|
Windows Potential Cloudflared Network Connection
|
Sysmon EventID 3
|
T1572
|
Hunting
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows Level RMM PowerShell Script Installer
|
Powershell Script Block Logging 4104
|
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 13
|
T1219
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Kerberos Coercion via DNS
|
Windows Event Log Security 5137, Windows Event Log Security 4662, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host
|
2026-05-13
|
|
Windows DNS Query Request To TinyUrl
|
Sysmon EventID 22
|
T1105
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Proxy Via Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows RMM Tool Execution
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Remote Monitoring and Management Software, Suspicious User Agents, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Curl Execution with Percent Encoded URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Sysmon for Linux EventID 1
|
T1027
T1105
|
Anomaly
|
Living Off The Land, Ingress Tool Transfer, Compromised Windows Host
|
2026-05-13
|
|
Windows DLL Module Loaded in Temp Dir
|
Sysmon EventID 7
|
T1105
|
Hunting
|
SolarWinds WHD RCE Post Exploitation, Interlock Rat, Lokibot
|
2026-05-13
|
|
Windows TOR Client Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090.003
|
Anomaly
|
Data Exfiltration, Compromised Windows Host, Data Protection, Command And Control, Windows Post-Exploitation
|
2026-05-13
|
|
Cisco NVM - Outbound Connection to Suspicious Port
|
Cisco Network Visibility Module Flow Data
|
T1571
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 13
|
T1219
|
Anomaly
|
Remote Monitoring and Management Software, Insider Threat, CISA AA24-241A, Scattered Lapsus$ Hunters, Seashell Blizzard, Cactus Ransomware, Ransomware, Scattered Spider, Command And Control, Gozi Malware
|
2026-05-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1197
|
TTP
|
BITS Jobs, Hellcat Ransomware, Living Off The Land, Ingress Tool Transfer, GhostRedirector IIS Module and Rungan Backdoor, Scattered Spider, DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Gozi Malware, Flax Typhoon
|
2026-05-13
|
|
Windows SSH Proxy Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1105
T1572
|
Anomaly
|
Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware
|
2026-05-13
|
|
Windows Devtunnels Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1218
T1567
|
TTP
|
Malicious Inno Setup Loader, Hellcat Ransomware, Living Off The Land, GhostRedirector IIS Module and Rungan Backdoor, NetSupport RMM Tool Abuse, Water Gamayun, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns
|
2026-05-13
|
|
Windows Cabinet File Extraction Via Expand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
APT37 Rustonotto and FadeStealer, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Potential Cloudflared Tunnel Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
T1105
|
Hunting
|
NPM Supply Chain Compromise, Axios Supply Chain Post Compromise, Ingress Tool Transfer, Linux Living Off The Land, XorDDos
|
2026-05-13
|
|
Windows Curl Upload to Remote Destination
|
CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
NPM Supply Chain Compromise, Compromised Windows Host, Axios Supply Chain Post Compromise, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, PromptLock
|
2026-05-13
|
|
Cisco NVM - Suspicious File Download via Headless Browser
|
Cisco Network Visibility Module Flow Data
|
T1059
T1105
|
TTP
|
Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
File Download or Read to Pipe Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
NPM Supply Chain Compromise, Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows Suspicious Defender Update Activity in INetCache
|
Sysmon EventID 23, Sysmon EventID 11
|
T1068
T1105
|
Anomaly
|
BlueHammer, Windows Persistence Techniques
|
2026-04-27
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1008
T1137
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2026-05-13
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
T1105
|
TTP
|
Volt Typhoon
|
2026-05-13
|
|
Potential Telegram API Request Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1041
T1102.002
|
Anomaly
|
Hellcat Ransomware, BlankGrabber Stealer, 0bj3ctivity Stealer, Water Gamayun, XMRig
|
2026-05-13
|
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
MoonPeak, Medusa Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Malicious PowerShell
|
2026-05-13
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
T1105
|
TTP
|
Snake Keylogger, 0bj3ctivity Stealer, Water Gamayun, Crypto Stealer, Phemedrone Stealer, XMRig
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows File Download Via CertUtil
|
CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Compromised Windows Host, Forest Blizzard, Living Off The Land, Ingress Tool Transfer, ProxyNotShell, Cisco Network Visibility Module Analytics, CISA AA22-277A, DarkSide Ransomware, Flax Typhoon
|
2026-05-13
|
|
Windows Curl Download to Suspicious Path
|
CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
China-Nexus Threat Activity, Black Basta Ransomware, Compromised Windows Host, Forest Blizzard, NPM Supply Chain Compromise, GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, IcedID, APT37 Rustonotto and FadeStealer, Salt Typhoon
|
2026-05-13
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
T1219
|
Anomaly
|
Interlock Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, CISA AA24-241A, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Seashell Blizzard, Cactus Ransomware, Ransomware, Scattered Spider, Command And Control, Gozi Malware
|
2026-05-13
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
T1090
T1095
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land
|
2026-06-04
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
Phantom Stealer, AgentTesla, Snake Keylogger, Hellcat Ransomware
|
2026-06-25
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1071
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Devtunnels Image Loaded
|
Sysmon EventID 7
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1219
|
Anomaly
|
Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Seashell Blizzard, Cactus Ransomware, Ransomware, Scattered Spider, Storm-0501 Ransomware, Command And Control, Gozi Malware
|
2026-05-13
|
|
Windows Ngrok Reverse Proxy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA24-241A, CISA AA22-320A, Reverse Network Proxy
|
2026-05-13
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
T1090
T1102
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Malicious PowerShell, Hellcat Ransomware
|
2026-05-13
|
|
Windows AI Platform DNS Query
|
Sysmon EventID 22
|
T1071.004
|
Anomaly
|
SesameOp, LAMEHUG, PromptFlux
|
2026-05-13
|
|
Windows Ingress Tool Transfer Using Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Detect Remote Access Software Usage FileInfo
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, Scattered Lapsus$ Hunters, Seashell Blizzard, Cactus Ransomware, Ransomware, Scattered Spider, Command And Control, Gozi Malware
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Rootkit, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Compromised Linux Host, Linux Post-Exploitation, Linux Privilege Escalation
|
2026-05-13
|
|
Windows SoftEther VPN Masquerading as Legitimate Binary
|
Sysmon EventID 1
|
T1036
T1572
|
TTP
|
Linux Persistence Techniques, Flax Typhoon, Linux Privilege Escalation
|
2026-05-13
|
|
Cisco Isovalent - Curl Execution With Insecure Flags
|
Cisco Isovalent Process Exec
|
T1105
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1649
|
TTP
|
Ingress Tool Transfer, Compromised Windows Host, Windows Certificate Services
|
2026-05-13
|
|
Suspicious Curl Network Connection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Hellcat Ransomware, Ingress Tool Transfer, Linux Living Off The Land, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Silver Sparrow
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1105
|
Anomaly
|
Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, PHP-CGI RCE Attack on Japanese Organizations, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern, IcedID, Malicious PowerShell, StealC Stealer, Tuoni, Ingress Tool Transfer, HAFNIUM Group, Data Destruction, Phemedrone Stealer, SolarWinds WHD RCE Post Exploitation, NPM Supply Chain Compromise, NetSupport RMM Tool Abuse, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, APT37 Rustonotto and FadeStealer, XWorm
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows SQL Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation, Flax Typhoon
|
2026-05-13
|
|
Windows Short Lived DNS Record
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host
|
2026-05-13
|
|
Windows Non-System Process Querying Definition Update
|
Sysmon EventID 22
|
T1068
T1071.001
|
Anomaly
|
RedSun, BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
T1105
|
Anomaly
|
Ingress Tool Transfer, Linux Living Off The Land, XorDDos, NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.004
T1572
|
TTP
|
CISA AA22-257A
|
2026-05-13
|
|
Windows Visual Basic Commandline Compiler DNSQuery
|
Sysmon EventID 22
|
T1071.004
|
TTP
|
Lokibot
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Linux Curl Upload File
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, Data Exfiltration, NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
T1003
T1219
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Cisco NVM - Webserver Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1105
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Credential Target Information Structure in Commandline
|
Sysmon EventID 1
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host
|
2026-05-13
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
HTTP Duplicated Header
|
Suricata
|
T1071.001
T1190
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
Detect Remote Access Software Usage URL
|
Palo Alto Network Threat
|
T1219
|
Anomaly
|
Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, CISA AA24-241A, Scattered Lapsus$ Hunters, Ransomware, Command And Control
|
2026-05-13
|
|
HTTP Request to Reserved Name on IIS Server
|
Suricata
|
T1071.001
T1190
|
TTP
|
HTTP Request Smuggling
|
2026-05-13
|
|
HTTP Rapid POST with Mixed Status Codes
|
Nginx Access
|
T1071.001
T1190
T1595
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
HTTP Scripting Tool User Agent
|
Nginx Access
|
T1071.001
|
Anomaly
|
Suspicious User Agents, HTTP Request Smuggling
|
2026-06-15
|
|
HTTP Possible Request Smuggling
|
Suricata
|
T1071.001
|
TTP
|
HTTP Request Smuggling
|
2026-05-13
|
|
Cisco IOS XE Tunnel Interface Configuration
|
Cisco IOS Logs
|
T1090
T1572
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Ollama Abnormal Network Connectivity
|
Ollama Server
|
T1571
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Suspicious Okta Activity, Remote Employment Fraud
|
2026-05-13
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
T1071.003
|
Anomaly
|
AgentTesla, Interlock Ransomware
|
2026-05-13
|
|
HTTP RMM User Agent
|
Suricata
|
T1071.001
T1219
|
Anomaly
|
Remote Monitoring and Management Software, Suspicious User Agents
|
2026-05-13
|
|
HTTP Malware User Agent
|
Suricata
|
T1071.001
|
TTP
|
Lumma Stealer, RedLine Stealer, Meduza Stealer, Lokibot, Suspicious User Agents, Crypto Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
HTTP C2 Framework User Agent
|
Suricata
|
T1071.001
|
TTP
|
Tuoni, Malicious PowerShell, Spearphishing Attachments, Suspicious User Agents, Cobalt Strike, Brute Ratel C4, Meterpreter, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
T1219
|
Anomaly
|
Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, CISA AA24-241A, Scattered Lapsus$ Hunters, Ransomware, Scattered Spider, Command And Control
|
2026-05-13
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Large ICMP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall
|
T1095
|
TTP
|
Backdoor Pingpong, China-Nexus Threat Activity, Command And Control, Cisco Secure Access Analytics
|
2026-05-13
|
|
HTTP PUA User Agent
|
Suricata
|
T1071.001
|
Anomaly
|
Local Privilege Escalation With KrbRelayUp, Cactus Ransomware, BlackSuit Ransomware, Suspicious User Agents
|
2026-05-13
|
|
Cisco Secure Firewall - Intrusion Events by Threat Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
TOR Traffic
|
Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event
|
T1090.003
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware, NOBELIUM Group, Command And Control
|
2026-05-13
|
|
Zeek x509 Certificate with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-05-13
|
|
SSL Certificates with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-05-13
|
|
Cisco Secure Firewall - Remote Access Software Usage Traffic
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1219
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, Scattered Lapsus$ Hunters, Ransomware, Scattered Spider, Command And Control
|
2026-05-13
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
T1071.004
T1102.002
|
Anomaly
|
Phantom Stealer, VIP Keylogger, BlankGrabber Stealer, 0bj3ctivity Stealer, Crypto Stealer
|
2026-06-25
|
|
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1573.002
T1587.002
T1588.004
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
T1219
|
Anomaly
|
Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, Scattered Lapsus$ Hunters, Ransomware, Scattered Spider, Command And Control
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Download Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High EVE Threat Confidence
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1071.001
T1105
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
T1102
|
Anomaly
|
NjRAT, Malicious Inno Setup Loader, CISA AA24-241A, BlankGrabber Stealer
|
2026-05-13
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA24-241A, CISA AA22-320A, Reverse Network Proxy
|
2026-05-13
|
|
Cisco Secure Firewall - File Download Over Uncommon Port
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Outbound SMB Traffic
|
Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall
|
T1071.002
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, DHS Report TA18-074A, Hidden Cobra Malware, Cisco Secure Access Analytics, NOBELIUM Group
|
2026-05-13
|
|
DNS Kerberos Coercion
|
Sysmon EventID 22, Suricata
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host
|
2026-05-13
|
|
Cisco Secure Firewall - Connection to File Sharing Domain
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1090.002
T1105
T1567.002
T1588.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Excessive DNS Failures
|
|
T1071.004
|
Anomaly
|
Suspicious DNS Traffic, Command And Control
|
2026-05-13
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1071
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco SA - Access to Anonymizer Services
|
Cisco Secure Access DNS
|
T1090.003
|
Anomaly
|
Cisco Secure Access Analytics
|
2026-06-09
|