GitHub Repo

Command and Control Detections

Name Data Source Technique Type Analytic Story Date
Windows Potential Cloudflared Network Connection Sysmon EventID 3 T1572 Hunting Reverse Network Proxy 2026-05-13
Windows Level RMM PowerShell Script Installer Powershell Script Block Logging 4104 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Windows Remote Access Software RMS Registry Sysmon EventID 13 T1219 TTP Azorult 2026-05-13
Windows Kerberos Coercion via DNS Windows Event Log Security 5137, Windows Event Log Security 5136, Windows Event Log Security 4662 T1071.004 T1187 T1557.001 TTP Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2026-05-13
Windows DNS Query Request To TinyUrl Sysmon EventID 22 T1105 Anomaly Malicious Inno Setup Loader 2026-05-13
Windows Proxy Via Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows RMM Tool Execution Sysmon EventID 1 T1219 Anomaly Remote Monitoring and Management Software, NetSupport RMM Tool Abuse, Suspicious User Agents 2026-05-13
Curl Execution with Percent Encoded URL Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1027 T1105 Anomaly Living Off The Land, Ingress Tool Transfer, Compromised Windows Host 2026-05-13
Windows DLL Module Loaded in Temp Dir Sysmon EventID 7 T1105 Hunting Interlock Rat, SolarWinds WHD RCE Post Exploitation, Lokibot 2026-05-13
Windows TOR Client Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090.003 Anomaly Windows Post-Exploitation, Data Exfiltration, Data Protection, Compromised Windows Host, Command And Control 2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port Cisco Network Visibility Module Flow Data T1571 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Detect Remote Access Software Usage Registry Sysmon EventID 13 T1219 Anomaly Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, Scattered Spider, Scattered Lapsus$ Hunters, Cactus Ransomware, Command And Control, Insider Threat, Ransomware, Seashell Blizzard 2026-05-13
BITSAdmin Download File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 T1197 TTP DarkSide Ransomware, Living Off The Land, Flax Typhoon, Hellcat Ransomware, Gozi Malware, Ingress Tool Transfer, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Scattered Spider, BITS Jobs 2026-05-13
Windows SSH Proxy Command CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1105 T1572 Anomaly Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Windows Devtunnels Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090 Anomaly Reverse Network Proxy 2026-05-13
LOLBAS With Network Traffic Sysmon EventID 3 T1105 T1218 T1567 TTP Water Gamayun, Fake CAPTCHA Campaigns, Living Off The Land, Hellcat Ransomware, NetSupport RMM Tool Abuse, Malicious Inno Setup Loader, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Cabinet File Extraction Via Expand CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Potential Cloudflared Tunnel Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1572 Anomaly Reverse Network Proxy 2026-05-13
Windows Level RMM Watchdog Task Created Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Windows Mail Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly AgentTesla 2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
Windows Process Execution From RDP Share CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux Ingress Tool Transfer Hunting Sysmon for Linux EventID 1 T1105 Hunting Axios Supply Chain Post Compromise, NPM Supply Chain Compromise, XorDDos, Ingress Tool Transfer, Linux Living Off The Land 2026-05-13
Windows Curl Upload to Remote Destination CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics, PromptLock, Axios Supply Chain Post Compromise, NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host 2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser Cisco Network Visibility Module Flow Data T1059 T1105 TTP BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
File Download or Read to Pipe Execution Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Log4Shell CVE-2021-44228, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, Compromised Windows Host 2026-05-13
Windows Suspicious Defender Update Activity in INetCache Sysmon EventID 23, Sysmon EventID 11 T1068 T1105 Anomaly BlueHammer, Windows Persistence Techniques 2026-04-27
Windows Outlook Macro Security Modified Sysmon EventID 13 T1008 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Ldifde Directory Object Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1069.002 T1105 TTP Volt Typhoon 2026-05-13
Potential Telegram API Request Via CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1041 T1102.002 Anomaly 0bj3ctivity Stealer, Water Gamayun, BlankGrabber Stealer, Hellcat Ransomware, XMRig 2026-05-13
WinRAR Spawning Shell Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 2026-05-13
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware, MoonPeak 2026-05-13
Download Files Using Telegram Sysmon EventID 15 T1105 TTP 0bj3ctivity Stealer, Water Gamayun, Phemedrone Stealer, Snake Keylogger, Crypto Stealer, XMRig 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation Log4Shell CVE-2021-44228, CISA AA22-320A 2026-05-13
Windows File Download Via CertUtil CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Forest Blizzard, DarkSide Ransomware, Cisco Network Visibility Module Analytics, Living Off The Land, Flax Typhoon, Ingress Tool Transfer, Compromised Windows Host, CISA AA22-277A, ProxyNotShell 2026-05-13
Windows Curl Download to Suspicious Path CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Forest Blizzard, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer, NPM Supply Chain Compromise, China-Nexus Threat Activity, Salt Typhoon, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Compromised Windows Host, Black Basta Ransomware, IcedID 2026-05-13
Detect Remote Access Software Usage File Sysmon EventID 11 T1219 Anomaly Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard 2026-05-13
Linux Proxy Socks Curl Sysmon for Linux EventID 1 T1090 T1095 TTP Ingress Tool Transfer, Linux Living Off The Land 2026-06-04
Windows File Transfer Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly AgentTesla, Hellcat Ransomware, Snake Keylogger 2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Sysmon EventID 17, Sysmon EventID 18 T1071 TTP Azorult 2026-05-13
Windows Devtunnels Image Loaded Sysmon EventID 7 T1090 Anomaly Reverse Network Proxy 2026-05-13
Detect Remote Access Software Usage Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1219 Anomaly Remote Monitoring and Management Software, Gozi Malware, Storm-0501 Ransomware, CISA AA24-241A, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard 2026-05-13
Windows Ngrok Reverse Proxy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090 T1102 T1572 Anomaly Reverse Network Proxy, CISA AA22-320A, CISA AA24-241A 2026-05-13
Linux Ngrok Reverse Proxy Usage Sysmon for Linux EventID 1 T1090 T1102 T1572 Anomaly Reverse Network Proxy 2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe Sysmon EventID 17, Sysmon EventID 18 T1071 Anomaly Qakbot 2026-05-13
PowerShell Script Block With URL Chain Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell, Hellcat Ransomware 2026-05-13
Windows AI Platform DNS Query Sysmon EventID 22 T1071.004 Anomaly SesameOp, LAMEHUG, PromptFlux 2026-05-13
Windows Ingress Tool Transfer Using Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 Anomaly DarkCrystal RAT 2026-05-13
Windows Proxy Via Registry Sysmon EventID 13 T1090.001 Anomaly Volt Typhoon 2026-05-13
Detect Remote Access Software Usage FileInfo Sysmon EventID 1 T1219 Anomaly Remote Monitoring and Management Software, Gozi Malware, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard 2026-05-13
Windows Suspicious QEMU Execution Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Post-Exploitation, Linux Rootkit, Linux Living Off The Land, Compromised Linux Host, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary Sysmon EventID 1 T1036 T1572 TTP Flax Typhoon, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags Cisco Isovalent Process Exec T1105 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 T1649 TTP Ingress Tool Transfer, Compromised Windows Host, Windows Certificate Services 2026-05-13
Suspicious Curl Network Connection Sysmon for Linux EventID 1, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Linux Living Off The Land, APT37 Rustonotto and FadeStealer, Silver Sparrow 2026-05-13
Windows File Download Via PowerShell CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1105 Anomaly SysAid On-Prem Software CVE-2023-47246 Vulnerability, Phemedrone Stealer, Hermetic Wiper, Tuoni, HAFNIUM Group, Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, IcedID, PHP-CGI RCE Attack on Japanese Organizations, NetSupport RMM Tool Abuse, XWorm, StealC Stealer, APT37 Rustonotto and FadeStealer, Winter Vivern, Data Destruction, NPM Supply Chain Compromise 2026-05-13
Windows PowGoop Beacon Decoding CrowdStrike ProcessRollup2, Sysmon EventID 1 T1001 T1059.001 TTP Compromised Windows Host 2026-05-13
Windows App Layer Protocol Qakbot NamedPipe Sysmon EventID 17, Sysmon EventID 18 T1071 Anomaly Qakbot 2026-05-13
Windows SQL Spawning CertUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows Short Lived DNS Record Windows Event Log Security 5137, Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2026-05-13
Windows Non-System Process Querying Definition Update Sysmon EventID 22 T1068 T1071.001 Anomaly BlueHammer, Windows Privilege Escalation, RedSun 2026-04-27
Linux Ingress Tool Transfer with Curl Sysmon for Linux EventID 1 T1105 Anomaly NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, XorDDos 2026-05-13
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery Sysmon EventID 22 T1071.004 TTP Lokibot 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Living Off The Land, Hellcat Ransomware 2026-05-13
Linux Curl Upload File Sysmon for Linux EventID 1, Cisco Isovalent Process Exec T1105 TTP Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise 2026-05-13
Windows Remote Access Software BRC4 Loaded Dll Sysmon EventID 7 T1003 T1219 Anomaly Brute Ratel C4 2026-05-13
Cisco NVM - Webserver Download From File Sharing Website Cisco Network Visibility Module Flow Data T1105 T1190 TTP GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics 2026-05-13
Windows Credential Target Information Structure in Commandline Sysmon EventID 1 T1071.004 T1187 T1557.001 TTP Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2026-05-13
Juniper Networks Remote Code Execution Exploit Detection Suricata T1059 T1105 T1190 TTP Juniper JunOS Remote Code Execution 2026-05-13
HTTP Duplicated Header Suricata T1071.001 T1190 Anomaly HTTP Request Smuggling 2026-05-13
Detect Remote Access Software Usage URL Palo Alto Network Threat T1219 Anomaly Remote Monitoring and Management Software, CISA AA24-241A, Scattered Lapsus$ Hunters, Command And Control, Insider Threat, Interlock Ransomware, Ransomware 2026-05-13
HTTP Request to Reserved Name on IIS Server Suricata T1071.001 T1190 TTP HTTP Request Smuggling 2026-05-13
HTTP Rapid POST with Mixed Status Codes Nginx Access T1071.001 T1190 T1595 Anomaly HTTP Request Smuggling 2026-05-13
HTTP Scripting Tool User Agent Nginx Access T1071.001 Anomaly Suspicious User Agents, HTTP Request Smuggling 2026-06-15
HTTP Possible Request Smuggling Suricata T1071.001 TTP HTTP Request Smuggling 2026-05-13
Cisco IOS XE Tunnel Interface Configuration Cisco IOS Logs T1090 T1572 Anomaly Salt Typhoon 2026-05-20
Ollama Abnormal Network Connectivity Ollama Server T1571 Anomaly Suspicious Ollama Activities 2026-05-13
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Suspicious Okta Activity, Remote Employment Fraud 2026-05-13
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 T1071.003 Anomaly Interlock Ransomware, AgentTesla 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Remote Monitoring and Management Software, Suspicious User Agents 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP Meduza Stealer, RedLine Stealer, Suspicious User Agents, Crypto Stealer, Lumma Stealer, Lokibot 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Cobalt Strike, Suspicious User Agents, Malicious PowerShell, Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Meterpreter, Brute Ratel C4, Tuoni 2026-05-13
Detect Remote Access Software Usage DNS Sysmon EventID 22 T1219 Anomaly Remote Monitoring and Management Software, CISA AA24-241A, Scattered Spider, Scattered Lapsus$ Hunters, Command And Control, Insider Threat, Interlock Ransomware, Ransomware 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Palo Alto Network Traffic, Cisco Secure Access Firewall T1095 TTP Backdoor Pingpong, Cisco Secure Access Analytics, China-Nexus Threat Activity, Command And Control 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly Cactus Ransomware, Suspicious User Agents, BlackSuit Ransomware, Local Privilege Escalation With KrbRelayUp 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event T1090.003 TTP NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Command And Control, Interlock Ransomware, Cisco Secure Firewall Threat Defense Analytics, Ransomware 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Command And Control, Insider Threat, Interlock Ransomware, Cisco Secure Firewall Threat Defense Analytics, Ransomware 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 T1071.004 T1102.002 Anomaly 0bj3ctivity Stealer, VIP Keylogger, BlankGrabber Stealer, Crypto Stealer 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic T1219 Anomaly Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Command And Control, Insider Threat, Interlock Ransomware, Ransomware 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Sysmon EventID 22 T1102 Anomaly Malicious Inno Setup Loader, CISA AA24-241A, BlankGrabber Stealer, NjRAT 2026-05-13
Ngrok Reverse Proxy on Network Sysmon EventID 22 T1090 T1102 T1572 Anomaly Reverse Network Proxy, CISA AA22-320A, CISA AA24-241A 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event T1071.002 TTP NOBELIUM Group, Cisco Secure Access Analytics, DHS Report TA18-074A, Hidden Cobra Malware, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
DNS Kerberos Coercion Sysmon EventID 22, Suricata T1071.004 T1187 T1557.001 TTP Kerberos Coercion with DNS, Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Suspicious DNS Traffic, Command And Control 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco SA - Access to Anonymizer Services Cisco Secure Access DNS T1090.003 Anomaly Cisco Secure Access Analytics 2026-06-09