| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Cisco ASA - AAA Policy Tampering | Cisco ASA Logs | Network Device Authentication | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-04-15 |
| Cisco ASA - Core Syslog Message Volume Drop | Cisco ASA Logs | Disable or Modify Tools | Hunting | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-04 |
| Cisco ASA - Logging Disabled via CLI | Cisco ASA Logs | Disable or Modify Tools | TTP | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-04 |
| Cisco ASA - Logging Filters Configuration Tampering | Cisco ASA Logs | Disable or Modify Tools | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-04 |
| Cisco ASA - Logging Message Suppression | Cisco ASA Logs | Disable or Modify Windows Event Log, Indicator Removal | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-04 |
| Cisco Duo Admin Login Unusual Browser | Cisco Duo Activity | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Admin Login Unusual Country | Cisco Duo Activity | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Admin Login Unusual Os | Cisco Duo Activity | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Bulk Policy Deletion | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Bypass Code Generation | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Allow Devices Without Screen Lock | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Allow Network Bypass 2FA | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Allow Old Flash | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Allow Old Java | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Allow Tampered Devices | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Bypass 2FA | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Deny Access | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Policy Skip 2FA for Other Countries | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| Cisco Duo Set User Status to Bypass 2FA | Cisco Duo Administrator | Modify Authentication Process | TTP | Cisco Duo Suspicious Activity | 2026-04-15 |
| ESXi Audit Tampering | VMWare ESXi Syslog | Prevent Command History Logging, Indicator Removal | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi Download Errors | VMWare ESXi Syslog | Patch System Image, Disable or Modify Tools | Anomaly | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi Encryption Settings Modified | VMWare ESXi Syslog | Disable or Modify Tools | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi Firewall Disabled | VMWare ESXi Syslog | Disable or Modify System Firewall | TTP | Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise | 2026-05-04 |
| ESXi Lockdown Mode Disabled | VMWare ESXi Syslog | Disable or Modify Tools | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi Loghost Config Tampering | VMWare ESXi Syslog | Disable or Modify Tools | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi Syslog Config Change | VMWare ESXi Syslog | Prevent Command History Logging | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi VIB Acceptance Level Tampering | VMWare ESXi Syslog | Disable or Modify Tools | TTP | Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise | 2026-05-04 |
| M365 Copilot Agentic Jailbreak Attack | M365 Exported eDiscovery Prompts | Disable or Modify Tools | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-04 |
| M365 Copilot Impersonation Jailbreak Attack | M365 Exported eDiscovery Prompts | Disable or Modify Tools | TTP | Suspicious Microsoft 365 Copilot Activities | 2026-05-04 |
| M365 Copilot Information Extraction Jailbreak Attack | M365 Exported eDiscovery Prompts | Disable or Modify Tools | TTP | Suspicious Microsoft 365 Copilot Activities | 2026-05-04 |
| M365 Copilot Jailbreak Attempts | M365 Exported eDiscovery Prompts | Disable or Modify Tools | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-04 |
| M365 Copilot Non Compliant Devices Accessing M365 Copilot | M365 Copilot Graph API | Disable or Modify Tools | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-04 |
| Okta Multi-Factor Authentication Disabled | Okta | Multi-Factor Authentication | TTP | Okta Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2026-03-10 |
| PingID Mismatch Auth Source and Verification Response | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2026-04-15 |
| PingID New MFA Method After Credential Reset | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account, Scattered Lapsus$ Hunters | 2026-04-15 |
| PingID New MFA Method Registered For User | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2026-04-15 |
| ASL AWS Defense Evasion Delete Cloudtrail | ASL AWS CloudTrail | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| ASL AWS Defense Evasion Delete CloudWatch Log Group | ASL AWS CloudTrail | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| ASL AWS Defense Evasion Impair Security Services | ASL AWS CloudTrail | Disable or Modify Cloud Log | Hunting | AWS Defense Evasion | 2026-05-04 |
| ASL AWS Defense Evasion PutBucketLifecycle | ASL AWS CloudTrail | Lifecycle-Triggered Deletion, Disable or Modify Cloud Log | Hunting | AWS Defense Evasion | 2026-05-04 |
| ASL AWS Defense Evasion Stop Logging Cloudtrail | ASL AWS CloudTrail | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| ASL AWS Defense Evasion Update Cloudtrail | ASL AWS CloudTrail | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| ASL AWS Multi-Factor Authentication Disabled | ASL AWS CloudTrail | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover | 2026-04-15 |
| ASL AWS Network Access Control List Created with All Open Ports | ASL AWS CloudTrail | Cloud Firewall | TTP | AWS Network ACL Activity | 2026-05-04 |
| ASL AWS Network Access Control List Deleted | ASL AWS CloudTrail | Cloud Firewall | Anomaly | AWS Network ACL Activity, Scattered Lapsus$ Hunters | 2026-05-04 |
| ASL AWS New MFA Method Registered For User | ASL AWS CloudTrail | Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2026-04-15 |
| AWS Bedrock Delete GuardRails | AWS CloudTrail DeleteGuardrail | Disable or Modify Cloud Log | TTP | AWS Bedrock Security | 2026-05-04 |
| AWS Bedrock Delete Model Invocation Logging Configuration | AWS CloudTrail DeleteModelInvocationLoggingConfiguration | Disable or Modify Cloud Log | TTP | AWS Bedrock Security | 2026-05-04 |
| AWS Defense Evasion Delete Cloudtrail | AWS CloudTrail DeleteTrail | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| AWS Defense Evasion Delete CloudWatch Log Group | AWS CloudTrail DeleteLogGroup | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| AWS Defense Evasion Impair Security Services | AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteWebACL | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | Lifecycle-Triggered Deletion, Disable or Modify Cloud Log | Hunting | AWS Defense Evasion | 2026-05-04 |
| AWS Defense Evasion Stop Logging Cloudtrail | AWS CloudTrail StopLogging | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| AWS Defense Evasion Update Cloudtrail | AWS CloudTrail UpdateTrail | Disable or Modify Cloud Log | TTP | AWS Defense Evasion | 2026-05-04 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| AWS Network Access Control List Created with All Open Ports | AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry | Cloud Firewall | TTP | AWS Network ACL Activity | 2026-05-04 |
| AWS Network Access Control List Deleted | AWS CloudTrail DeleteNetworkAclEntry | Cloud Firewall | Anomaly | AWS Network ACL Activity | 2026-05-04 |
| AWS New MFA Method Registered For User | AWS CloudTrail CreateVirtualMFADevice | Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2026-04-15 |
| Azure AD Block User Consent For Risky Apps Disabled | Azure Active Directory Update authorization policy | Disable or Modify Tools | TTP | Azure Active Directory Account Takeover | 2026-05-04 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | Multi-Factor Authentication, Cloud Accounts | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | Trust Modification | TTP | Azure Active Directory Persistence | 2026-04-15 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | Trust Modification | TTP | Azure Active Directory Persistence, Hellcat Ransomware, Scattered Lapsus$ Hunters, Storm-0501 Ransomware | 2026-04-15 |
| Azure AD New MFA Method Registered For User | Azure Active Directory User registered security info | Multi-Factor Authentication | TTP | Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters | 2026-04-15 |
| Cloud Compute Instance Created With Previously Unseen Instance Type | AWS CloudTrail | Create Cloud Instance | Anomaly | Cloud Cryptomining | 2026-04-15 |
| Cloud Security Groups Modifications by User | AWS CloudTrail | Modify Cloud Compute Configurations | Anomaly | Suspicious Cloud User Activities | 2026-04-15 |
| GCP Multi-Factor Authentication Disabled | Google Workspace | Multi-Factor Authentication, Cloud Accounts | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| GitHub Enterprise Delete Branch Ruleset | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-04 |
| GitHub Enterprise Disable 2FA Requirement | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| GitHub Enterprise Disable Audit Log Event Stream | GitHub Enterprise Audit Logs | Disable or Modify Cloud Log, Supply Chain Compromise | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-04 |
| GitHub Enterprise Disable Classic Branch Protection Rule | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| GitHub Enterprise Disable Dependabot | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| GitHub Enterprise Disable IP Allow List | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| GitHub Enterprise Modify Audit Log Event Stream | GitHub Enterprise Audit Logs | Disable or Modify Cloud Log, Supply Chain Compromise | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-04 |
| GitHub Enterprise Pause Audit Log Event Stream | GitHub Enterprise Audit Logs | Disable or Modify Cloud Log, Supply Chain Compromise | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-04 |
| GitHub Enterprise Register Self Hosted Runner | GitHub Enterprise Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-04 |
| GitHub Organizations Delete Branch Ruleset | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-04 |
| GitHub Organizations Disable 2FA Requirement | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| GitHub Organizations Disable Classic Branch Protection Rule | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| GitHub Organizations Disable Dependabot | GitHub Organizations Audit Logs | Disable or Modify Tools, Supply Chain Compromise | Anomaly | GitHub Malicious Activity | 2026-05-04 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting | Azure Active Directory Account Takeover | 2026-05-04 |
| O365 Advanced Audit Disabled | O365 Change user license. | Disable or Modify Cloud Log | TTP | Office 365 Persistence Mechanisms | 2026-05-04 |
| O365 Block User Consent For Risky Apps Disabled | O365 Update authorization policy. | Disable or Modify Tools | TTP | Office 365 Account Takeover | 2026-05-04 |
| O365 Bypass MFA via Trusted IP | O365 Set Company Information. | Cloud Firewall | TTP | Office 365 Persistence Mechanisms | 2026-05-04 |
| O365 Cross-Tenant Access Change | Office 365 Universal Audit Log | Trust Modification | TTP | Azure Active Directory Persistence | 2026-04-15 |
| O365 Disable MFA | O365 Disable Strong Authentication. | Modify Authentication Process | TTP | Office 365 Persistence Mechanisms | 2026-04-15 |
| O365 Email Security Feature Changed | Office 365 Universal Audit Log | Disable or Modify Cloud Log | TTP | Office 365 Account Takeover, Office 365 Persistence Mechanisms | 2026-05-04 |
| O365 Excessive SSO logon errors | O365 UserLoginFailed | Modify Authentication Process | Anomaly | Cloud Federated Credential Abuse, Office 365 Account Takeover | 2026-04-15 |
| Attempt To Add Certificate To Untrusted Store | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Install Root Certificate | Anomaly | Disabling Security Tools | 2026-03-26 |
| Processes launching netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify System Firewall | Anomaly | Azorult, DHS Report TA18-074A, Disabling Security Tools, Hellcat Ransomware, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon | 2026-05-04 |
| Active Directory Privilege Escalation Identified | | Domain or Tenant Policy Modification | Correlation | Active Directory Privilege Escalation | 2026-04-15 |
| Add or Set Windows Defender Exclusion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | AgentTesla, CISA AA22-320A, Compromised Windows Host, Crypto Stealer, Data Destruction, NetSupport RMM Tool Abuse, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics, XWorm | 2026-05-04 |
| Allow File And Printing Sharing In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Cloud Firewall | TTP | BlackByte Ransomware, Hellcat Ransomware, Ransomware | 2026-05-04 |
| Allow Network Discovery In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Cloud Firewall | TTP | BlackByte Ransomware, Hellcat Ransomware, Medusa Ransomware, NjRAT, Ransomware, Revil Ransomware | 2026-05-04 |
| Disable AMSI Through Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Ransomware, Windows Registry Abuse | 2026-05-04 |
| Disable Defender AntiVirus Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | Black Basta Ransomware, CISA AA24-241A, Cactus Ransomware, IcedID, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse | 2026-05-04 |
| Disable Defender BlockAtFirstSeen Feature | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse | 2026-05-04 |
| Disable Defender Enhanced Notification | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse | 2026-05-04 |
| Disable Defender MpEngine Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | IcedID, Windows Registry Abuse | 2026-05-04 |
| Disable Defender Spynet Reporting | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse | 2026-05-04 |
| Disable Defender Submit Samples Consent Feature | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, BlankGrabber Stealer, CISA AA23-347A, IcedID, Windows Registry Abuse | 2026-05-04 |
| Disable ETW Through Registry | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Ransomware, Windows Registry Abuse | 2026-05-04 |
| Disable Logs Using WevtUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Clear Windows Event Logs | TTP | CISA AA23-347A, Ransomware, Rhysida Ransomware | 2026-05-04 |
| Disable Registry Tool | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disable Schedule Task | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | IcedID, Living Off The Land | 2026-05-04 |
| Disable Security Logs Using MiniNt Registry | Sysmon EventID 13 | Modify Registry | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-04-15 |
| Disable Show Hidden Files | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools, Hidden Files and Directories | Anomaly | Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disable Windows App Hotkeys | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | Windows Registry Abuse, XMRig | 2026-05-04 |
| Disable Windows Behavior Monitoring | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, Black Basta Ransomware, BlankGrabber Stealer, CISA AA23-347A, Cactus Ransomware, NetSupport RMM Tool Abuse, Ransomware, RedLine Stealer, Revil Ransomware, Scattered Lapsus$ Hunters, SolarWinds WHD RCE Post Exploitation, Storm-0501 Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disable Windows SmartScreen Protection | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disabling CMD Application | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disabling ControlPanel | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disabling Defender Services | Sysmon EventID 13 | Disable or Modify Tools | TTP | IcedID, RedLine Stealer, Windows Registry Abuse | 2026-05-04 |
| Disabling Firewall with Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | BlackByte Ransomware, Windows Defense Evasion Tactics | 2026-05-04 |
| Disabling FolderOptions Windows Feature | Sysmon EventID 13 | Disable or Modify Tools | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disabling NoRun Windows App | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disabling Task Manager | Sysmon EventID 13 | Disable or Modify Tools | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| Disabling Windows Local Security Authority Defences via Registry | Sysmon EventID 13 | Modify Authentication Process | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-04-15 |
| Enable WDigest UseLogonCredential Registry | Sysmon EventID 13 | Modify Registry, OS Credential Dumping | TTP | CISA AA22-320A, Credential Dumping, Windows Registry Abuse | 2026-04-15 |
| ETW Registry Disabled | Sysmon EventID 13 | Trusted Developer Utilities Proxy Execution, Disable or Modify Tools | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2026-05-04 |
| Excessive number of service control start as disabled | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | Windows Defense Evasion Tactics | 2026-05-04 |
| Excessive Usage Of Cacls App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Azorult, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Prestige Ransomware, Windows Post-Exploitation, XMRig | 2026-04-15 |
| Excessive Usage Of Taskkill | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | Anomaly | AgentTesla, Azorult, BlankGrabber Stealer, CISA AA22-264A, CISA AA22-277A, Crypto Stealer, NjRAT, XMRig | 2026-05-04 |
| Firewall Allowed Program Enable | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify System Firewall | Anomaly | Azorult, BlackByte Ransomware, Medusa Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics | 2026-05-04 |
| FodHelper UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry, Bypass User Account Control | TTP | BlankGrabber Stealer, Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics | 2026-04-15 |
| Hide User Account From Sign-In Screen | Sysmon EventID 13 | Disable or Modify Tools | TTP | Azorult, Warzone RAT, Windows Registry Abuse, XMRig | 2026-05-04 |
| Hiding Files And Directories With Attrib exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Permissions | TTP | Azorult, Compromised Windows Host, Crypto Stealer, Malicious Inno Setup Loader, VIP Keylogger, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2026-04-21 |
| Icacls Deny Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Azorult, Compromised Windows Host, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools, XMRig | 2026-04-15 |
| ICACLS Grant Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse, Ransomware, XMRig | 2026-04-15 |
| Linux Auditd Auditd Daemon Abort | Linux Auditd Daemon Abort | Disable or Modify Linux Audit System Log | Anomaly | Compromised Linux Host | 2026-05-04 |
| Linux Auditd Auditd Daemon Shutdown | Linux Auditd Daemon End | Disable or Modify Linux Audit System Log | Anomaly | Compromised Linux Host | 2026-05-04 |
| Linux Auditd Auditd Daemon Start | Linux Auditd Daemon Start | Disable or Modify Linux Audit System Log | Anomaly | Compromised Linux Host | 2026-05-04 |
| Linux Auditd Change File Owner To Root | Linux Auditd Proctitle | Linux and Mac Permissions | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-04-15 |
| Linux Auditd Disable Or Modify System Firewall | Linux Auditd Service Stop | Disable or Modify System Firewall | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-04 |
| Linux Auditd File Permission Modification Via Chmod | Linux Auditd Proctitle | Linux and Mac Permissions | Anomaly | Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, XorDDos | 2026-04-16 |
| Linux Auditd File Permissions Modification Via Chattr | Linux Auditd Execve | Linux and Mac Permissions | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-04-15 |
| Linux Change File Owner To Root | Sysmon for Linux EventID 1 | Linux and Mac Permissions | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-04-15 |
| Linux Impair Defenses Process Kill | Sysmon for Linux EventID 1 | Disable or Modify Tools | Hunting | AwfulShred, Data Destruction, Scattered Lapsus$ Hunters | 2026-05-04 |
| Linux Iptables Firewall Modification | Sysmon for Linux EventID 1 | Disable or Modify System Firewall | Anomaly | Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools | 2026-05-04 |
| Linux Stdout Redirection To Dev Null File | Sysmon for Linux EventID 1 | Disable or Modify System Firewall | Anomaly | Cyclops Blink, Data Destruction, Industroyer2 | 2026-05-04 |
| MacOS Gatekeeper Bypass | Osquery Results | Gatekeeper Bypass | Anomaly | MacOS Persistence Techniques, MacOS Post-Exploitation, MacOS Privilege Escalation | 2026-04-15 |
| MacOS plutil | Osquery Results | Plist File Modification | TTP | Living Off The Land | 2026-04-16 |
| Malicious InProcServer32 Modification | Sysmon EventID 12, Sysmon EventID 13 | Regsvr32, Modify Registry | TTP | Remcos, Suspicious Regsvr32 Activity | 2026-04-15 |
| Modify ACL permission To Files Or Folder | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig | 2026-04-15 |
| Permission Modification using Takeown App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification | Anomaly | Crypto Stealer, Ransomware, Sandworm Tools, Scattered Lapsus$ Hunters | 2026-04-15 |
| Powershell Disable Security Monitoring | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | BlankGrabber Stealer, CISA AA24-241A, Ransomware, Revil Ransomware | 2026-05-04 |
| Powershell Remove Windows Defender Directory | Powershell Script Block Logging 4104 | Disable or Modify Tools | TTP | Data Destruction, WhisperGate | 2026-05-04 |
| Powershell Windows Defender Exclusion Commands | Powershell Script Block Logging 4104 | Disable or Modify Tools | TTP | AgentTesla, BlankGrabber Stealer, CISA AA22-320A, Data Destruction, NetSupport RMM Tool Abuse, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics | 2026-05-04 |
| Process Kill Base On File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | XMRig | 2026-05-04 |
| Remcos client registry install entry | Sysmon EventID 12, Sysmon EventID 13 | Modify Registry | TTP | Remcos, Windows Registry Abuse | 2026-04-15 |
| Revil Registry Entry | Sysmon EventID 12, Sysmon EventID 13 | Modify Registry | TTP | Ransomware, Revil Ransomware, Windows Registry Abuse | 2026-04-15 |
| Rundll32 Shimcache Flush | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry | TTP | Compromised Windows Host, Living Off The Land, Unusual Processes | 2026-04-15 |
| Suspicious Reg exe Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry | Anomaly | DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics | 2026-04-15 |
| Suspicious wevtutil Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Clear Windows Event Logs | TTP | CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, Scattered Spider, ShrinkLocker, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation, VoidLink Cloud-Native Linux Malware, Windows Log Manipulation | 2026-05-04 |
| Unload Sysmon Filter Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools | TTP | CISA AA23-347A, Disabling Security Tools | 2026-05-04 |
| Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | PowerShell, Disable or Modify Tools | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2026-05-04 |
| Windows AD Dangerous Deny ACL Modification | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Dangerous Group ACL Modification | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Dangerous User ACL Modification | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD DCShadow Privileges ACL Addition | Windows Event Log Security 5136 | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows Permissions | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Domain Controller Audit Policy Disabled | Windows Event Log Security 4719 | Disable or Modify Tools | TTP | Windows Audit Policy Tampering | 2026-05-04 |
| Windows AD Domain Controller Promotion | Windows Event Log Security 4742 | Rogue Domain Controller | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Domain Replication ACL Addition | Windows Event Log Security 5136 | Domain or Tenant Policy Modification | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Domain Root ACL Deletion | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Domain Root ACL Modification | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD GPO Deleted | Windows Event Log Security 5136 | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-04 |
| Windows AD GPO Disabled | Windows Event Log Security 5136 | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-04 |
| Windows AD GPO New CSE Addition | Windows Event Log Security 5136 | Windows Permissions, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Hidden OU Creation | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Object Owner Updated | Windows Event Log Security 5136 | Windows Permissions, Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Self DACL Assignment | Windows Event Log Security 5136 | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Short Lived Domain Controller SPN Attribute | Windows Event Log Security 4624, Windows Event Log Security 5136 | Rogue Domain Controller | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Short Lived Server Object | Windows Event Log Security 5137, Windows Event Log Security 5141 | Rogue Domain Controller | TTP | Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows AD Suspicious Attribute Modification | Windows Event Log Security 5136 | Windows Permissions, Use Alternate Authentication Material | TTP | Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows Admon Default Group Policy Object Modified | Windows Active Directory Admon | Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2026-04-15 |
| Windows Admon Group Policy Object Created | Windows Active Directory Admon | | | | |
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mark-of-the-Web Bypass
Malicious File
|
TTP
|
MSIX Package Abuse
|
2026-04-15
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
VIP Keylogger
|
2026-04-16
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
Mark-of-the-Web Bypass
Malicious File
|
Hunting
|
MSIX Package Abuse
|
2026-04-15
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
Mark-of-the-Web Bypass
Malicious File
|
TTP
|
MSIX Package Abuse
|
2026-04-15
|
|
Windows Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate
|
2026-05-04
|
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Audit Policy Cleared via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Audit Policy Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Audit Policy Disabled via Legacy Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Audit Policy Excluded Category via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Audit Policy Restored via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2026-05-04
|
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2026-05-04
|
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2026-05-04
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
File and Directory Permissions Modification
System Network Connections Discovery
System Owner/User Discovery
System Shutdown/Reboot
System Network Configuration Discovery
Command and Scripting Interpreter
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Microsoft WSUS CVE-2025-59287, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2026-04-15
|
|
Windows CrowdStrike Agent Registry Key Removal
|
Sysmon EventID 12
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering, Windows Defense Evasion Tactics
|
2026-04-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows Defender ASR or Threat Configuration Tamper
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-04
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
Modify Registry
|
Hunting
|
Windows Attack Surface Reduction
|
2025-05-02
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
Modify Registry
|
TTP
|
Windows Attack Surface Reduction
|
2026-04-15
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, NetSupport RMM Tool Abuse, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics, XWorm
|
2026-05-04
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
Hunting
|
NjRAT, ShrinkLocker
|
2026-05-04
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12
|
Modify Registry
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2026-04-15
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
Mark-of-the-Web Bypass
Malicious File
|
Anomaly
|
MSIX Package Abuse
|
2026-04-15
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-04-15
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-04-15
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-04-15
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
BlankGrabber Stealer, Crypto Stealer, NjRAT, PXA Stealer
|
2026-05-04
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
Disable or Modify Tools
|
TTP
|
BlankGrabber Stealer, Braodo Stealer, Castle RAT, Hellcat Ransomware, Scattered Lapsus$ Hunters
|
2026-05-04
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-04-15
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
Disable or Modify Windows Event Log
|
Anomaly
|
CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics
|
2026-05-04
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-04-15
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-04
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14
|
Modify Registry
Downgrade Attack
|
Anomaly
|
Windows Persistence Techniques
|
2026-04-13
|
|
Windows EDRSilencer Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
Security Solution Tampering
|
2026-04-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Pre-OS Boot
Safe Mode Boot
|
Anomaly
|
Compromised Windows Host
|
2026-04-13
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
Disable or Modify Tools
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2026-05-04
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102, Windows Event Log System 104
|
Clear Windows Event Logs
|
TTP
|
CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2026-05-04
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
Clear Windows Event Logs
|
Hunting
|
Clop Ransomware, Ransomware, Scattered Lapsus$ Hunters, Windows Log Manipulation
|
2026-05-04
|
|
Windows Eventlog Cleared Via Wevtutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Clear Windows Event Logs
|
Anomaly
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2026-05-04
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
Disable or Modify Tools
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-04
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Permissions
|
TTP
|
Crypto Stealer, NetSupport RMM Tool Abuse
|
2026-04-15
|
|
Windows File and Directory Permissions Enable Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Permissions
|
Hunting
|
Crypto Stealer, NetSupport RMM Tool Abuse
|
2026-04-15
|
|
Windows File and Directory Permissions Remove Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Permissions
|
Anomaly
|
Crypto Stealer
|
2026-04-15
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Permissions
|
Anomaly
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-04-15
|
|
Windows Filtering Platform Policy Added to Block EDR Process
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Disabling Security Tools, Security Solution Tampering
|
2026-04-13
|
|
Windows Firewall Rule Added
|
Windows Event Log Security 4946
|
Disable or Modify System Firewall
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-04
|
|
Windows Firewall Rule Deletion
|
Windows Event Log Security 4948
|
Disable or Modify System Firewall
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-04
|
|
Windows Firewall Rule Modification
|
Windows Event Log Security 4947
|
Disable or Modify System Firewall
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-04
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Windows Event Log
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain Accounts
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-04-15
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Hunting
|
Azorult
|
2026-05-04
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Hunting
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Azorult, Scattered Lapsus$ Hunters
|
2026-05-04
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
BlankGrabber Stealer, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
BlankGrabber Stealer, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defenses Disable Auto Logger Session
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Scattered Lapsus$ Hunters, ValleyRAT
|
2026-04-15
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 13
|
Disable or Modify Tools
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
Disable or Modify Tools
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-04
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
Account Manipulation
Disable or Modify Tools
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-04
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
Account Manipulation
Disable or Modify Tools
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-04
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
Phishing
Modify Registry
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-04-15
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
Mark-of-the-Web Bypass
|
TTP
|
Quasar RAT, Warzone RAT
|
2026-04-15
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2026-04-15
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2025-05-02
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2026-04-15
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ShrinkLocker
|
2026-04-15
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
LockBit Ransomware
|
2026-04-15
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
Modify Registry
|
TTP
|
CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-04-15
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker, Windows RDP Artifacts and Defense Evasion
|
2026-04-15
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, GhostRedirector IIS Module and Rungan Backdoor, Medusa Ransomware
|
2026-04-15
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult
|
2026-04-15
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-04-15
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, RedLine Stealer, SolarWinds WHD RCE Post Exploitation
|
2026-04-15
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-04-15
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2026-04-15
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2026-04-15
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult, CISA AA23-347A
|
2026-04-15
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult
|
2026-04-15
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2026-04-15
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2026-04-15
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
BlackByte Ransomware
|
2026-04-15
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
BlackByte Ransomware
|
2026-04-15
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Warzone RAT
|
2026-04-15
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2026-04-15
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-04-15
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Rhysida Ransomware
|
2026-04-15
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2026-04-15
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2026-04-15
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2026-04-15
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Qakbot
|
2026-04-15
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
Azorult
|
2026-04-15
|
|
Windows Modify Registry Risk Behavior
|
|
Modify Registry
|
Correlation
|
Windows Registry Abuse
|
2026-04-15
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-04-15
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
RedLine Stealer, Scattered Lapsus$ Hunters
|
2026-04-15
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
Modify Registry
|
Anomaly
|
CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-04-15
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2026-04-15
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2025-05-02
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ValleyRAT
|
2026-04-15
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2026-04-15
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2026-04-15
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
NjRAT
|
2026-04-15
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2025-05-02
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2025-05-02
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-04-15
|
|
Windows Modify System Firewall with Notable Process Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
|
TTP
|
Compromised Windows Host, Medusa Ransomware, NjRAT
|
2026-05-04
|
|
Windows MpCmdRun RemoveDefinitions Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-04
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
Disable or Modify Windows Event Log
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-04
|
|
Windows New EventLog ChannelAccess Registry Value Set
|
Sysmon EventID 13
|
Disable or Modify Windows Event Log
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-04
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
Hellcat Ransomware, Outlook RCE CVE-2024-21378
|
2025-10-14
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
Modify Registry
Disable or Modify Tools
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2026-05-04
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
Modify Registry
Office Application Startup
|
TTP
|
NotDoor Malware, Windows Registry Abuse
|
2026-04-15
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-04-15
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
IIS Components
Disable or Modify Windows Event Log
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2026-05-04
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
PowerShell
Disable or Modify Tools
|
TTP
|
Azorult
|
2026-05-04
|
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Compromised Windows Host, Ransomware
|
2026-05-04
|
|
Windows Registry Certificate Added
|
Sysmon EventID 13
|
Install Root Certificate
|
Anomaly
|
Windows Drivers, Windows Registry Abuse
|
2026-04-15
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
Scheduled Task
Disable or Modify Tools
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2026-05-04
|
|
Windows Registry Dotnet ETW Disabled Via ENV Variable
|
Sysmon EventID 13
|
Disable or Modify Tools
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-04
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 13
|
SIP and Trust Provider Hijacking
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-04-15
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Gh0st RAT
|
2026-04-15
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
Modify Registry
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-04-15
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
Group Policy Modification
Scheduled Task
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques
|
2026-04-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Secret Blizzard
|
2026-04-15
|
|
Windows SIP Provider Inventory
|
|
SIP and Trust Provider Hijacking
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2025-05-02
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
SIP and Trust Provider Hijacking
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-04-15
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
Snake Malware
|
2026-04-15
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, SnappyBee
|
2026-04-15
|
|
Windows SubInAcl Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Permissions
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-04-15
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
NTFS File Attributes
|
TTP
|
Windows Persistence Techniques, Windows Post-Exploitation, Windows Privilege Escalation
|
2026-04-13
|
|
Windows Symlink Evaluation Change via Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Permissions
|
Anomaly
|
Windows Post-Exploitation
|
2026-04-15
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
Disable or Modify Tools
|
Anomaly
|
Data Destruction, Double Zero Destructor, Scattered Lapsus$ Hunters
|
2026-05-04
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
Hunting
|
Azorult, IcedID
|
2026-05-04
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
Disable or Modify Tools
Account Manipulation
Web Shell
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-04
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
Modify Authentication Process
Remote Services
External Remote Services
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-04-15
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
Disable or Modify Tools
Network Sniffing
Unsecured Credentials
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-04
|
|
Windows AD Replication Service Traffic
|
|
DCSync
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-03-10
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-03-10
|