetes Abuse of Secret by Unusual Location	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
Detect Spike in blocked Outbound Traffic from your AWS		N/A	Anomaly	AWS Network ACL Activity, Suspicious AWS Traffic, Command And Control	2026-05-13
O365 PST export alert	O365	T1114	TTP	Data Exfiltration, Office 365 Collection Techniques	2026-05-13
GCP Multiple Users Failing To Authenticate From Ip	Google Workspace	T1110.003 T1110.004 T1586.003	Anomaly	GCP Account Takeover	2026-05-13
AWS Bedrock Delete Model Invocation Logging Configuration	AWS CloudTrail DeleteModelInvocationLoggingConfiguration	T1685.002	TTP	AWS Bedrock Security	2026-05-13
Cloud Compute Instance Created By Previously Unseen User	AWS CloudTrail	T1078.004	Anomaly	Cloud Cryptomining	2026-05-13
O365 High Number Of Failed Authentications for User	O365 UserLoginFailed	T1110.001	TTP	Office 365 Account Takeover	2026-05-13
Kubernetes Abuse of Secret by Unusual User Name	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
ASL AWS Multi-Factor Authentication Disabled	ASL AWS CloudTrail	T1556.006 T1586.003 T1621	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
GitHub Enterprise Disable IP Allow List	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
O365 Add App Role Assignment Grant User	O365 Add app role assignment grant to user.	T1136.003	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2026-05-13
Azure AD Privileged Authentication Administrator Role Assigned	Azure Active Directory Add member to role	T1003.002	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
AWS Defense Evasion Update Cloudtrail	AWS CloudTrail UpdateTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
GitHub Organizations Repository Archived	GitHub Organizations Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
Azure AD Service Principal Authentication	Azure Active Directory Sign-in activity	T1078.004	TTP	Azure Active Directory Account Takeover, NOBELIUM Group	2026-05-13
Kubernetes Anomalous Outbound Network Activity from Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Azure AD Global Administrator Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
AWS IAM Assume Role Policy Brute Force	AWS CloudTrail	T1110 T1580	TTP	AWS IAM Privilege Escalation	2026-05-13
AWS Network Access Control List Deleted	AWS CloudTrail DeleteNetworkAclEntry	T1686.001	Anomaly	AWS Network ACL Activity	2026-05-13
O365 New Forwarding Mailflow Rule Created		T1114	TTP	Office 365 Collection Techniques	2026-05-13
O365 FullAccessAsApp Permission Assigned	O365 Update application.	T1098.002 T1098.003	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
ASL AWS Create Access Key	ASL AWS CloudTrail	T1136.003	Hunting	Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation	2026-05-13
Azure AD High Number Of Failed Authentications From Ip	Azure Active Directory	T1110.001 T1110.003	TTP	Azure Active Directory Account Takeover, NOBELIUM Group, Compromised User Account	2026-05-13
Azure AD Concurrent Sessions From Different Ips	Azure Active Directory	T1185	TTP	Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
Azure AD PIM Role Assigned	Azure Active Directory	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
Azure AD Tenant Wide Admin Consent Granted	Azure Active Directory Consent to application	T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Kubernetes Abuse of Secret by Unusual User Agent	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
O365 DLP Rule Triggered	Office 365 Universal Audit Log	T1048 T1567	Anomaly	Data Exfiltration	2026-05-13
AWS ECR Container Scanning Findings Medium	AWS CloudTrail DescribeImageScanFindings	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Successful Single-Factor Authentication	AWS CloudTrail ConsoleLogin	T1078.004 T1586.003	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
AWS CreateLoginProfile	AWS CloudTrail CreateLoginProfile, AWS CloudTrail ConsoleLogin	T1136.003	TTP	AWS IAM Privilege Escalation	2026-05-13
AWS Bedrock Delete Knowledge Base	AWS CloudTrail DeleteKnowledgeBase	T1485	TTP	AWS Bedrock Security	2026-05-13
AWS Exfiltration via Anomalous GetObject API Activity	AWS CloudTrail GetObject	T1119	Anomaly	Data Exfiltration	2026-05-13
GitHub Organizations Delete Branch Ruleset	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
AWS Credential Access RDS Password reset	AWS CloudTrail ModifyDBInstance	T1110 T1586.003	TTP	Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover	2026-05-13
ASL AWS Network Access Control List Created with All Open Ports	ASL AWS CloudTrail	T1686.001	TTP	AWS Network ACL Activity	2026-05-13
GitHub Enterprise Register Self Hosted Runner	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
AWS Detect Users with KMS keys performing encryption S3	AWS CloudTrail	T1486	Anomaly	Ransomware Cloud	2026-05-13
ASL AWS Defense Evasion Update Cloudtrail	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
O365 Email Send Attachments Excessive Volume	Office 365 Universal Audit Log	T1070.008 T1485	Anomaly	Suspicious Emails, Office 365 Account Takeover	2026-05-13
Azure AD Device Code Authentication	Azure Active Directory	T1528 T1566.002	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS EC2 Snapshot Shared Externally	AWS CloudTrail ModifySnapshotAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
GitHub Enterprise Repository Deleted	GitHub Enterprise Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Privileged Role Assigned To Service Principal	Office 365 Universal Audit Log	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
O365 SharePoint Malware Detection	Office 365 Universal Audit Log	T1204.002	TTP	Ransomware Cloud, Azure Active Directory Persistence, Office 365 Account Takeover	2026-05-13
O365 Multiple Mailboxes Accessed via API	O365 MailItemsAccessed	T1114.002	TTP	Office 365 Collection Techniques, NOBELIUM Group	2026-05-13
AWS Disable Bucket Versioning	AWS CloudTrail PutBucketVersioning	T1490	Anomaly	Suspicious AWS S3 Activities, Data Exfiltration	2026-05-13
O365 Safe Links Detection	Office 365 Universal Audit Log	T1566.001	TTP	Spearphishing Attachments, Office 365 Account Takeover	2026-05-13
AWS Defense Evasion Delete CloudWatch Log Group	AWS CloudTrail DeleteLogGroup	T1685.002	TTP	AWS Defense Evasion	2026-05-13
GCP Multi-Factor Authentication Disabled	Google Workspace	T1556.006 T1586.003	TTP	Scattered Lapsus$ Hunters, GCP Account Takeover	2026-05-13
GCP Unusual Number of Failed Authentications From Ip	Google Workspace	T1110.003 T1110.004 T1586.003	Anomaly	GCP Account Takeover	2026-05-13
Azure AD Multiple Service Principals Created by User	Azure Active Directory Add service principal	T1136.003	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Kubernetes Previously Unseen Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Kubernetes Abuse of Secret by Unusual User Group	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
Detect New Open S3 buckets	AWS CloudTrail	T1530	TTP	Suspicious AWS S3 Activities	2026-05-13
AWS Credential Access GetPasswordData	AWS CloudTrail GetPasswordData	T1110.001 T1586.003	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
ASL AWS Defense Evasion Stop Logging Cloudtrail	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
GitHub Enterprise Delete Branch Ruleset	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Application Registration Owner Added	O365 Add owner to application.	T1098	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Azure AD User Consent Denied for OAuth Application	Azure Active Directory Sign-in activity	T1528	TTP	Azure Active Directory Account Takeover	2026-05-13
ASL AWS Concurrent Sessions From Different Ips	ASL AWS CloudTrail	T1185	Anomaly	Scattered Lapsus$ Hunters, Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
AWS SetDefaultPolicyVersion	AWS CloudTrail SetDefaultPolicyVersion	T1078.004	TTP	AWS IAM Privilege Escalation	2026-05-13
O365 Security And Compliance Alert Triggered		T1078.004	TTP	Office 365 Account Takeover	2026-05-13
AWS Detect Users creating keys with encrypt policy without MFA	AWS CloudTrail PutKeyPolicy, AWS CloudTrail CreateKey	T1486	TTP	Ransomware Cloud	2026-05-13
AWS Multiple Users Failing To Authenticate From Ip	AWS CloudTrail ConsoleLogin	T1110.003 T1110.004	Anomaly	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
ASL AWS Credential Access RDS Password reset	ASL AWS CloudTrail	T1110 T1586.003	TTP	Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes newly seen TCP edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Circle CI Disable Security Job	CircleCI	T1554	Anomaly	Dev Sec Ops	2026-05-13
Gdrive suspicious file sharing		T1566	Hunting	Spearphishing Attachments, Scattered Lapsus$ Hunters, Data Exfiltration	2026-05-13
Detect S3 access from a new IP		T1530	Anomaly	Suspicious AWS S3 Activities	2026-05-13
AWS Successful Console Authentication From Multiple IPs	AWS CloudTrail ConsoleLogin	T1535 T1586	Anomaly	Compromised User Account, Suspicious AWS Login Activities	2026-05-13
GCP Authentication Failed During MFA Challenge	Google Workspace login_failure	T1078.004 T1586.003 T1621	TTP	Scattered Lapsus$ Hunters, GCP Account Takeover	2026-05-13
Azure AD Service Principal Privilege Escalation	Azure Active Directory Add app role assignment to service principal	T1098.003	TTP	Azure Active Directory Privilege Escalation	2026-05-13
ASL AWS Credential Access GetPasswordData	ASL AWS CloudTrail	T1110.001 T1586.003	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Anomalous Inbound to Outbound Network IO Ratio		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Email Suspicious Search Behavior	Office 365 Universal Audit Log	T1114.002 T1552	Anomaly	CISA AA22-320A, Compromised User Account, Office 365 Collection Techniques, Office 365 Account Takeover	2026-05-13
O365 OAuth App Mailbox Access via Graph API	O365 MailItemsAccessed	T1114.002	TTP	Office 365 Collection Techniques, NOBELIUM Group	2026-05-13
AWS Exfiltration via Batch Service	AWS CloudTrail JobCreated	T1119	TTP	Data Exfiltration	2026-05-13
O365 Service Principal New Client Credentials	O365	T1098.001	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Microsoft Intune Bulk Wipe	Azure Monitor Activity	T1561.001	TTP	Azure Active Directory Account Takeover	2026-05-13
GitHub Organizations Disable 2FA Requirement	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
O365 Mail Permissioned Application Consent Granted by User	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2026-05-13
Gsuite Email Suspicious Subject With Attachment	G Suite Gmail	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
O365 Email Password and Payroll Compromise Behavior	Office 365 Universal Audit Log, Office 365 Reporting Message Trace	T1070.008 T1114.001 T1485	TTP	Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction	2026-05-13
AWS ECR Container Upload Unknown User	AWS CloudTrail PutImage	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
Azure AD Multiple Failed MFA Requests For User	Azure Active Directory Sign-in activity	T1078.004 T1586.003 T1621	TTP	Azure Active Directory Account Takeover	2026-05-13
O365 New Federated Domain Added	O365	T1136.003	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2026-05-13
O365 Threat Intelligence Suspicious File Detected	Office 365 Universal Audit Log	T1204.002	TTP	Ransomware Cloud, Azure Active Directory Account Takeover, Office 365 Account Takeover	2026-05-13
Kubernetes Shell Running on Worker Node		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Circle CI Disable Security Step	CircleCI	T1554	Anomaly	Dev Sec Ops	2026-05-13
O365 Mailbox Read Access Granted to Application	O365 Update application.	T1098.003 T1114.002	TTP	Office 365 Persistence Mechanisms	2026-05-13
O365 Block User Consent For Risky Apps Disabled	O365 Update authorization policy.	T1685	TTP	Office 365 Account Takeover	2026-05-13
GitHub Enterprise Disable Audit Log Event Stream	GitHub Enterprise Audit Logs	T1195 T1685.002	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Exfiltration via File Sync Download	Office 365 Universal Audit Log	T1530 T1567	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
O365 Email Receive and Hard Delete Takeover Behavior	Office 365 Universal Audit Log, Office 365 Reporting Message Trace	T1070.008 T1114.001 T1485	Anomaly	Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction	2026-05-13
O365 New MFA Method Registered	O365 Update user.	T1098.005	TTP	Office 365 Persistence Mechanisms	2026-05-13
O365 Disable MFA	O365 Disable Strong Authentication.	T1556	TTP	Office 365 Persistence Mechanisms	2026-05-13
O365 Added Service Principal	O365	T1136.003	TTP	Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
AWS Bedrock Delete GuardRails	AWS CloudTrail DeleteGuardrail	T1685.002	TTP	AWS Bedrock Security	2026-05-13
ASL AWS Defense Evasion Impair Security Services	ASL AWS CloudTrail	T1685.002	Hunting	AWS Defense Evasion	2026-05-13
AWS High Number Of Failed Authentications For User	AWS CloudTrail ConsoleLogin	T1201	Anomaly	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
AWS UpdateLoginProfile	AWS CloudTrail UpdateLoginProfile	T1136.003	TTP	AWS IAM Privilege Escalation	2026-05-13
Detect AWS Console Login by User from New Region	AWS CloudTrail	T1535 T1586.003	Hunting	Suspicious Cloud Authentication Activities, Compromised User Account, Suspicious AWS Login Activities, AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Process with Resource Ratio Anomalies		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Cloud Compute Instance Created In Previously Unused Region	AWS CloudTrail	T1535	Anomaly	Cloud Cryptomining	2026-05-13
Kubernetes Anomalous Inbound Outbound Network IO		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
ASL AWS Network Access Control List Deleted	ASL AWS CloudTrail	T1686.001	Anomaly	AWS Network ACL Activity, Scattered Lapsus$ Hunters	2026-05-13
Kubernetes Node Port Creation	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 High Privilege Role Granted	O365 Add member to role.	T1098.003	TTP	Office 365 Persistence Mechanisms	2026-05-13
Azure AD Service Principal Created	Azure Active Directory Add service principal	T1136.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Cloud Compute Instance Created With Previously Unseen Instance Type	AWS CloudTrail	T1578.002	Anomaly	Cloud Cryptomining	2026-05-13
O365 Email Hard Delete Excessive Volume	Office 365 Universal Audit Log	T1070.008 T1485	Anomaly	Suspicious Emails, Office 365 Account Takeover, Data Destruction	2026-05-13
Okta Non-Standard VPN Usage	Okta	T1078 T1090 T1572	TTP	Suspicious Okta Activity, Remote Employment Fraud	2026-05-13
ASL AWS IAM Delete Policy	ASL AWS CloudTrail	T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
Azure AD Block User Consent For Risky Apps Disabled	Azure Active Directory Update authorization policy	T1685	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS AMI Attribute Modification for Exfiltration	AWS CloudTrail ModifyImageAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
Cloud Provisioning Activity From Previously Unseen Country	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
Azure AD Service Principal Owner Added	Azure Active Directory Add owner to application	T1098	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
Azure Runbook Webhook Created	Azure Audit Create or Update an Azure Automation webhook	T1078.004	TTP	Azure Active Directory Persistence	2026-05-13
AWS S3 Exfiltration Behavior Identified		T1537	Correlation	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
Detect AWS Console Login by User from New City	AWS CloudTrail	T1535 T1586.003	Hunting	Suspicious Cloud Authentication Activities, Compromised User Account, Suspicious AWS Login Activities, AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Suspicious Image Pulling	Kubernetes Audit	T1526	Anomaly	Kubernetes Security	2026-05-13
AWS Defense Evasion Delete Cloudtrail	AWS CloudTrail DeleteTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
ASL AWS EC2 Snapshot Shared Externally	ASL AWS CloudTrail	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
O365 Multiple OS Vendors Authenticating From User	Office 365 Universal Audit Log	T1110	TTP	Office 365 Account Takeover	2026-05-13
GitHub Organizations Disable Classic Branch Protection Rule	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
O365 SharePoint Allowed Domains Policy Changed	Office 365 Universal Audit Log	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Kubernetes Previously Unseen Container Image Name		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Microsoft Intune Manual Device Management	Azure Monitor Activity	T1021.007 T1072 T1529	Hunting	Azure Active Directory Account Takeover	2026-05-13
Kubernetes Anomalous Inbound Network Activity from Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Exfiltration via File Access	Office 365 Universal Audit Log	T1530 T1567	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
Kubernetes Pod With Host Network Attachment	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 Email Suspicious Behavior Alert	Office 365 Universal Audit Log	T1114.003	TTP	Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover	2026-05-13
O365 Compliance Content Search Started		T1114.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD PIM Role Assignment Activated	Azure Active Directory	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
O365 Email New Inbox Rule Created	Office 365 Universal Audit Log	T1114.003 T1564.008	Anomaly	Office 365 Collection Techniques	2026-05-13
AWS IAM Delete Policy	AWS CloudTrail DeletePolicy	T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
AWS Unusual Number of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	T1110.003 T1110.004 T1586.003	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
Cloud Compute Instance Created With Previously Unseen Image	AWS CloudTrail	N/A	Anomaly	Cloud Cryptomining	2026-05-13
Detect New Open S3 Buckets over AWS CLI	AWS CloudTrail	T1530	TTP	Suspicious AWS S3 Activities	2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike	O365 UserLoginFailed, O365 UserLoggedIn	T1078	Anomaly	Office 365 Account Takeover	2026-05-13
AWS High Number Of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	T1110.003 T1110.004	Anomaly	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
GitHub Enterprise Modify Audit Log Event Stream	GitHub Enterprise Audit Logs	T1195 T1685.002	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
Azure AD Multiple AppIDs and UserAgents Authentication Spike	Azure Active Directory Sign-in activity	T1078	Anomaly	Azure Active Directory Account Takeover	2026-05-13
GitHub Enterprise Disable Dependabot	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
AWS Create Policy Version to allow all resources	AWS CloudTrail CreatePolicyVersion	T1078.004	TTP	AWS IAM Privilege Escalation	2026-05-13
Gsuite Email With Known Abuse Web Service Link	G Suite Gmail	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
Cloud Instance Modified By Previously Unseen User	AWS CloudTrail	T1078.004	Anomaly	Suspicious Cloud Instance Activities	2026-05-13
Azure AD Multiple Service Principals Created by SP	Azure Active Directory Add service principal	T1136.003	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
AWS New MFA Method Registered For User	AWS CloudTrail CreateVirtualMFADevice	T1556.006	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Create or Update Privileged Pod	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 New Email Forwarding Rule Enabled		T1114.003	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD New Custom Domain Added	Azure Active Directory Add unverified domain	T1484.002	TTP	Azure Active Directory Persistence	2026-05-13
O365 New Email Forwarding Rule Created		T1114.003	TTP	Office 365 Collection Techniques	2026-05-13
GitHub Enterprise Pause Audit Log Event Stream	GitHub Enterprise Audit Logs	T1195 T1685.002	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
Azure AD Unusual Number of Failed Authentications From Ip	Azure Active Directory	T1110.003 T1110.004 T1586.003	Anomaly	Azure Active Directory Account Takeover	2026-05-13
AWS Defense Evasion PutBucketLifecycle	AWS CloudTrail PutBucketLifecycle	T1485.001 T1685.002	Hunting	AWS Defense Evasion	2026-05-13
Azure Automation Account Created	Azure Audit Create or Update an Azure Automation account	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
AWS IAM Failure Group Deletion	AWS CloudTrail DeleteGroup	T1098	Anomaly	AWS IAM Privilege Escalation	2026-05-13
Azure AD FullAccessAsApp Permission Assigned	Azure Active Directory Update application	T1098.002 T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Azure AD Service Principal Enumeration	Azure Active Directory MicrosoftGraphActivityLogs	T1087.004 T1526	TTP	Azure Active Directory Privilege Escalation, Compromised User Account	2026-05-13
Azure AD Multi-Factor Authentication Disabled	Azure Active Directory Disable Strong Authentication	T1556.006 T1586.003	TTP	Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
O365 External Guest User Invited	Office 365 Universal Audit Log	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Azure AD Successful Single-Factor Authentication	Azure Active Directory	T1078.004 T1586.003	TTP	Azure Active Directory Account Takeover	2026-05-13
O365 Excessive Authentication Failures Alert		T1110	Anomaly	Office 365 Account Takeover	2026-05-13
Kubernetes Pod Created in Default Namespace	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
Kubernetes AWS detect suspicious kubectl calls	Kubernetes Audit	N/A	Anomaly	Kubernetes Security	2026-05-13
AWS Defense Evasion Stop Logging Cloudtrail	AWS CloudTrail StopLogging	T1685.002	TTP	AWS Defense Evasion	2026-05-13
O365 Email Send and Hard Delete Exfiltration Behavior	Office 365 Universal Audit Log, Office 365 Reporting Message Trace	T1070.008 T1114.001 T1485	Anomaly	Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction	2026-05-13
Kubernetes DaemonSet Deployed	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 Mailbox Folder Read Permission Assigned	O365 ModifyFolderPermissions	T1098.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD Service Principal New Client Credentials	Azure Active Directory	T1098.001	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
Kubernetes Access Scanning	Kubernetes Audit	T1046	Anomaly	Kubernetes Security	2026-05-13
AWS ECR Container Scanning Findings High	AWS CloudTrail DescribeImageScanFindings	T1204.003	TTP	Dev Sec Ops	2026-05-13
Detect AWS Console Login by User from New Country	AWS CloudTrail	T1535 T1586.003	Hunting	Suspicious Cloud Authentication Activities, Compromised User Account, Suspicious AWS Login Activities, AWS Identity and Access Management Account Takeover	2026-05-13
GitHub Enterprise Disable Classic Branch Protection Rule	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
GSuite Email Suspicious Attachment	G Suite Gmail	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
O365 External Identity Policy Changed	Office 365 Universal Audit Log	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Azure AD Multiple Users Failing To Authenticate From Ip	Azure Active Directory	T1110.003 T1110.004 T1586.003	Anomaly	Azure Active Directory Account Takeover	2026-05-13
O365 Threat Intelligence Suspicious Email Delivered	Office 365 Universal Audit Log	T1566.001 T1566.002	Anomaly	Spearphishing Attachments, Suspicious Emails	2026-05-13
ASL AWS Create Policy Version to allow all resources	ASL AWS CloudTrail	T1078.004	TTP	Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation	2026-05-13
AWS Exfiltration via DataSync Task	AWS CloudTrail CreateTask	T1119	TTP	Suspicious AWS S3 Activities, Data Exfiltration, Hellcat Ransomware	2026-05-13
Azure AD Application Administrator Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
Detect New Open GCP Storage Buckets		T1530	TTP	Suspicious GCP Storage Activities	2026-05-13
O365 Application Available To Other Tenants	Office 365 Universal Audit Log	T1098.003	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration	2026-05-13
Azure AD Privileged Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Azure AD Privileged Graph API Permission Assigned	Azure Active Directory Update application	T1003.002	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
O365 Multiple Service Principals Created by SP	O365 Add service principal.	T1136.003	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Kubernetes Process with Anomalous Resource Utilisation		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Azure AD New MFA Method Registered	Azure Active Directory Update user	T1098.005	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence	2026-05-13
Cloud API Calls From Previously Unseen User Roles	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud User Activities	2026-05-13
O365 Multiple Failed MFA Requests For User	O365 UserLoginFailed	T1621	TTP	Scattered Lapsus$ Hunters, Office 365 Account Takeover	2026-05-13
ASL AWS Defense Evasion PutBucketLifecycle	ASL AWS CloudTrail	T1485.001 T1685.002	Hunting	AWS Defense Evasion	2026-05-13
GitHub Organizations Repository Deleted	GitHub Organizations Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 OAuth App Mailbox Access via EWS	O365 MailItemsAccessed	T1114.002	TTP	Office 365 Collection Techniques, NOBELIUM Group	2026-05-13
O365 Admin Consent Bypassed by Service Principal	O365 Add app role assignment to service principal.	T1098.003	TTP	Office 365 Persistence Mechanisms	2026-05-13
Azure AD New MFA Method Registered For User	Azure Active Directory User registered security info	T1556.006	TTP	Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
AWS Bedrock Invoke Model Access Denied	AWS CloudTrail	T1078 T1550	TTP	AWS Bedrock Security	2026-05-13
Azure AD Privileged Role Assigned to Service Principal	Azure Active Directory Add member to role	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
O365 ApplicationImpersonation Role Assigned	O365	T1098.002	TTP	NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms	2026-05-13
Azure AD Multi-Source Failed Authentications Spike	Azure Active Directory	T1110.003 T1110.004 T1586.003	Hunting	Azure Active Directory Account Takeover, NOBELIUM Group	2026-05-13
AWS Password Policy Changes	AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy	T1201	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2026-05-13
ASL AWS Defense Evasion Delete Cloudtrail	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	T1069.003 T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
Azure AD User ImmutableId Attribute Updated	Azure Active Directory Update user	T1098	TTP	Azure Active Directory Persistence, Hellcat Ransomware	2026-05-13
Gsuite Outbound Email With Attachment To External Domain	G Suite Gmail	T1048.003	Hunting	Insider Threat, Dev Sec Ops	2026-05-13
Azure AD User Consent Blocked for Risky Application	Azure Active Directory Consent to application	T1528	TTP	Azure Active Directory Account Takeover	2026-05-13
Azure AD Admin Consent Bypassed by Service Principal	Azure Active Directory Add app role assignment to service principal	T1098.003	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
High Number of Login Failures from a single source	O365 UserLoginFailed	T1110.001	Anomaly	Office 365 Account Takeover	2026-05-13
Kubernetes Anomalous Traffic on Network Edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 User Consent Blocked for Risky Application	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2026-05-13
Kubernetes Process Running From New Path		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Email Reported By Admin Found Malicious	Office 365 Universal Audit Log	T1566.001 T1566.002	TTP	Spearphishing Attachments, Suspicious Emails	2026-05-13
GitHub Enterprise Remove Organization	GitHub Enterprise Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity	2026-05-13
Detect Spike in S3 Bucket deletion	AWS CloudTrail	T1530	Anomaly	Suspicious AWS S3 Activities	2026-05-13
Kubernetes Unauthorized Access	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
ASL AWS SAML Update identity provider	ASL AWS CloudTrail	T1078	TTP	Cloud Federated Credential Abuse	2026-05-13
Azure Automation Runbook Created	Azure Audit Create or Update an Azure Automation Runbook	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies	Azure Monitor Activity	T1021.007 T1072 T1484 T1685 T1686	Hunting	Azure Active Directory Account Takeover	2026-05-13
AWS Multi-Factor Authentication Disabled	AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice	T1556.006 T1586.003 T1621	TTP	Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover	2026-05-13
Azure AD User Enabled And Password Reset	Azure Active Directory Reset password (by admin), Azure Active Directory Update user, Azure Active Directory Enable account	T1098	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Persistence	2026-05-13
Gsuite suspicious calendar invite		T1566	Hunting	Spearphishing Attachments	2026-05-13
Amazon EKS Kubernetes Pod scan detection		T1526	Hunting	Kubernetes Scanning Activity	2026-05-13
GitHub Enterprise Disable 2FA Requirement	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
Geographic Improbable Location	Okta	T1078	Anomaly	Remote Employment Fraud	2026-05-13
ASL AWS IAM Failure Group Deletion	ASL AWS CloudTrail	T1098	Anomaly	AWS IAM Privilege Escalation	2026-05-13
O365 Email Access By Security Administrator	Office 365 Universal Audit Log	T1114.002 T1567	TTP	Data Exfiltration, Azure Active Directory Account Takeover, Office 365 Account Takeover	2026-05-13
Cloud Provisioning Activity From Previously Unseen Region	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
Azure AD Successful Authentication From Different Ips	Azure Active Directory	T1110.001 T1110.003	TTP	Azure Active Directory Account Takeover, Compromised User Account	2026-05-13
Risk Rule for Dev Sec Ops by Repository		T1204.003	Correlation	Dev Sec Ops	2026-05-13
GitHub Enterprise Repository Archived	GitHub Enterprise Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Concurrent Sessions From Different Ips	O365 UserLoggedIn	T1185	TTP	Scattered Lapsus$ Hunters, Office 365 Account Takeover	2026-05-13
Azure AD Authentication Failed During MFA Challenge	Azure Active Directory	T1078.004 T1586.003 T1621	TTP	Azure Active Directory Account Takeover	2026-05-13
O365 Multiple Users Failing To Authenticate From Ip	O365 UserLoginFailed	T1110.003 T1110.004 T1586.003	TTP	NOBELIUM Group, Office 365 Account Takeover	2026-05-13
O365 Mailbox Inbox Folder Shared with All Users	O365 ModifyFolderPermissions	T1114.002	TTP	Office 365 Persistence Mechanisms	2026-05-13
Cloud Security Groups Modifications by User	AWS CloudTrail	T1578.005	Anomaly	Suspicious Cloud User Activities	2026-05-13
ASL AWS IAM Assume Role Policy Brute Force	ASL AWS CloudTrail	T1110 T1580	TTP	Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation	2026-05-13
GCP Multiple Failed MFA Requests For User	Google Workspace	T1078.004 T1586.003 T1621	TTP	Scattered Lapsus$ Hunters, GCP Account Takeover	2026-05-13
O365 Tenant Wide Admin Consent Granted	O365 Consent to application.	T1098.003	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
GCP Kubernetes cluster pod scan detection		T1526	Hunting	Scattered Lapsus$ Hunters, Kubernetes Scanning Activity	2026-05-13
O365 Elevated Mailbox Permission Assigned	O365 Add-MailboxPermission	T1098.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure Active Directory High Risk Sign-in	Azure Active Directory	T1110.003 T1586.003	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS CreateAccessKey	AWS CloudTrail CreateAccessKey	T1136.003	Hunting	AWS IAM Privilege Escalation	2026-05-13
O365 User Consent Denied for OAuth Application	O365	T1528	TTP	Office 365 Account Takeover	2026-05-13
O365 Exfiltration via File Download	Office 365 Universal Audit Log	T1530 T1567	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
Detect GCP Storage access from a new IP		T1530	Anomaly	Suspicious GCP Storage Activities	2026-05-13
O365 Email Send and Hard Delete Suspicious Behavior	Office 365 Universal Audit Log	T1070.008 T1114.001 T1485	Anomaly	Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction	2026-05-13
O365 Compliance Content Search Exported		T1114.002	TTP	Office 365 Collection Techniques	2026-05-13
O365 BEC Email Hiding Rule Created		T1564.008	TTP	Office 365 Account Takeover	2026-05-13
O365 Mailbox Folder Read Permission Granted	O365 ModifyFolderPermissions	T1098.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD High Number Of Failed Authentications For User	Azure Active Directory	T1110.001	TTP	Azure Active Directory Account Takeover, Compromised User Account	2026-05-13
AWS Bedrock High Number List Foundation Model Failures	AWS CloudTrail	T1580	TTP	AWS Bedrock Security	2026-05-13
Prohibited Network Traffic Allowed	Cisco Secure Firewall Threat Defense Connection Event	T1048	TTP	Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware, Command And Control	2026-05-13
3CX Supply Chain Attack Network Indicators	Sysmon EventID 22	T1195.002	TTP	3CX Supply Chain Attack	2026-05-13
Windows Multi hop Proxy TOR Website Query	Sysmon EventID 22	T1071.003	Anomaly	Interlock Ransomware, AgentTesla	2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation	2026-05-13
Internal Horizontal Port Scan NMAP Top 20	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, China-Nexus Threat Activity	2026-05-13
HTTP RMM User Agent	Suricata	T1071.001 T1219	Anomaly	Remote Monitoring and Management Software, Suspicious User Agents	2026-05-13
Windows Remote Desktop Network Bruteforce Attempt	Cisco Secure Access Firewall, Sysmon EventID 3	T1110.001	Anomaly	Windows RDP Artifacts and Defense Evasion, SamSam Ransomware, Ryuk Ransomware, Cisco Secure Access Analytics, Compromised User Account	2026-05-13
HTTP Malware User Agent	Suricata	T1071.001	TTP	Meduza Stealer, RedLine Stealer, Suspicious User Agents, Crypto Stealer, Lumma Stealer, Lokibot	2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
DNS Query Length With High Standard Deviation	Sysmon EventID 22	T1048.003	Anomaly	Suspicious DNS Traffic, Hidden Cobra Malware, Command And Control	2026-05-13
Wermgr Process Connecting To IP Check Web Services	Sysmon EventID 22	T1590.005	TTP	Trickbot	2026-05-13
Cisco SD-WAN - Peering Activity	Cisco SD-WAN NTCE 1000001	T1190	Hunting	Cisco Catalyst SD-WAN Analytics	2026-05-13
Cisco Secure Firewall - Bits Network Activity	Cisco Secure Firewall Threat Defense Connection Event	N/A	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Remote Desktop Network Traffic	Zeek Conn	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, SamSam Ransomware, Ryuk Ransomware, Hidden Cobra Malware	2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution		T1021.004 T1078 T1136	Correlation	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP C2 Framework User Agent	Suricata	T1071.001	TTP	Cobalt Strike, Suspicious User Agents, Malicious PowerShell, Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Meterpreter, Brute Ratel C4, Tuoni	2026-05-13
Detect Remote Access Software Usage DNS	Sysmon EventID 22	T1219	Anomaly	Remote Monitoring and Management Software, CISA AA24-241A, Scattered Spider, Scattered Lapsus$ Hunters, Command And Control, Insider Threat, Interlock Ransomware, Ransomware	2026-05-13
Cisco Secure Firewall - Blocked Connection	Cisco Secure Firewall Threat Defense Connection Event	T1018 T1046 T1110 T1203 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts	Cisco Secure Firewall Threat Defense Intrusion Event	T1027 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Large ICMP Traffic	Palo Alto Network Traffic, Cisco Secure Access Firewall	T1095	TTP	Backdoor Pingpong, Cisco Secure Access Analytics, China-Nexus Threat Activity, Command And Control	2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1505.003	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP PUA User Agent	Suricata	T1071.001	Anomaly	Cactus Ransomware, Suspicious User Agents, BlackSuit Ransomware, Local Privilege Escalation With KrbRelayUp	2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	React2Shell	2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports	Cisco Secure Firewall Threat Defense Connection Event	T1021 T1055 T1059.001 T1105 T1219 T1571	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect DNS Query to Decommissioned S3 Bucket	Sysmon EventID 22	T1485	Anomaly	AWS S3 Bucket Security Monitoring, Data Destruction	2026-05-13
Detect ARP Poisoning	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security	2026-05-13
Internal Horizontal Port Scan	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, China-Nexus Threat Activity	2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections	Cisco Secure Firewall Threat Defense Connection Event	T1018 T1046 T1110 T1203 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Smart Install Oversized Packet Detection	Splunk Stream TCP	T1190	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Smart Install Port Discovery and Status	Splunk Stream TCP	T1190	TTP	Scattered Lapsus$ Hunters, Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration	Cisco Secure Firewall Threat Defense Connection Event	T1041 T1048.003 T1567.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
TOR Traffic	Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event	T1090.003	TTP	NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Command And Control, Interlock Ransomware, Cisco Secure Firewall Threat Defense Analytics, Ransomware	2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration	Cisco IOS Logs	T1005 T1567	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Zeek x509 Certificate with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity	Cisco SD-WAN Service Proxy Access Logs	T1190	TTP	Cisco Catalyst SD-WAN Analytics	2026-05-13
SSL Certificates with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2026-05-13
Detect Software Download To Network Device		T1542.005	TTP	Router and Infrastructure Security	2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer	Cisco SD-WAN NTCE 1000001	T1190	Anomaly	Cisco Catalyst SD-WAN Analytics	2026-05-13
Detect Zerologon via Zeek		T1190	TTP	Detect Zerologon Attack, Rhysida Ransomware, Black Basta Ransomware	2026-05-13
Detect SNICat SNI Exfiltration		T1041	TTP	Data Exfiltration	2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic	Cisco Secure Firewall Threat Defense Connection Event	T1219	Anomaly	Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Command And Control, Insider Threat, Interlock Ransomware, Cisco Secure Firewall Threat Defense Analytics, Ransomware	2026-05-13
Protocols passing authentication in cleartext	Cisco Secure Firewall Threat Defense Connection Event	N/A	Anomaly	Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Use of Cleartext Protocols	2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388	Palo Alto Network Threat	T1133 T1190	TTP	CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388	2026-05-13
Cisco Secure Firewall - Malware File Downloaded	Cisco Secure Firewall Threat Defense File Event	T1105 T1203	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Internal Vulnerability Scan		T1046 T1595.002	TTP	Scattered Lapsus$ Hunters, Network Discovery	2026-05-13
Windows DNS Query Request by Telegram Bot API	Sysmon EventID 22	T1071.004 T1102.002	Anomaly	0bj3ctivity Stealer, VIP Keylogger, BlankGrabber Stealer, Crypto Stealer	2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse	Cisco Secure Firewall Threat Defense Intrusion Event	T1190 T1210 T1499	TTP	Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Suspicious Process With Discord DNS Query	Sysmon EventID 22	T1059.005	Anomaly	BlankGrabber Stealer, Data Destruction, WhisperGate, PXA Stealer, Cactus Ransomware	2026-05-13
Cisco Configuration Archive Logging Analysis	Cisco IOS Logs	T1098 T1505.003 T1685	Hunting	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint	Cisco Secure Firewall Threat Defense Connection Event	T1071.001 T1573.002 T1587.002 T1588.004	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Rundll32 DNSQuery	Sysmon EventID 22	T1218.011	TTP	Living Off The Land, IcedID	2026-05-13
Detect Remote Access Software Usage Traffic	Palo Alto Network Traffic	T1219	Anomaly	Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Command And Control, Insider Threat, Interlock Ransomware, Ransomware	2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1203	TTP	Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity		T1021.004 T1078 T1136	Correlation	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Rogue DHCP Server	Cisco IOS Logs	T1200 T1498 T1557	TTP	Scattered Lapsus$ Hunters, Router and Infrastructure Security	2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification	Cisco Secure Firewall Threat Defense Intrusion Event	T1003 T1071 T1078 T1190 T1203	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered	Cisco Secure Firewall Threat Defense Intrusion Event	T1583.006 T1598	Hunting	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services	Sysmon EventID 22	T1590.005	Anomaly	Handala Wiper, 0bj3ctivity Stealer, Meduza Stealer, Water Gamayun, BlankGrabber Stealer, Quasar RAT, Void Manticore, DarkCrystal RAT, Phemedrone Stealer, PXA Stealer, Snake Keylogger, Castle RAT, VIP Keylogger, Azorult	2026-05-13
Internal Vertical Port Scan	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, China-Nexus Threat Activity	2026-05-13
Cisco IOS Suspicious Privileged Account Creation	Cisco IOS Logs	T1078 T1136	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Suspicious Process DNS Query Known Abuse Web Services	Sysmon EventID 22	T1059.005	TTP	Remcos, Meduza Stealer, BlankGrabber Stealer, Data Destruction, Braodo Stealer, WhisperGate, RedLine Stealer, Malicious Inno Setup Loader, Phemedrone Stealer, PXA Stealer, Cactus Ransomware, Snake Keylogger	2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence	Cisco Secure Firewall Threat Defense Connection Event	T1041 T1071.001 T1105 T1573.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads	Cisco Secure Firewall Threat Defense File Event	T1027 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware	2026-05-13
Windows AD Replication Service Traffic		T1003.006 T1207	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port	Cisco Secure Firewall Threat Defense Intrusion Event	T1021.004	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows AD Rogue Domain Controller Network Activity		T1207	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Cisco Network Interface Modifications	Cisco IOS Logs	T1021 T1133 T1556	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Wget or Curl Download	Cisco Secure Firewall Threat Defense Connection Event	T1053.003 T1059 T1071.001 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Abused Web Services	Sysmon EventID 22	T1102	Anomaly	Malicious Inno Setup Loader, CISA AA24-241A, BlankGrabber Stealer, NjRAT	2026-05-13
Detect Port Security Violation	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security	2026-05-13
Large Volume of DNS ANY Queries		T1498.002	Anomaly	DNS Amplification Attacks	2026-05-13
Ngrok Reverse Proxy on Network	Sysmon EventID 22	T1090 T1102 T1572	Anomaly	Reverse Network Proxy, CISA AA22-320A, CISA AA24-241A	2026-05-13
Detect Windows DNS SIGRed via Zeek		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2026-05-13
Detect hosts connecting to dynamic domain providers	Sysmon EventID 22	T1189	TTP	Prohibited Traffic Allowed or Protocol Mismatch, Dynamic DNS, Data Protection, Command And Control, Suspicious DNS Traffic, DNS Hijacking	2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port	Cisco Secure Firewall Threat Defense File Event	T1105 T1571	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1003.001 T1059.001 T1190 T1210	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Protocol or Port Mismatch	Cisco Secure Firewall Threat Defense Connection Event	T1048.003	Anomaly	Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics, Command And Control	2026-05-13
Detect Outbound SMB Traffic	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event	T1071.002	TTP	NOBELIUM Group, Cisco Secure Access Analytics, DHS Report TA18-074A, Hidden Cobra Malware, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Unauthorized Assets by MAC address		N/A	TTP	Asset Tracking	2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation	2026-05-13
Cisco Secure Firewall - Binary File Type Download	Cisco Secure Firewall Threat Defense File Event	T1059 T1203	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Traffic Mirroring	Cisco IOS Logs	T1020.001 T1200 T1498	TTP	Router and Infrastructure Security	2026-05-13
DNS Kerberos Coercion	Sysmon EventID 22, Suricata	T1071.004 T1187 T1557.001	TTP	Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp	2026-05-13
Cisco Secure Firewall - Possibly Compromised Host	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1203 T1587.001	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain	Cisco Secure Firewall Threat Defense Connection Event	T1071.001 T1090.002 T1105 T1567.002 T1588.002	Anomaly	Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Excessive DNS Failures		T1071.004	Anomaly	Suspicious DNS Traffic, Command And Control	2026-05-13
Cisco SNMP Community String Configuration Changes	Cisco IOS Logs	T1040 T1552 T1685	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1027 T1190 T1204 T1210	TTP	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain	Sysmon EventID 22	T1566.001	Hunting	AsyncRAT, Spearphishing Attachments, MuddyWater	2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity	Cisco SD-WAN Service Proxy Access Logs	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-05-13
SMB Traffic Spike		T1021.002	Anomaly	DHS Report TA18-074A, Hidden Cobra Malware, Ransomware, Emotet Malware DHS Report TA18-201A	2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1071 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect IPv6 Network Infrastructure Threats	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Scattered Lapsus$ Hunters, Router and Infrastructure Security	2026-05-13
Hosts receiving high volume of network traffic from email server		T1114.002	Anomaly	Collection and Staging	2026-05-13
Detect Windows DNS SIGRed via Splunk Stream		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2026-05-13
Detect Outbound LDAP Traffic	Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event	T1059 T1190	Hunting	Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics	2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns	Cisco Secure Firewall Threat Defense Intrusion Event	T1021.004	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Linux Suspicious Namespace Creation	Sysmon for Linux EventID 1, Linux Auditd Syscall	T1068	TTP	Linux Privilege Escalation	2026-05-12
Powershell Defender Threat Actions Set to Allow	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	TTP	Salat Stealer	2026-05-12
Linux Binary Launched Process with Null Argv	Linux Messages Syslog	T1068	TTP	Linux Privilege Escalation	2026-05-12
Linux PF_ALG Registration Outside of Boot Window	Linux Messages Syslog	T1068	TTP	Linux Privilege Escalation	2026-05-11
Linux Malformed Auth Entry	Linux Secure	T1068	Anomaly	Linux Privilege Escalation	2026-05-06
Windows Suspicious Child Process of TieringEngineService.exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Windows Privilege Escalation, RedSun	2026-05-01
Windows VSSVC Process Accessing Defender Engine	Sysmon EventID 10	T1068	TTP	Windows Privilege Escalation, RedSun	2026-05-01
Windows Cloud Files Filter Log Created by Non-System Process	Sysmon EventID 11	T1068	TTP	Windows Privilege Escalation, RedSun	2026-05-01
Windows Suspicious Burst of Password Changes	Windows Event Log Security 4723, Windows Event Log Security 4724	T1068	TTP	BlueHammer, Windows Privilege Escalation	2026-04-29
Windows Suspicious Defender Engine or Signature Files Created	Sysmon EventID 11	T1068	Anomaly	BlueHammer, Windows Privilege Escalation	2026-04-27
Windows Suspicious Defender Update Activity in INetCache	Sysmon EventID 23, Sysmon EventID 11	T1068 T1105	Anomaly	BlueHammer, Windows Persistence Techniques	2026-04-27
Windows MsMpEng Writing to System32	Sysmon EventID 15, Sysmon EventID 11	T1068 T1543.003	TTP	BlueHammer, Windows Drivers, Windows Privilege Escalation, RedSun	2026-04-27
Windows Admin Password Changed by Non-Admin	Windows Event Log Security 4723	T1068 T1543.003	TTP	BlueHammer, Windows Privilege Escalation	2026-04-27
Windows Non-System Process Querying Definition Update	Sysmon EventID 22	T1068 T1071.001	Anomaly	BlueHammer, Windows Privilege Escalation, RedSun	2026-04-27