|
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
|
Splunk
|
T1552
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
T1649
|
Correlation
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Credentials from Password Stores Deletion
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555
|
TTP
|
DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Compromised Linux Host, Scattered Lapsus$ Hunters, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.004
|
TTP
|
Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Crowdstrike Medium Severity Alert
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2026-05-13
|
|
Windows Kerberos Coercion via DNS
|
Windows Event Log Security 5137, Windows Event Log Security 4662, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1558
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
T1003.008
|
Anomaly
|
Compromised Linux Host, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
T1552.002
|
TTP
|
BlackMatter Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
SecretDumps Offline NTDS Dumping Tool
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Compromised Windows Host, Graceful Wipe Out Attack, Rhysida Ransomware, Storm-0501 Ransomware, Credential Dumping
|
2026-05-13
|
|
Windows Unusual Intelliform Storage Registry Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT, Lokibot
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware
|
2026-05-13
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-05-13
|
|
Creation of Shadow Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host, Volt Typhoon
|
2026-05-13
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
T1558.001
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
TTP
|
Active Directory Password Spraying
|
2026-05-13
|
|
Dump LSASS via procdump
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.001
|
TTP
|
Compromised Windows Host, Seashell Blizzard, Storm-2460 CLFS Zero Day Exploitation, HAFNIUM Group, CISA AA22-257A, Credential Dumping
|
2026-05-13
|
|
Possible Browser Pass View Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555.003
|
Hunting
|
Remcos
|
2026-05-13
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Rhysida Ransomware, Active Directory Kerberos Attacks, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Mimikatz Binary Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003
|
TTP
|
Sandworm Tools, Compromised Windows Host, Credential Dumping, Volt Typhoon, CISA AA22-320A, Flax Typhoon, Scattered Spider, CISA AA23-347A
|
2026-05-13
|
|
Cisco Isovalent - Access To Cloud Metadata Service
|
Cisco Isovalent Process Connect
|
T1552.005
|
Anomaly
|
Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
AgentTesla, Azorult, Phemedrone Stealer, SnappyBee, StealC Stealer, Remcos, NjRAT, FIN7, Salt Typhoon, Malicious Inno Setup Loader, Quasar RAT, DarkGate Malware, Snake Keylogger, 3CX Supply Chain Attack, RedLine Stealer, China-Nexus Threat Activity, VIP Keylogger, Warzone RAT, 0bj3ctivity Stealer, BlankGrabber Stealer, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Crypto Stealer, Compromised User Account
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export Certificate
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
T1003.001
|
TTP
|
Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, CISA AA22-257A, Credential Dumping
|
2026-05-13
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Scattered Lapsus$ Hunters, Cactus Ransomware, Credential Dumping, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Credentials in Registry Reg Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1552.002
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Crowdstrike Admin With Duplicate Password
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
T1003.004
|
TTP
|
Scattered Lapsus$ Hunters, CISA AA23-347A
|
2026-05-13
|
|
Windows Credentials from Password Stores Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555
|
Anomaly
|
DarkGate Malware, NetSupport RMM Tool Abuse, Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Detect Zerologon Attack, Scattered Lapsus$ Hunters, Credential Dumping, BlackSuit Ransomware, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows LAPS Password Gathering Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1003
T1552
|
Anomaly
|
Active Directory Privilege Escalation, Credential Dumping
|
2026-05-13
|
|
Windows Findstr GPP Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
T1003
|
TTP
|
Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-05-13
|
|
Rubeus Command Line Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, ZOVWiper, Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
T1056.002
|
Hunting
|
Brute Ratel C4, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003.002
|
TTP
|
Credential Dumping, VanHelsing Ransomware
|
2026-05-13
|
|
Crowdstrike Admin Weak Password Policy
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4887, Windows Event Log Security 4768
|
T1550
T1649
|
TTP
|
Windows Certificate Services, Compromised Windows Host
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Cached Domain Credentials Reg Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.005
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Insider Threat, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Credential Dumping LSASS Memory Createdump
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.001
|
TTP
|
Credential Dumping, Scattered Lapsus$ Hunters, Compromised Windows Host
|
2026-05-13
|
|
Ntdsutil Export NTDS
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
NetSupport RMM Tool Abuse, Rhysida Ransomware, Volt Typhoon, HAFNIUM Group, Prestige Ransomware, Living Off The Land, Credential Dumping
|
2026-05-13
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
T1552
|
Anomaly
|
Meduza Stealer, VIP Keylogger, StealC Stealer, 0bj3ctivity Stealer, Snake Keylogger, Lokibot
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
Windows Registry Abuse, Credential Dumping, CISA AA22-320A
|
2026-05-13
|
|
Windows Sensitive Registry Hive Dump Via CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.002
|
TTP
|
Compromised Windows Host, DarkSide Ransomware, Seashell Blizzard, Volt Typhoon, Data Destruction, Windows Registry Abuse, CISA AA22-257A, Industroyer2, Credential Dumping, CISA AA23-347A
|
2026-05-13
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services, Water Gamayun, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Crowdstrike Multiple LOW Severity Alerts
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
ServicePrincipalNames Discovery with SetSPN
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1558.003
|
TTP
|
Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Active Directory Discovery, Compromised Windows Host
|
2026-05-13
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
T1003.006
|
TTP
|
Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
T1558.003
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Gozi Malware, Active Directory Privilege Escalation, Compromised Windows Host
|
2026-05-13
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
T1649
|
Anomaly
|
Windows Certificate Services, Hellcat Ransomware
|
2026-05-13
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
TTP
|
Insider Threat, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
T1003.006
|
TTP
|
Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Windows Certificate Services, Malicious PowerShell
|
2026-05-13
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Credential Dumping, Scattered Lapsus$ Hunters, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Crowdstrike High Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
Hunting
|
Credential Dumping, Scattered Lapsus$ Hunters, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Windows Credentials from Password Stores Creation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555
|
TTP
|
DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Crowdstrike User with Duplicate Password
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
T1555.004
|
Anomaly
|
Meduza Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
CISA AA22-264A, Detect Zerologon Attack, DarkSide Ransomware, Scattered Lapsus$ Hunters, CISA AA22-257A, Credential Dumping, CISA AA23-347A
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
CISA AA22-264A, Sandworm Tools, CISA AA22-320A, Data Destruction, Malicious PowerShell, Hermetic Wiper, Scattered Spider, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
Certutil exe certificate extraction
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
TTP
|
Compromised Windows Host, Windows Certificate Services, Windows Persistence Techniques, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Cloud Federated Credential Abuse
|
2026-05-13
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Process With NetExec Command Line Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
MacOS Keychains Dumped
|
Osquery Results
|
T1555.001
|
TTP
|
MacOS Privilege Escalation
|
2026-05-13
|
|
Credential Dumping via Copy Command from Shadow Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
T1003.002
|
TTP
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
T1003.002
|
Hunting
|
Rhysida Ransomware, Credential Dumping, Graceful Wipe Out Attack
|
2026-05-13
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
AgentTesla, Phemedrone Stealer, SnappyBee, StealC Stealer, Remcos, NjRAT, FIN7, Salt Typhoon, Malicious Inno Setup Loader, Quasar RAT, DarkGate Malware, Snake Keylogger, 3CX Supply Chain Attack, RedLine Stealer, China-Nexus Threat Activity, VIP Keylogger, Warzone RAT, BlankGrabber Stealer, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Linux Auditd Private Keys and Certificate Enumeration
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Compromised Linux Host, Scattered Lapsus$ Hunters, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4887, Windows Event Log Security 4886
|
T1649
|
TTP
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Post Exploitation Risk Behavior
|
|
T1003
T1012
T1016
T1049
T1069
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2026-05-13
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Privilege Escalation, Active Directory Discovery, Malicious PowerShell, Active Directory Kerberos Attacks, Hellcat Ransomware
|
2026-05-13
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
T1558.003
|
TTP
|
Compromised Windows Host, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
T1003.001
|
TTP
|
Credential Dumping, BlackSuit Ransomware, Lokibot
|
2026-05-13
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1552.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Windows Private Keys Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1552.004
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Unusual FileZilla XML Config Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT
|
2026-05-13
|
|
Crowdstrike User Weak Password Policy
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Certify Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1105
T1649
|
TTP
|
Windows Certificate Services, Compromised Windows Host, Ingress Tool Transfer
|
2026-05-13
|
|
Attacker Tools On Endpoint
|
Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003
T1036.005
T1595
|
TTP
|
CISA AA22-264A, Compromised Windows Host, Cisco Network Visibility Module Analytics, XMRig, SamSam Ransomware, Scattered Spider, Unusual Processes, PHP-CGI RCE Attack on Japanese Organizations
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Short Lived DNS Record
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Theme File Creation in Unusual Location
|
Sysmon EventID 11
|
T1021.002
T1187
T1557.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1649
|
Anomaly
|
Windows Certificate Services, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Shai-Hulud 2 Exfiltration Artifact Files
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1074.001
T1195.002
T1552.001
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Password Managers Discovery
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1555.005
|
Anomaly
|
Scattered Spider, Scattered Lapsus$ Hunters, Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
T1649
|
Anomaly
|
CISA AA23-347A, Windows Certificate Services, Sandworm Tools
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
T1003.008
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2026-05-13
|
|
Creation of Shadow Copy with wmic and powershell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Living Off The Land, Credential Dumping, Compromised Windows Host, Volt Typhoon
|
2026-05-13
|
|
Esentutl SAM Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.002
|
Hunting
|
Credential Dumping, Living Off The Land
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Dump LSASS via comsvcs DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.001
|
TTP
|
CISA AA22-264A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Scattered Lapsus$ Hunters, Volt Typhoon, Hellcat Ransomware, Data Destruction, HAFNIUM Group, Prestige Ransomware, CISA AA22-257A, Industroyer2, Living Off The Land, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Detect Certipy File Modifications
|
Sysmon EventID 11
|
T1560
T1649
|
TTP
|
Windows Certificate Services, Ingress Tool Transfer, Data Exfiltration
|
2026-05-13
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
Anomaly
|
Insider Threat, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Credential Dumping via Symlink to Shadow Copy
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Crowdstrike Medium Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
T1003
T1219
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
T1187
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-05-13
|
|
Windows Credential Target Information Structure in Commandline
|
Sysmon EventID 1
|
T1071.004
T1187
T1557.001
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Insider Threat, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
CrushFTP Max Simultaneous Users From IP
|
CrushFTP
|
T1110.001
T1110.004
|
Anomaly
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Okta Multiple Accounts Locked Out
|
Okta
|
T1110
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556.006
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta Multiple Users Failing To Authenticate From Ip
|
Okta
|
T1110.003
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi SSH Brute Force
|
VMWare ESXi Syslog
|
T1110
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
ESXi Sensitive Files Accessed
|
VMWare ESXi Syslog
|
T1003.008
T1005
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware, China-Nexus Threat Activity
|
2026-05-13
|
|
| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Okta Suspicious Use of a Session Cookie | Okta | T1539 | Anomaly | Scattered Lapsus$ Hunters, Okta Account Takeover, Suspicious Okta Activity | 2026-05-13 |
| Detect Password Spray Attempts | Windows Event Log Security 4625 | T1110.003 | TTP | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Cisco Duo Policy Allow Devices Without Screen Lock | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| M365 Copilot Failed Authentication Patterns | M365 Copilot Graph API | T1110 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Cisco Duo Policy Allow Old Flash | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Admin Login Unusual Country | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Sensitive System File Search | MCP Server | T1552.001 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Okta Phishing Detection with FastPass Origin Check | Okta | T1078.001, T1556 | TTP | Okta Account Takeover | 2026-05-13 |
| Cisco ASA - AAA Policy Tampering | Cisco ASA Logs | T1556.004 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| PingID Multiple Failed MFA Requests For User | PingID | T1078, T1110, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Cisco Duo Bypass Code Generation | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Github Suspicious Operation | MCP Server | T1552.001 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Cisco Duo Policy Skip 2FA for Other Countries | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco ASA - Packet Capture Activity | Cisco ASA Logs | T1040, T1557 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| PingID New MFA Method After Credential Reset | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account, Scattered Lapsus$ Hunters | 2026-05-13 |
| Okta Multiple Failed MFA Requests For User | Okta | T1621 | Anomaly | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta Risk Threshold Exceeded | Okta | T1078, T1110 | Correlation | Okta MFA Exhaustion, Okta Account Takeover, Suspicious Okta Activity | 2026-05-13 |
| Cisco Duo Bulk Policy Deletion | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | T1110.003 | Hunting | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Cisco Duo Policy Allow Tampered Devices | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Set User Status to Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Postgres Suspicious Query | MCP Server | T1555 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Cisco Duo Policy Deny Access | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Policy Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Okta Mismatch Between Source and Response for Verify Push Request | Okta | T1621 | TTP | Scattered Lapsus$ Hunters, Okta MFA Exhaustion, Okta Account Takeover | 2026-05-13 |
| Okta MFA Exhaustion Hunt | Okta | T1110 | Hunting | Scattered Lapsus$ Hunters, Okta MFA Exhaustion, Okta Account Takeover | 2026-05-13 |
| Okta Successful Single Factor Authentication | Okta | T1078.004, T1586.003, T1621 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Cisco ASA - User Account Lockout Threshold Exceeded | Cisco ASA Logs | T1110.001, T1110.003 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco Duo Policy Allow Network Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Okta Authentication Failed During MFA Challenge | Okta | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| PingID Mismatch Auth Source and Verification Response | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Cisco Duo Admin Login Unusual Browser | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| O365 Excessive SSO logon errors | O365 UserLoginFailed | T1556 | Anomaly | Office 365 Account Takeover, Cloud Federated Credential Abuse | 2026-05-13 |
| AWS Multiple Failed MFA Requests For User | AWS CloudTrail ConsoleLogin | T1586.003, T1621 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Multiple Denied MFA Requests For User | Azure Active Directory Sign-in activity | T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Detect AWS Console Login by New User | AWS CloudTrail | T1552, T1586.003 | Hunting | AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities | 2026-05-13 |
| O365 SharePoint Suspicious Search Behavior | Office 365 Universal Audit Log | T1213.002, T1552 | Anomaly | CISA AA22-320A, Office 365 Account Takeover, Compromised User Account, Office 365 Collection Techniques | 2026-05-13 |
| O365 File Permissioned Application Consent Granted by User | O365 Consent to application. | T1528 | TTP | Office 365 Account Takeover | 2026-05-13 |
| ASL AWS New MFA Method Registered For User | ASL AWS CloudTrail | T1556.006 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Kubernetes Nginx Ingress LFI | | T1212 | TTP | Dev Sec Ops | 2026-05-13 |
| Kubernetes Nginx Ingress RFI | | T1212 | TTP | Dev Sec Ops | 2026-05-13 |
| AWS Console Login Failed During MFA Challenge | AWS CloudTrail ConsoleLogin | T1586.003, T1621 | TTP | Compromised User Account, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| O365 Multi-Source Failed Authentications Spike | O365 UserLoginFailed | T1110.003, T1110.004, T1586.003 | Hunting | Office 365 Account Takeover, NOBELIUM Group | 2026-05-13 |
| AWS Credential Access Failed Login | AWS CloudTrail ConsoleLogin | T1110.001, T1586.003 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| O365 Privileged Graph API Permission Assigned | O365 Update application. | T1003.002 | TTP | Office 365 Persistence Mechanisms, NOBELIUM Group | 2026-05-13 |
| Azure AD OAuth Application Consent Granted By User | Azure Active Directory Consent to application | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Kubernetes Abuse of Secret by Unusual Location | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-05-13 |
| GCP Multiple Users Failing To Authenticate From Ip | Google Workspace | T1110.003, T1110.004, T1586.003 | Anomaly | GCP Account Takeover | 2026-05-13 |
| O365 High Number Of Failed Authentications for User | O365 UserLoginFailed | T1110.001 | TTP | Office 365 Account Takeover | 2026-05-13 |
| Kubernetes Abuse of Secret by Unusual User Name | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-05-13 |
| ASL AWS Multi-Factor Authentication Disabled | ASL AWS CloudTrail | T1556.006, T1586.003, T1621 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Privileged Authentication Administrator Role Assigned | Azure Active Directory Add member to role | T1003.002 | TTP | Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13 |
| AWS IAM Assume Role Policy Brute Force | AWS CloudTrail | T1110, T1580 | TTP | AWS IAM Privilege Escalation | 2026-05-13 |
| Azure AD High Number Of Failed Authentications From Ip | Azure Active Directory | T1110.001, T1110.003 | TTP | Compromised User Account, Azure Active Directory Account Takeover, NOBELIUM Group | 2026-05-13 |
| Kubernetes Abuse of Secret by Unusual User Agent | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-05-13 |
| AWS Credential Access RDS Password reset | AWS CloudTrail ModifyDBInstance | T1110, T1586.003 | TTP | Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Device Code Authentication | Azure Active Directory | T1528, T1566.002 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| GCP Multi-Factor Authentication Disabled | Google Workspace | T1556.006, T1586.003 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| GCP Unusual Number of Failed Authentications From Ip | Google Workspace | T1110.003, T1110.004, T1586.003 | Anomaly | GCP Account Takeover | 2026-05-13 |
| Kubernetes Abuse of Secret by Unusual User Group | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2026-05-13 |
| AWS Credential Access GetPasswordData | AWS CloudTrail GetPasswordData | T1110.001, T1586.003 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD User Consent Denied for OAuth Application | Azure Active Directory Sign-in activity | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Multiple Users Failing To Authenticate From Ip | AWS CloudTrail ConsoleLogin | T1110.003, T1110.004 | Anomaly | Compromised User Account, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| ASL AWS Credential Access RDS Password reset | ASL AWS CloudTrail | T1110, T1586.003 | TTP | Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| ASL AWS Credential Access GetPasswordData | ASL AWS CloudTrail | T1110.001, T1586.003 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| O365 Email Suspicious Search Behavior | Office 365 Universal Audit Log | T1114.002, T1552 | Anomaly | CISA AA22-320A, Office 365 Account Takeover, Compromised User Account, Office 365 Collection Techniques | 2026-05-13 |
| O365 Mail Permissioned Application Consent Granted by User | O365 Consent to application. | T1528 | TTP | Office 365 Account Takeover | 2026-05-13 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Disable MFA | O365 Disable Strong Authentication. | T1556 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| O365 Multiple OS Vendors Authenticating From User | Office 365 Universal Audit Log | T1110 | TTP | Office 365 Account Takeover | 2026-05-13 |
| AWS Unusual Number of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | T1110.003, T1110.004, T1586.003 | Anomaly | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| AWS High Number Of Failed Authentications From Ip | AWS CloudTrail ConsoleLogin | T1110.003, T1110.004 | Anomaly | Compromised User Account, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| AWS New MFA Method Registered For User | AWS CloudTrail CreateVirtualMFADevice | T1556.006 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | T1556.006, T1586.003 | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| O365 Excessive Authentication Failures Alert | | T1110 | Anomaly | Office 365 Account Takeover | 2026-05-13 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Privileged Graph API Permission Assigned | Azure Active Directory Update application | T1003.002 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| O365 Multiple Failed MFA Requests For User | O365 UserLoginFailed | T1621 | TTP | Office 365 Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD New MFA Method Registered For User | Azure Active Directory User registered security info | T1556.006 | TTP | Compromised User Account, Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Hunting | Azure Active Directory Account Takeover, NOBELIUM Group | 2026-05-13 |
| Azure AD User Consent Blocked for Risky Application | Azure Active Directory Consent to application | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| High Number of Login Failures from a single source | O365 UserLoginFailed | T1110.001 | Anomaly | Office 365 Account Takeover | 2026-05-13 |
| O365 User Consent Blocked for Risky Application | O365 Consent to application. | T1528 | TTP | Office 365 Account Takeover | 2026-05-13 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice | T1556.006, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Azure AD Successful Authentication From Different Ips | Azure Active Directory | T1110.001, T1110.003 | TTP | Compromised User Account, Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Multiple Users Failing To Authenticate From Ip | O365 UserLoginFailed | T1110.003, T1110.004, T1586.003 | TTP | Office 365 Account Takeover, NOBELIUM Group | 2026-05-13 |
| ASL AWS IAM Assume Role Policy Brute Force | ASL AWS CloudTrail | T1110, T1580 | TTP | Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation | 2026-05-13 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | T1110.003, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 User Consent Denied for OAuth Application | O365 | T1528 | TTP | Office 365 Account Takeover | 2026-05-13 |
| Azure AD High Number Of Failed Authentications For User | Azure Active Directory | T1110.001 | TTP | Compromised User Account, Azure Active Directory Account Takeover | 2026-05-13 |
| Windows Remote Desktop Network Bruteforce Attempt | Sysmon EventID 3, Cisco Secure Access Firewall | T1110.001 | Anomaly | Windows RDP Artifacts and Defense Evasion, Cisco Secure Access Analytics, SamSam Ransomware, Ryuk Ransomware, Compromised User Account | 2026-05-13 |
| Cisco Secure Firewall - Blocked Connection | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect ARP Poisoning | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Repeated Blocked Connections | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Rogue DHCP Server | Cisco IOS Logs | T1200, T1498, T1557 | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - High Priority Intrusion Classification | Cisco Secure Firewall Threat Defense Intrusion Event | T1003, T1071, T1078, T1190, T1203 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Windows AD Replication Service Traffic | | T1003.006, T1207 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Cisco Network Interface Modifications | Cisco IOS Logs | T1021, T1133, T1556 | Anomaly | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect Port Security Violation | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1003.001, T1059.001, T1190, T1210 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| DNS Kerberos Coercion | Sysmon EventID 22, Suricata | T1071.004, T1187, T1557.001 | TTP | Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS | 2026-05-13 |
| Cisco SNMP Community String Configuration Changes | Cisco IOS Logs | T1040, T1552, T1685 | Anomaly | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect IPv6 Network Infrastructure Threats | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13 |

|