GitHub Repo

Command and Control Detections

Name Data Source Technique Type Analytic Story Date
Windows Potential Cloudflared Network Connection Sysmon EventID 3 T1572 Hunting Reverse Network Proxy 2026-05-13
Windows Level RMM PowerShell Script Installer Powershell Script Block Logging 4104 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Windows Remote Access Software RMS Registry Sysmon EventID 13 T1219 TTP Azorult 2026-05-13
Windows Kerberos Coercion via DNS Windows Event Log Security 5137, Windows Event Log Security 4662, Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS 2026-05-13
Windows DNS Query Request To TinyUrl Sysmon EventID 22 T1105 Anomaly Malicious Inno Setup Loader 2026-05-13
Windows Proxy Via Netsh Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows RMM Tool Execution Sysmon EventID 1 T1219 Anomaly NetSupport RMM Tool Abuse, Remote Monitoring and Management Software, Suspicious User Agents 2026-05-13
Curl Execution with Percent Encoded URL Sysmon for Linux EventID 1, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1027 T1105 Anomaly Living Off The Land, Compromised Windows Host, Ingress Tool Transfer 2026-05-13
Windows DLL Module Loaded in Temp Dir Sysmon EventID 7 T1105 Hunting Interlock Rat, Lokibot, SolarWinds WHD RCE Post Exploitation 2026-05-13
Windows TOR Client Execution Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1090.003 Anomaly Compromised Windows Host, Windows Post-Exploitation, Command And Control, Data Protection, Data Exfiltration 2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port Cisco Network Visibility Module Flow Data T1571 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Detect Remote Access Software Usage Registry Sysmon EventID 13 T1219 Anomaly CISA AA24-241A, Ransomware, Seashell Blizzard, Insider Threat, Scattered Lapsus$ Hunters, Cactus Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider 2026-05-13
BITSAdmin Download File Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 T1197 TTP DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Flax Typhoon, BITS Jobs, Gozi Malware, Living Off The Land, Scattered Spider, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows SSH Proxy Command Sysmon EventID 1, CrowdStrike ProcessRollup2 T1059.001 T1105 T1572 Anomaly Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware 2026-05-13
Windows Devtunnels Execution Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1090 Anomaly Reverse Network Proxy 2026-05-13
LOLBAS With Network Traffic Sysmon EventID 3 T1105 T1218 T1567 TTP Water Gamayun, NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer, Malicious Inno Setup Loader, Fake CAPTCHA Campaigns, Living Off The Land, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Cabinet File Extraction Via Expand Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Potential Cloudflared Tunnel Execution Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1572 Anomaly Reverse Network Proxy 2026-05-13
Windows Level RMM Watchdog Task Created Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Windows Mail Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly AgentTesla 2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation 2026-05-13
Windows Process Execution From RDP Share Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux Ingress Tool Transfer Hunting Sysmon for Linux EventID 1 T1105 Hunting Axios Supply Chain Post Compromise, Ingress Tool Transfer, NPM Supply Chain Compromise, XorDDos, Linux Living Off The Land 2026-05-13
Windows Curl Upload to Remote Destination Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP Compromised Windows Host, Cisco Network Visibility Module Analytics, Axios Supply Chain Post Compromise, Ingress Tool Transfer, PromptLock, NPM Supply Chain Compromise, Microsoft WSUS CVE-2025-59287 2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser Cisco Network Visibility Module Flow Data T1059 T1105 TTP BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
File Download or Read to Pipe Execution Sysmon for Linux EventID 1, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP Log4Shell CVE-2021-44228, Compromised Windows Host, Ingress Tool Transfer, NPM Supply Chain Compromise, Linux Living Off The Land 2026-05-13
Windows Outlook Macro Security Modified Sysmon EventID 13 T1008 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Ldifde Directory Object Behavior Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1069.002 T1105 TTP Volt Typhoon 2026-05-13
Potential Telegram API Request Via CommandLine Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1041 T1102.002 Anomaly Water Gamayun, XMRig, 0bj3ctivity Stealer, BlankGrabber Stealer, Hellcat Ransomware 2026-05-13
WinRAR Spawning Shell Application Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host 2026-05-13
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP Medusa Ransomware, MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations 2026-05-13
Download Files Using Telegram Sysmon EventID 15 T1105 TTP Water Gamayun, Snake Keylogger, Crypto Stealer, XMRig, 0bj3ctivity Stealer, Phemedrone Stealer 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
Windows File Download Via CertUtil Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP DarkSide Ransomware, Compromised Windows Host, Cisco Network Visibility Module Analytics, Ingress Tool Transfer, Forest Blizzard, ProxyNotShell, Flax Typhoon, CISA AA22-277A, Living Off The Land 2026-05-13
Windows Curl Download to Suspicious Path Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP Black Basta Ransomware, Compromised Windows Host, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer, China-Nexus Threat Activity, Ingress Tool Transfer, Forest Blizzard, NPM Supply Chain Compromise, Salt Typhoon, IcedID, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Detect Remote Access Software Usage File Sysmon EventID 11 T1219 Anomaly CISA AA24-241A, Ransomware, Seashell Blizzard, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters, Cactus Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Linux Proxy Socks Curl Sysmon for Linux EventID 1 T1090 T1095 TTP Linux Living Off The Land, Ingress Tool Transfer 2026-05-13
Windows File Transfer Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly Snake Keylogger, AgentTesla, Hellcat Ransomware 2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Sysmon EventID 18, Sysmon EventID 17 T1071 TTP Azorult 2026-05-13
Windows Devtunnels Image Loaded Sysmon EventID 7 T1090 Anomaly Reverse Network Proxy 2026-05-13
Detect Remote Access Software Usage Process Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1219 Anomaly GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A, Ransomware, Seashell Blizzard, Insider Threat, Scattered Lapsus$ Hunters, Cactus Ransomware, Storm-0501 Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider, Interlock Ransomware 2026-05-13
Windows Ngrok Reverse Proxy Usage Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1090 T1102 T1572 Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2026-05-13
Linux Ngrok Reverse Proxy Usage Sysmon for Linux EventID 1 T1090 T1102 T1572 Anomaly Reverse Network Proxy 2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe Sysmon EventID 18, Sysmon EventID 17 T1071 Anomaly Qakbot 2026-05-13
PowerShell Script Block With URL Chain Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell, Hellcat Ransomware 2026-05-13
Windows AI Platform DNS Query Sysmon EventID 22 T1071.004 Anomaly SesameOp, PromptFlux, LAMEHUG 2026-05-13
Windows Ingress Tool Transfer Using Explorer Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 Anomaly DarkCrystal RAT 2026-05-13
Windows Proxy Via Registry Sysmon EventID 13 T1090.001 Anomaly Volt Typhoon 2026-05-13
Detect Remote Access Software Usage FileInfo Sysmon EventID 1 T1219 Anomaly Ransomware, Seashell Blizzard, Insider Threat, Scattered Lapsus$ Hunters, Cactus Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider, Interlock Ransomware 2026-05-13
Windows Suspicious QEMU Execution Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Post-Exploitation, Compromised Linux Host, Linux Rootkit, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary Sysmon EventID 1 T1036 T1572 TTP Flax Typhoon, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags Cisco Isovalent Process Exec T1105 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Detect Certify Command Line Arguments Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 T1649 TTP Windows Certificate Services, Compromised Windows Host, Ingress Tool Transfer 2026-05-13
Suspicious Curl Network Connection Sysmon for Linux EventID 1, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP Silver Sparrow, APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Linux Living Off The Land, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows File Download Via PowerShell Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1059.001 T1105 Anomaly Data Destruction, Phemedrone Stealer, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Winter Vivern, StealC Stealer, HAFNIUM Group, Hermetic Wiper, SolarWinds WHD RCE Post Exploitation, Malicious PowerShell, Cisco Network Visibility Module Analytics, XWorm, Ingress Tool Transfer, NPM Supply Chain Compromise, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Tuoni, IcedID, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse 2026-05-13
Windows PowGoop Beacon Decoding Sysmon EventID 1, CrowdStrike ProcessRollup2 T1001 T1059.001 TTP Compromised Windows Host 2026-05-13
Windows App Layer Protocol Qakbot NamedPipe Sysmon EventID 18, Sysmon EventID 17 T1071 Anomaly Qakbot 2026-05-13
Windows SQL Spawning CertUtil Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1105 TTP SQL Server Abuse, Flax Typhoon, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows Short Lived DNS Record Windows Event Log Security 5137, Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS 2026-05-13
Linux Ingress Tool Transfer with Curl Sysmon for Linux EventID 1 T1105 Anomaly XorDDos, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer 2026-05-13
Windows Protocol Tunneling with Plink Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery Sysmon EventID 22 T1071.004 TTP Lokibot 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Living Off The Land, Hellcat Ransomware 2026-05-13
Linux Curl Upload File Sysmon for Linux EventID 1, Cisco Isovalent Process Exec T1105 TTP Ingress Tool Transfer, NPM Supply Chain Compromise, Linux Living Off The Land, Data Exfiltration 2026-05-13
Windows Remote Access Software BRC4 Loaded Dll Sysmon EventID 7 T1003 T1219 Anomaly Brute Ratel C4 2026-05-13
Cisco NVM - Webserver Download From File Sharing Website Cisco Network Visibility Module Flow Data T1105 T1190 TTP Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Credential Target Information Structure in Commandline Sysmon EventID 1 T1071.004 T1187 T1557.001 TTP Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS 2026-05-13
Juniper Networks Remote Code Execution Exploit Detection Suricata T1059 T1105 T1190 TTP Juniper JunOS Remote Code Execution 2026-05-13
HTTP Duplicated Header Suricata T1071.001 T1190 Anomaly HTTP Request Smuggling 2026-05-13
Detect Remote Access Software Usage URL Palo Alto Network Threat T1219 Anomaly CISA AA24-241A, Ransomware, Insider Threat, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Interlock Ransomware 2026-05-13
HTTP Request to Reserved Name on IIS Server Suricata T1071.001 T1190 TTP HTTP Request Smuggling 2026-05-13
HTTP Rapid POST with Mixed Status Codes Nginx Access T1071.001 T1190 T1595 Anomaly HTTP Request Smuggling 2026-05-13
HTTP Scripting Tool User Agent Nginx Access T1071.001 Anomaly Suspicious User Agents, HTTP Request Smuggling 2026-05-13
HTTP Possible Request Smuggling Suricata T1071.001 TTP HTTP Request Smuggling 2026-05-13
Ollama Abnormal Network Connectivity Ollama Server T1571 Anomaly Suspicious Ollama Activities 2026-05-13
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Remote Employment Fraud, Suspicious Okta Activity 2026-05-13
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 T1071.003 Anomaly AgentTesla, Interlock Ransomware 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Remote Monitoring and Management Software, Suspicious User Agents 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP Meduza Stealer, Crypto Stealer, Suspicious User Agents, Lumma Stealer, RedLine Stealer, Lokibot 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Brute Ratel C4, BishopFox Sliver Adversary Emulation Framework, Cobalt Strike, Suspicious User Agents, Malicious PowerShell, Tuoni, Meterpreter, Spearphishing Attachments 2026-05-13
Detect Remote Access Software Usage DNS Sysmon EventID 22 T1219 Anomaly CISA AA24-241A, Ransomware, Insider Threat, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Scattered Spider, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Palo Alto Network Traffic, Cisco Secure Access Firewall T1095 TTP Cisco Secure Access Analytics, Command And Control, Backdoor Pingpong, China-Nexus Threat Activity 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly Local Privilege Escalation With KrbRelayUp, BlackSuit Ransomware, Suspicious User Agents, Cactus Ransomware 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event T1090.003 TTP Ransomware, Interlock Ransomware, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Ransomware, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Scattered Spider, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 T1071.004 T1102.002 Anomaly Crypto Stealer, 0bj3ctivity Stealer, BlankGrabber Stealer, VIP Keylogger 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic T1219 Anomaly Ransomware, Insider Threat, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Scattered Spider, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Sysmon EventID 22 T1102 Anomaly NjRAT, BlankGrabber Stealer, CISA AA24-241A, Malicious Inno Setup Loader 2026-05-13
Ngrok Reverse Proxy on Network Sysmon EventID 22 T1090 T1102 T1572 Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event T1071.002 TTP DHS Report TA18-074A, Cisco Secure Access Analytics, Hidden Cobra Malware, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
DNS Kerberos Coercion Sysmon EventID 22, Suricata T1071.004 T1187 T1557.001 TTP Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13