| Detection | Data Source | ATT&CK Technique(s) | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows PowerShell Invoke-Sqlcmd Execution | Powershell Script Block Logging 4104 | T1059.001, T1059.003 | Hunting | SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | T1053.006 | Anomaly | Compromised Linux Host, Scheduled Tasks, Gomir, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, AwfulShred | 2026-05-13 |
| MSBuild Suspicious Spawned By Script Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1127.001 | TTP | Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild | 2026-05-13 |
| PowerShell 4104 Hunting | Powershell Script Block Logging 4104 | T1059.001 | Hunting | SystemBC, Braodo Stealer, Data Destruction, Lumma Stealer, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Cleo File Transfer Software, Axios Supply Chain Post Compromise, APT37 Rustonotto and FadeStealer, Hermetic Wiper, Medusa Ransomware, Flax Typhoon, Scattered Spider, CISA AA24-241A, Rhysida Ransomware, MuddyWater, Salt Typhoon, Cactus Ransomware, Malicious PowerShell, DarkGate Malware, XWorm, China-Nexus Threat Activity, 0bj3ctivity Stealer, Microsoft WSUS CVE-2025-59287, CISA AA23-347A, Hellcat Ransomware, Interlock Ransomware | 2026-05-13 |
| Windows WMI Process And Service List | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1047 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2026-05-13 |
| Reg exe Manipulating Windows Services Registry Keys | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.011 | TTP | Windows Persistence Techniques, Windows Service Abuse, Living Off The Land | 2026-05-13 |
| Windows PowerShell WMI Win32 ScheduledJob | Powershell Script Block Logging 4104 | T1059.001 | TTP | Active Directory Lateral Movement | 2026-05-13 |
| Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | T1574.006 | TTP | China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows TeamCity Payload Execution from Temp Directory | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059, T1190, T1505.003 | TTP | JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE | 2026-05-13 |
| PowerShell Invoke WmiExec Usage | Powershell Script Block Logging 4104 | T1047 | TTP | Scattered Lapsus$ Hunters, Suspicious WMI Use | 2026-05-13 |
| Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1059.001 | TTP | Data Destruction, Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper | 2026-05-13 |
| Windows Crowdstrike RTR Script Execution | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001 | Anomaly | Living Off The Land, Malicious PowerShell, Cobalt Strike, Suspicious MSHTA Activity | 2026-05-13 |
| Powershell Load Module in Meterpreter | Powershell Script Block Logging 4104 | T1059.001 | TTP | MetaSploit | 2026-05-13 |
| Windows Explorer.exe Spawning PowerShell or Cmd | Windows Event Log Security 4688, Sysmon EventID 1 | T1059.001, T1204.002 | Hunting | ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day | 2026-05-13 |
| Windows Binary Execution from an Archive | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204.002 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Execute Javascript With Jscript COM CLSID | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.005 | TTP | Ransomware | 2026-05-13 |
| Suspicious msbuild path | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.003, T1127.001 | TTP | Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, BlackByte Ransomware, Living Off The Land, Masquerading - Rename System Utilities | 2026-05-13 |
| Remote Process Instantiation via WMI and PowerShell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1047 | TTP | Compromised Windows Host, Active Directory Lateral Movement | 2026-05-13 |
| Powershell Processing Stream Of Data | Powershell Script Block Logging 4104 | T1059.001 | TTP | Braodo Stealer, IcedID, XWorm, AsyncRAT, MuddyWater, PXA Stealer, Data Destruction, MoonPeak, Malicious PowerShell, Hermetic Wiper, Medusa Ransomware, Hellcat Ransomware | 2026-05-13 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | T1059.001, T1592 | Anomaly | Qakbot, Axios Supply Chain Post Compromise, AsyncRAT, VIP Keylogger, Malicious Inno Setup Loader, Data Destruction, MoonPeak, Malicious PowerShell, Quasar RAT, LockBit Ransomware, Hermetic Wiper, Industroyer2, Scattered Spider, BlankGrabber Stealer | 2026-05-13 |
| Powershell Using memory As Backing Store | Powershell Script Block Logging 4104 | T1059.001 | TTP | Data Destruction, MoonPeak, Malicious PowerShell, Hermetic Wiper, IcedID, Medusa Ransomware | 2026-05-13 |
| Windows Service Created with Suspicious Service Name | Windows Event Log System 7045 | T1569.002 | Anomaly | Qakbot, Brute Ratel C4, Snake Malware, Clop Ransomware, Tuoni, Active Directory Lateral Movement, Gh0st RAT, Flax Typhoon, PlugX, CISA AA23-347A | 2026-05-13 |
| Malicious Powershell Executed As A Service | Windows Event Log System 7045 | T1569.002 | TTP | Rhysida Ransomware, Malicious PowerShell, Compromised Windows Host | 2026-05-13 |
| CMD Echo Pipe - Escalation | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.003, T1543.003 | TTP | Compromised Windows Host, Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware | 2026-05-13 |
| Cisco Isovalent - Non Allowlisted Image Use | Cisco Isovalent Process Exec | T1204.003 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | T1574.001 | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2026-05-13 |
| Windows GrimResource - MMC Process Accessing APDS DLL | Windows Event Log Security 4663 | T1059.007, T1218.014 | TTP | Compromised Windows Host | 2026-05-13 |
| Suspicious Scheduled Task from Public Directory | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005 | Anomaly | Azorult, APT37 Rustonotto and FadeStealer, Medusa Ransomware, Living Off The Land, Scattered Spider, CISA AA24-241A, Crypto Stealer, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Quasar RAT, Ryuk Ransomware, XWorm, Ransomware, China-Nexus Threat Activity, Windows Persistence Techniques, Scheduled Tasks, MoonPeak, NetSupport RMM Tool Abuse, DarkCrystal RAT, CISA AA23-347A, Lokibot | 2026-05-13 |
| Powershell Execute COM Object | Powershell Script Block Logging 4104 | T1059.001, T1546.015 | TTP | Data Destruction, Malicious PowerShell, Ransomware, Hermetic Wiper | 2026-05-13 |
| Windows Command and Scripting Interpreter Path Traversal Exec | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | TTP | Windows Defense Evasion Tactics, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host | 2026-05-13 |
| Impacket Lateral Movement Commandline Parameters | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1021.002, T1021.003, T1047, T1543.003 | TTP | WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon, Data Destruction, CISA AA22-277A, Storm-0501 Ransomware, Prestige Ransomware, Active Directory Lateral Movement, Industroyer2, Gozi Malware | 2026-05-13 |
| Suspicious microsoft workflow compiler usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1127 | TTP | Living Off The Land, Trusted Developer Utilities Proxy Execution | 2026-05-13 |
| Windows MSIX Package Interaction | Windows Event Log AppXPackaging 171 | T1204.002 | Hunting | MSIX Package Abuse | 2026-05-13 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | T1574.006 | TTP | Compromised Linux Host, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | T1547, T1574.001 | Anomaly | XWorm, China-Nexus Threat Activity, Salt Typhoon, Earth Alux, APT29 Diplomatic Deceptions with WINELOADER, Derusbi | 2026-05-13 |
| Cisco Isovalent - Cron Job Creation | Cisco Isovalent Process Exec | T1053.003, T1053.007 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | T1053.002 | Anomaly | Compromised Linux Host, Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Cisco NVM - Susp Script From Archive Triggering Network Activity | Cisco Network Visibility Module Flow Data | T1059.005, T1204.002 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Scheduled Task with Highest Privileges | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005 | TTP | Compromised Windows Host, XWorm, Castle RAT, AsyncRAT, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Quasar RAT, NetSupport RMM Tool Abuse, CISA AA23-347A, RedLine Stealer | 2026-05-13 |
| Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | T1053.005 | TTP | Compromised Windows Host, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement, CISA AA23-347A | 2026-05-13 |
| Windows Compatibility Telemetry Suspicious Child Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005, T1546 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | T1053.006 | Anomaly | China-Nexus Threat Activity, Scheduled Tasks, Gomir, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows AutoIt3 Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | TTP | Crypto Stealer, DarkGate Malware, Void Manticore, Handala Wiper | 2026-05-13 |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001, T1059.003, T1204.001 | TTP | Cisco Network Visibility Module Analytics, Scattered Lapsus$ Hunters, Fake CAPTCHA Campaigns, NetSupport RMM Tool Abuse, Interlock Ransomware | 2026-05-13 |
| Schtasks scheduling job on remote system | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005 | TTP | Compromised Windows Host, Scheduled Tasks, Active Directory Lateral Movement, Quasar RAT, Prestige Ransomware, Living Off The Land, Phemedrone Stealer, NOBELIUM Group, RedLine Stealer | 2026-05-13 |
| Windows Suspicious VMWare Tools Child Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | TTP | ESXi Post Compromise, China-Nexus Threat Activity | 2026-05-13 |
| Windows AppX Deployment Full Trust Package Installation | Windows Event Log AppXDeployment-Server 400 | T1204.002, T1553.005 | Hunting | MSIX Package Abuse | 2026-05-13 |
| Windows Powershell RemoteSigned File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001 | Anomaly | Amadey | 2026-05-13 |
| Detect Rare Executables | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204 | Anomaly | SnappyBee, China-Nexus Threat Activity, Rhysida Ransomware, Crypto Stealer, Salt Typhoon, Unusual Processes | 2026-05-13 |
| MacOS AMOS Stealer - Virtual Machine Check Activity | Osquery Results | T1059.002 | Anomaly | AMOS Stealer, Hellcat Ransomware | 2026-05-13 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, Gomir, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path, Linux Auditd Cwd | T1053.003 | Hunting | Compromised Linux Host, Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos | 2026-05-13 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land | 2026-05-13 |
| WMI Permanent Event Subscription | | T1047 | TTP | Suspicious WMI Use | 2026-05-13 |
| Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | T1053.005, T1059.001 | Anomaly | Scattered Spider, Scheduled Tasks | 2026-05-13 |
| BITSAdmin Download File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1105, T1197 | TTP | DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Flax Typhoon, BITS Jobs, Gozi Malware, Living Off The Land, Scattered Spider, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Windows SSH Proxy Command | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001, T1105, T1572 | Anomaly | Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware | 2026-05-13 |
| Svchost LOLBAS Execution Process Spawn | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005 | TTP | Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement | 2026-05-13 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | T1053.002 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2026-05-13 |
| Windows Command and Scripting Interpreter Hunting Path Traversal | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | Hunting | Windows Defense Evasion Tactics, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | 2026-05-13 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos | 2026-05-13 |
| Windows Suspicious React or Next.js Child Process | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001, T1059.003, T1190 | TTP | React2Shell | 2026-05-13 |
| Suspicious Process Executed From Container File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.008, T1204.002 | TTP | Water Gamayun, APT37 Rustonotto and FadeStealer, Amadey, Remcos, Snake Keylogger, Unusual Processes, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Clop Common Exec Parameter | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204 | TTP | Clop Ransomware, Compromised Windows Host | 2026-05-13 |
| WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | T1053.005 | TTP | SystemBC, Windows Error Reporting Service Elevation of Privilege Vulnerability, Compromised Windows Host, Ransomware, Winter Vivern, China-Nexus Threat Activity, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, Salt Typhoon, 0bj3ctivity Stealer, CISA AA22-257A, Ryuk Ransomware, Medusa Ransomware | 2026-05-13 |
| PowerShell Start-BitsTransfer | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1197 | TTP | Gozi Malware, BITS Jobs | 2026-05-13 |
| Windows Scheduled Task Created Via XML | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005 | Anomaly | Winter Vivern, Scheduled Tasks, Malicious Inno Setup Loader, MoonPeak, CISA AA23-347A, Lokibot | 2026-05-13 |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | Sysmon EventID 13 | T1059.001 | TTP | SystemBC, SolarWinds WHD RCE Post Exploitation, Data Destruction, Malicious PowerShell, HAFNIUM Group, Hermetic Wiper, DarkGate Malware, Credential Dumping | 2026-05-13 |
| Single Letter Process On Endpoint | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204.002 | TTP | Compromised Windows Host, DHS Report TA18-074A | 2026-05-13 |
| Windows Executable in Loaded Modules | Sysmon EventID 7 | T1129 | TTP | NjRAT, Lokibot | 2026-05-13 |
| Windows Level RMM Watchdog Task Created | Windows Event Log Security 4698 | T1053, T1219 | Anomaly | Remote Monitoring and Management Software | 2026-05-13 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | T1053.003 | Anomaly | Compromised Linux Host, Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, Gomir, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, AwfulShred | 2026-05-13 |
| Cisco NVM - Curl Execution With Insecure Flags | Cisco Network Visibility Module Flow Data | T1197 | Anomaly | Microsoft WSUS CVE-2025-59287, PromptLock, Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Cobalt Strike PowerShell Loader | Powershell Script Block Logging 4104 | T1059.001, T1608 | TTP | Cobalt Strike | 2026-05-13 |
| Windows Command Shell DCRat ForkBomb Payload | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.003 | TTP | DarkCrystal RAT, Compromised Windows Host | 2026-05-13 |
| Windows Shell Process from CrushFTP | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001, T1059.003, T1190, T1505 | TTP | CrushFTP Vulnerabilities | 2026-05-13 |
| Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | T1053 | TTP | ValleyRAT | 2026-05-13 |
| Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr | Windows Event Log Security 4698 | T1053 | TTP | Water Gamayun, ValleyRAT | 2026-05-13 |
| Windows Process Execution From RDP Share | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1021.001, T1059, T1105 | Anomaly | Hidden Cobra Malware | 2026-05-13 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1027, T1059.004 | TTP | Cisco Isovalent Suspicious Activity, Linux Living Off The Land | 2026-05-13 |
| Windows Known Abused DLL Created | Sysmon EventID 11 | T1574.001 | Anomaly | Windows Defense Evasion Tactics, Living Off The Land | 2026-05-13 |
| Windows Scheduled Task with Suspicious Command | Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4698 | T1053.005 | TTP | Ransomware, Seashell Blizzard, APT37 Rustonotto and FadeStealer, Windows Persistence Techniques, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Ryuk Ransomware | 2026-05-13 |
| Windows Defender ASR Audit Events | Windows Event Log Defender 1134, Windows Event Log Defender 1132, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1122 | T1059, T1566.001, T1566.002 | Anomaly | Windows Attack Surface Reduction | 2026-05-13 |
| Windows Advanced Installer MSIX with AI_STUBS Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204.002, T1218, T1553.005 | TTP | MSIX Package Abuse | 2026-05-13 |
| Windows Service Create SliverC2 | Windows Event Log System 7045 | T1569.002 | TTP | BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host, Hellcat Ransomware | 2026-05-13 |
| Drop IcedID License dat | Sysmon EventID 11 | T1204.002 | Hunting | IcedID | 2026-05-13 |
| WMI Temporary Event Subscription | | T1047 | TTP | Suspicious WMI Use | 2026-05-13 |
| Windows DLL Side-Loading In Calc | Sysmon EventID 7 | T1574.001 | TTP | Qakbot, Earth Alux | 2026-05-13 |
| Wermgr Process Spawned CMD Or Powershell Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | TTP | Qakbot, Trickbot | 2026-05-13 |
| Windows XLL File Creation Outside of Typical Location | Sysmon EventID 11 | T1059, T1129 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Cisco NVM - Suspicious File Download via Headless Browser | Cisco Network Visibility Module Flow Data | T1059, T1105 | TTP | BlankGrabber Stealer, Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Set Custom DNS ServerLevelPlugin Via Dnscmd | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| Windows Developer-Signed MSIX Package Installation | Windows Event Log AppXDeployment-Server 855 | T1204.002, T1553.005 | Anomaly | MSIX Package Abuse | 2026-05-13 |
| MacOS LOLbin | Osquery Results | T1059.004 | TTP | Living Off The Land, Axios Supply Chain Post Compromise, Hellcat Ransomware | 2026-05-13 |
| Detect Path Interception By Creation Of program exe | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.009 | TTP | Windows Persistence Techniques, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | T1574.001 | TTP | Living Off The Land, Windows Defense Evasion Tactics, SolarWinds WHD RCE Post Exploitation | 2026-05-13 |
| Impacket Lateral Movement smbexec CommandLine Parameters | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1021.002, T1021.003, T1047, T1543.003 | TTP | WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Active Directory Lateral Movement, Volt Typhoon, Data Destruction, CISA AA22-277A, Prestige Ransomware, Industroyer2 | 2026-05-13 |
| Process Execution via WMI | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1047 | TTP | Suspicious WMI Use | 2026-05-13 |
| Windows MSExchange Management Mailbox Cmdlet Usage | | T1059.001 | Anomaly | ProxyNotShell, Scattered Spider, ProxyShell, BlackByte Ransomware | 2026-05-13 |
| Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | T1059.001, T1482 | TTP | Active Directory Discovery | 2026-05-13 |
| Windows Registry Delete Task SD | Sysmon EventID 12 | T1053.005, T1685 | Anomaly | Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks | 2026-05-13 |
| Excessive number of taskhost processes | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | Anomaly | Meterpreter | 2026-05-13 |
| Conti Common Exec parameter | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204 | TTP | Compromised Windows Host, Ransomware, Hellcat Ransomware | 2026-05-13 |
| Impacket Lateral Movement WMIExec Commandline Parameters | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1021.002, T1021.003, T1047, T1543.003 | TTP | WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon, Data Destruction, CISA AA22-277A, Storm-0501 Ransomware, Prestige Ransomware, Active Directory Lateral Movement, Industroyer2, Gozi Malware | 2026-05-13 |
| Schtasks used for forcing a reboot | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053.005 | TTP | Windows Persistence Techniques, Scheduled Tasks, Ransomware | 2026-05-13 |
| Windows PowerShell Script Block With Malicious String | Powershell Script Block Logging 4104 | T1059.001 | TTP | Malicious PowerShell | 2026-05-13 |
| Windows Compatibility Telemetry Tampering Through Registry | Sysmon EventID 13 | T1053.005, T1546 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Windows Anonymous Pipe Activity | Sysmon EventID 18, Sysmon EventID 17 | T1559 | Hunting | SnappyBee, Castle RAT, China-Nexus Threat Activity, Salt Typhoon, Interlock Rat | 2026-05-13 |
| Detect Prohibited Applications Spawning cmd exe | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.003 | Hunting | Suspicious Zoom Child Processes, NOBELIUM Group, Suspicious MSHTA Activity, Suspicious Command-Line Executions | 2026-05-13 |
| Windows Powershell Import Applocker Policy | Powershell Script Block Logging 4104 | T1059.001, T1685 | TTP | Azorult | 2026-05-13 |
| Windows Remote Image Load | Sysmon EventID 7 | T1059, T1068, T1129, T1203 | Anomaly | LockBit Ransomware, Ransomware, BlackByte Ransomware | 2026-05-13 |
| Windows Suspicious Named Pipe | Sysmon EventID 18, Sysmon EventID 17 | T1021.002, T1055, T1559 | TTP | Brute Ratel C4, DarkSide Ransomware, Graceful Wipe Out Attack, APT37 Rustonotto and FadeStealer, Cobalt Strike, LockBit Ransomware, Remote Monitoring and Management Software, Trickbot, Tuoni, Meterpreter, BlackByte Ransomware, Gozi Malware, Hellcat Ransomware | 2026-05-13 |
| Windows Powershell Cryptography Namespace | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | VIP Keylogger, XWorm, AsyncRAT | 2026-05-13 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | T1053.005 | Hunting | 0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement | 2026-05-13 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Cisco Isovalent Suspicious Activity, Scheduled Tasks, Gomir, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Industroyer2, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Get-Variable.EXE Execution from WindowsApps Folder | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.008 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | T1027.011, T1059.001, T1105 | TTP | Medusa Ransomware, MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations | 2026-05-13 |
| Windows Scheduled Task Created in a Group Policy Object | Windows Event Log Security 5145 | T1053.005, T1484.001 | TTP | Windows Persistence Techniques, Scheduled Tasks, Living Off The Land | 2026-05-13 |
| Windows Apache Benchmark Binary | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | Anomaly | MetaSploit | 2026-05-13 |
| Windows WinRAR Launched Outside Default Installation Directory | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1047 | Anomaly | BlankGrabber Stealer | 2026-05-13 |
| Linux Suspicious React or Next.js Child Process | Sysmon for Linux EventID 1 | T1059.004, T1190 | TTP | React2Shell | 2026-05-13 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | T1055, T1059.001 | TTP | Data Destruction, Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper | 2026-05-13 |
| Schtasks Run Task On Demand | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1053 | Anomaly | Qakbot, XMRig, Scheduled Tasks, Data Destruction, CISA AA22-257A, Industroyer2, Medusa Ransomware | 2026-05-13 |
| Windows Unsigned DLL Side-Loading In Same Process Path | Sysmon EventID 7 | T1574.001 | TTP | XWorm, SnappyBee, China-Nexus Threat Activity, Salt Typhoon, Malicious Inno Setup Loader, Lokibot, SolarWinds WHD RCE Post Exploitation, Derusbi, DarkGate Malware, PlugX, NailaoLocker Ransomware | 2026-05-13 |
| Windows Potential AppDomainManager Hijack Artifacts Creation | Sysmon EventID 11 | T1574.014 | Anomaly | SesameOp | 2026-05-13 |
| Windows DLL Side-Loading Process Child Of Calc | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.001 | Anomaly | Qakbot, Earth Alux | 2026-05-13 |
| PowerShell Enable PowerShell Remoting | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | Malicious PowerShell | 2026-05-13 |
| Jscript Execution Using Cscript App | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.007 | TTP | FIN7, Remcos | 2026-05-13 |
| Windows Enable PowerShell Web Access | Powershell Script Block Logging 4104 | T1059.001 | TTP | Malicious PowerShell, CISA AA24-241A | 2026-05-13 |
| Log4Shell CVE-2021-44228 Exploitation | | T1059, T1105, T1133, T1190 | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2026-05-13 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path, Linux Auditd Cwd | T1574.006 | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 13 | T1053.005 | Anomaly | Scheduled Tasks, Active Directory Lateral Movement | 2026-05-13 |
| Windows SQLCMD Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.003 | Hunting | SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos | 2026-05-13 |
| Windows Scheduled Task with Suspicious Name | Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4698 | T1053.005 | TTP | Ransomware, APT37 Rustonotto and FadeStealer, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, 0bj3ctivity Stealer, Ryuk Ransomware | 2026-05-13 |
| Linux Docker Shell Execution | Sysmon for Linux EventID 1 | T1059.013 | Anomaly | Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Windows Cmdline Tool Execution From Non-Shell Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.007 | Anomaly | Qakbot, Water Gamayun, Rhysida Ransomware, FIN7, Volt Typhoon, SolarWinds WHD RCE Post Exploitation, CISA AA22-277A, Tuoni, Gh0st RAT, BlankGrabber Stealer, Medusa Ransomware, Gozi Malware, DarkGate Malware, CISA AA23-347A | 2026-05-13 |
| Windows PowerShell Invoke-RestMethod IP Information Collection | Powershell Script Block Logging 4104 | T1016, T1059.001, T1082 | Anomaly | Water Gamayun | 2026-05-13 |
| Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | T1059.001, T1685 | TTP | Data Destruction, Malicious PowerShell, Hermetic Wiper | 2026-05-13 |
| First Time Seen Running Windows Service | Windows Event Log System 7036 | T1569.002 | Anomaly | Orangeworm Attack Group, NOBELIUM Group, Windows Service Abuse | 2026-05-13 |
| Excessive Usage Of SC Service Utility | Sysmon EventID 1 | T1569.002 | Anomaly | Crypto Stealer, Ransomware, Azorult | 2026-05-13 |
| Windows AppX Deployment Package Installation Success | Windows Event Log AppXDeployment-Server 854 | T1204.002 | Anomaly | MSIX Package Abuse | 2026-05-13 |
| Excessive distinct processes from Windows Temp | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059 | Anomaly | Meterpreter | 2026-05-13 |
| Windows Hidden Schedule Task Settings | Windows Event Log Security 4698 | T1053 | TTP | Active Directory Discovery, Compromised Windows Host, Scheduled Tasks, Malicious Inno Setup Loader, Data Destruction, Cactus Ransomware, CISA AA22-257A, Industroyer2, Hellcat Ransomware | 2026-05-13 |
| Windows EFI Volume Mount Attempt Via Mountvol | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204.002, T1542, T1688 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1059.001, T1649 | TTP | Windows Certificate Services, Malicious PowerShell | 2026-05-13 |
| Windows TeamCity Plugin Installed | Sysmon EventID 11 | T1059, T1190, T1505.003 | Anomaly | JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE | 2026-05-13 |
| Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | Cisco Network Visibility Module Flow Data | T1059.005, T1218.005 | Anomaly | BlankGrabber Stealer, Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows User Execution Malicious URL Shortcut File | Sysmon EventID 11 | T1204.002 | Anomaly | XWorm, APT37 Rustonotto and FadeStealer, NjRAT, Chaos Ransomware, Quasar RAT, Snake Keylogger | 2026-05-13 |
| Windows Mustang Panda USB Tool Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1020, T1204.002, T1574.001 | TTP | Compromised Windows Host | 2026-05-13 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | T1053.003 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos | 2026-05-13 |
| Suspicious microsoft workflow compiler rename | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.003, T1127 | Hunting | Graceful Wipe Out Attack, Cobalt Strike, BlackByte Ransomware, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution | 2026-05-13 |
| Windows NorthStar C2 Agent Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204.002, T1547.001, T1608 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows DLL Search Order Hijacking with iscsicpl | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.001 | TTP | Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host | 2026-05-13 |
| Vbscript Execution Using Wscript App | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.005 | TTP | FIN7, Remcos, AsyncRAT | 2026-05-13 |
| Windows Rundll32 Execution With Log.DLL | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | | | | |
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
CISA AA24-241A, Scheduled Tasks, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, Hermetic Wiper, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1127.001
|
Hunting
|
Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, BlackByte Ransomware, Living Off The Land, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.010
T1059.001
|
Anomaly
|
Deobfuscate-Decode Files or Information, Compromised Windows Host
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
CISA AA22-264A, Sandworm Tools, CISA AA22-320A, Data Destruction, Malicious PowerShell, Hermetic Wiper, Scattered Spider, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
BITS Job Persistence
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
Anomaly
|
DHS Report TA18-074A, XWorm, AsyncRAT, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, MuddyWater, Salt Typhoon, Volt Typhoon, 0bj3ctivity Stealer, HAFNIUM Group, DarkCrystal RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Cisco NVM - Installation of Typosquatted Python Package
|
Cisco Network Visibility Module Flow Data
|
T1059
|
TTP
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Qakbot, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Medusa Ransomware
|
2026-05-13
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Malicious PowerShell, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Remote WMI Command Attempt
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Suspicious WMI Use, Graceful Wipe Out Attack, Volt Typhoon, IcedID, Living Off The Land, CISA AA23-347A
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 22, Sysmon EventID 7
|
T1203
|
TTP
|
NOBELIUM Group
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Detect Renamed PSExec
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1569.002
|
Hunting
|
DarkSide Ransomware, DHS Report TA18-074A, Sandworm Tools, China-Nexus Threat Activity, Rhysida Ransomware, VanHelsing Ransomware, Medusa Ransomware, Salt Typhoon, Active Directory Lateral Movement, SamSam Ransomware, Cactus Ransomware, CISA AA22-320A, HAFNIUM Group, BlackByte Ransomware, DarkGate Malware
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Malicious PowerShell, Hellcat Ransomware
|
2026-05-13
|
|
Windows Default Cobalt Strike PowerShell Beacon
|
Powershell Script Block Logging 4104
|
T1059.001
T1204.002
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
T1569.002
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Magic SysRq Key Abuse
|
Linux Auditd Path, Linux Auditd Cwd
|
T1059.004
T1489
T1499
T1529
|
TTP
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Identify Protocol Handlers
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1203
T1218
|
TTP
|
Windows Defense Evasion Tactics, Water Gamayun, Living Off The Land
|
2026-05-13
|
|
Revil Common Exec Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
PowerShell - Connect To Internet With Hidden Window
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
Hunting
|
Log4Shell CVE-2021-44228, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AgentTesla, Data Destruction, Malicious PowerShell, HAFNIUM Group, Hermetic Wiper
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1133, Windows Event Log Defender 1126, Windows Event Log Defender 1131, Windows Event Log Defender 1129
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
SystemBC, Compromised Windows Host, AsyncRAT, Data Destruction, CISA AA22-257A, Industroyer2, Winter Vivern, APT37 Rustonotto and FadeStealer, Remcos, Active Directory Lateral Movement, Medusa Ransomware, PlugX, Salt Typhoon, ValleyRAT, Malicious Inno Setup Loader, Quasar RAT, Ryuk Ransomware, XWorm, Ransomware, China-Nexus Threat Activity, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, 0bj3ctivity Stealer, Prestige Ransomware, IcedID, CISA AA23-347A
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Brute Ratel C4, DarkSide Ransomware, Graceful Wipe Out Attack, APT37 Rustonotto and FadeStealer, Cobalt Strike, Storm-0501 Ransomware, LockBit Ransomware, Remote Monitoring and Management Software, Trickbot, Meterpreter, BlackByte Ransomware, Tuoni, Gozi Malware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Post-Exploitation, Compromised Linux Host, Linux Rootkit, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 11
|
T1059
T1559.001
|
Hunting
|
Remcos
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Seashell Blizzard, Scheduled Tasks, Active Directory Lateral Movement, Medusa Ransomware, Living Off The Land
|
2026-05-13
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
CISA AA22-264A, ProxyNotShell, CISA AA22-277A, BlackByte Ransomware, Scattered Spider, ProxyShell
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability, Compromised Windows Host
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, XWorm, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Windows WMI Process Call Create
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
Hunting
|
Qakbot, Suspicious WMI Use, Volt Typhoon, Cactus Ransomware, IcedID, CISA AA23-347A
|
2026-05-13
|
|
PowerShell Environment Variable Execution
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Compromised Windows Host, Winter Vivern, Windows Persistence Techniques, Scheduled Tasks, Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Ryuk Wake on LAN Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, Ryuk Ransomware
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
CISA AA24-241A, Ransomware, Seashell Blizzard, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters, Cactus Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Compromised Windows Host, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, Trickbot, IcedID, Living Off The Land
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Suspicious Linux Discovery Commands
|
Sysmon for Linux EventID 1
|
T1059.004
|
TTP
|
Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
SamSam Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Anomaly
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
T1105
|
Anomaly
|
Data Destruction, Phemedrone Stealer, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, APT37 Rustonotto and FadeStealer, Winter Vivern, StealC Stealer, HAFNIUM Group, Hermetic Wiper, SolarWinds WHD RCE Post Exploitation, Malicious PowerShell, Cisco Network Visibility Module Analytics, XWorm, Ingress Tool Transfer, NPM Supply Chain Compromise, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Tuoni, IcedID, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Service Execution RemCom
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1569.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
CMD Carry Out String Command Parameter
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Hunting
|
Qakbot, AsyncRAT, ProxyNotShell, Data Destruction, Interlock Rat, Azorult, Winter Vivern, StealC Stealer, Hermetic Wiper, Living Off The Land, PlugX, WhisperGate, Rhysida Ransomware, Crypto Stealer, Chaos Ransomware, NjRAT, Malicious Inno Setup Loader, Quasar RAT, DarkGate Malware, RedLine Stealer, Log4Shell CVE-2021-44228, Warzone RAT, 0bj3ctivity Stealer, IcedID, Gh0st RAT, DarkCrystal RAT, CISA AA23-347A
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows WMI Reconnaissance Class Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
Qakbot, AsyncRAT, AgentTesla, Trickbot, CISA AA22-257A, Azorult, Phemedrone Stealer, Winter Vivern, APT37 Rustonotto and FadeStealer, Remcos, Medusa Ransomware, Living Off The Land, Scattered Spider, PlugX, Sandworm Tools, CISA AA24-241A, Rhysida Ransomware, NjRAT, Salt Typhoon, ValleyRAT, SolarWinds WHD RCE Post Exploitation, Amadey, Quasar RAT, NOBELIUM Group, RedLine Stealer, XWorm, DHS Report TA18-074A, China-Nexus Threat Activity, Windows Persistence Techniques, Scheduled Tasks, MoonPeak, 0bj3ctivity Stealer, Prestige Ransomware, NetSupport RMM Tool Abuse, DarkCrystal RAT, CISA AA23-347A, ShrinkLocker, Lokibot
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
China-Nexus Threat Activity, NjRAT, Warzone RAT, Salt Typhoon, Earth Alux, SolarWinds WHD RCE Post Exploitation, Derusbi
|
2026-05-13
|
|
Script Execution via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Scattered Spider, Suspicious WMI Use
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
T1047
|
Anomaly
|
Qakbot, Water Gamayun
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
T1053.005
|
Hunting
|
SystemBC, Qakbot, AsyncRAT, Data Destruction, CISA AA22-257A, Industroyer2, BlackSuit Ransomware, Winter Vivern, Remcos, PlugX, Sandworm Tools, CISA AA24-241A, ValleyRAT, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Amadey, Windows Persistence Techniques, Scheduled Tasks, Prestige Ransomware, IcedID, DarkCrystal RAT
|
2026-05-13
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Data Destruction, Malicious PowerShell, Hermetic Wiper, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.001
|
TTP
|
Qakbot, Water Gamayun, Compromised Windows Host
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Data Destruction, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Windows WinDBG Spawning AutoIt3
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
TTP
|
DarkGate Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Compromised Windows Host, Snake Malware
|
2026-05-13
|
|
Cisco Isovalent - Pods Running Offensive Tools
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PowerShell Process With Malicious String
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Axios Supply Chain Post Compromise, Winter Vivern, AsyncRAT, VIP Keylogger, AgentTesla, Data Destruction, 0bj3ctivity Stealer, Malicious PowerShell, Hermetic Wiper, Hellcat Ransomware
|
2026-05-13
|
|
Windows PowerShell Script From WindowsApps Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
T1204.002
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
IcedID, DarkSide Ransomware, DHS Report TA18-074A, Sandworm Tools, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, Medusa Ransomware, SamSam Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, CISA AA22-320A, HAFNIUM Group, BlackByte Ransomware, DarkGate Malware
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Water Gamayun, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Cisco Isovalent Suspicious Activity, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
Qakbot, Windows Defense Evasion Tactics, Disabling Security Tools, Sandworm Tools, FIN7, Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Azorult, Microsoft WSUS CVE-2025-59287, Netsh Abuse, CISA AA23-347A
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1127.001
|
TTP
|
Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Windows File Association Modification via Ftype
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
|
Anomaly
|
Windows File Extension and Association Abuse
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.002
|
TTP
|
Living Off The Land, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
Qakbot, Brute Ratel C4, APT37 Rustonotto and FadeStealer, Warzone RAT, AgentTesla, Azorult, Amadey, Remcos, IcedID, Gozi Malware, Spearphishing Attachments
|
2026-05-13
|
|
Remote Process Instantiation via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Suspicious WMI Use, Ransomware, China-Nexus Threat Activity, Salt Typhoon, Void Manticore, Active Directory Lateral Movement, CISA AA23-347A
|
2026-05-13
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Windows Persistence Techniques, Malicious PowerShell
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, CISA AA23-347A
|
2026-05-13
|
|
Windows Process Accessing Windows Recall Directory
|
Windows Event Log Security 4663
|
T1059
T1119
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Brute Ratel C4, SnappyBee, China-Nexus Threat Activity, Crypto Stealer, Windows Persistence Techniques, Salt Typhoon, Active Directory Lateral Movement, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Derusbi, Gh0st RAT, PlugX, CISA AA23-347A, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
IcedID, Axios Supply Chain Post Compromise, XWorm, Winter Vivern, AsyncRAT, APT37 Rustonotto and FadeStealer, NjRAT, MuddyWater, VIP Keylogger, Data Destruction, 0bj3ctivity Stealer, Malicious PowerShell, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Medusa Ransomware, NetSupport RMM Tool Abuse, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery, Winter Vivern
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Data Destruction, Malicious PowerShell, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Qakbot, Windows Defense Evasion Tactics, Malicious Inno Setup Loader, Living Off The Land
|
2026-05-13
|
|
Windows Explorer LNK Exploit Process Launch With Padding
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
TTP
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
T1059.004
|
Anomaly
|
Data Destruction, AwfulShred
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Qakbot, Brute Ratel C4, APT37 Rustonotto and FadeStealer, China-Nexus Threat Activity, Crypto Stealer, Salt Typhoon, Active Directory Lateral Movement, Snake Malware, Clop Ransomware, Derusbi, Gh0st RAT, Flax Typhoon, PlugX, CISA AA23-347A
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 5007, Windows Event Log Defender 1131, Windows Event Log Defender 1122, Windows Event Log Defender 1129
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1569.002
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Nishang PowershellTCPOneLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.001
|
TTP
|
HAFNIUM Group, Cleo File Transfer Software
|
2026-05-13
|
|
Windows PowerShell Script TabExpansion Direct Call
|
Powershell Script Block Logging 4104
|
T1059.001
T1129
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
CHCP Command Execution
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059
|
Anomaly
|
IcedID, Crypto Stealer, Forest Blizzard, Interlock Rat, Quasar RAT, Azorult
|
2026-05-13
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1059.001
T1059.003
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
ESXi Reverse Shell Patterns
|
VMWare ESXi Syslog
|
T1059
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
MCP Prompt Injection
|
MCP Server
|
T1059
|
TTP
|
Suspicious MCP Activities
|
2026-05-13
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1059
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
MCP Filesystem Server Suspicious Extension Write
|
MCP Server
|
T1059
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes newly seen UDP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
| Name | Data Source | ATT&CK Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| AWS Lambda UpdateFunctionCode | AWS CloudTrail | T1204 | Hunting | Suspicious Cloud User Activities | 2026-05-13 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS ECR Container Scanning Findings Low Informational Unknown | AWS CloudTrail DescribeImageScanFindings | T1204.003 | Anomaly | Dev Sec Ops | 2026-05-13 |
| Kubernetes Falco Shell Spawned | Kubernetes Falco | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| Kubernetes Anomalous Outbound Network Activity from Process | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| AWS ECR Container Scanning Findings Medium | AWS CloudTrail DescribeImageScanFindings | T1204.003 | Anomaly | Dev Sec Ops | 2026-05-13 |
| O365 SharePoint Malware Detection | Office 365 Universal Audit Log | T1204.002 | TTP | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud | 2026-05-13 |
| Kubernetes Previously Unseen Process | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes newly seen TCP edge | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Anomalous Inbound to Outbound Network IO Ratio | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| AWS ECR Container Upload Unknown User | AWS CloudTrail PutImage | T1204.003 | Anomaly | Dev Sec Ops | 2026-05-13 |
| O365 Threat Intelligence Suspicious File Detected | Office 365 Universal Audit Log | T1204.002 | TTP | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud | 2026-05-13 |
| Kubernetes Shell Running on Worker Node | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Process with Resource Ratio Anomalies | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Anomalous Inbound Outbound Network IO | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Node Port Creation | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| Kubernetes Previously Unseen Container Image Name | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Kubernetes Anomalous Inbound Network Activity from Process | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Pod With Host Network Attachment | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| Kubernetes Pod Created in Default Namespace | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| Kubernetes DaemonSet Deployed | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| AWS ECR Container Scanning Findings High | AWS CloudTrail DescribeImageScanFindings | T1204.003 | TTP | Dev Sec Ops | 2026-05-13 |
| Kubernetes Process with Anomalous Resource Utilisation | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Anomalous Traffic on Network Edge | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Process Running From New Path | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2026-05-13 |
| Kubernetes Unauthorized Access | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2026-05-13 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | T1021.007, T1072, T1484, T1685, T1686 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Risk Rule for Dev Sec Ops by Repository | | T1204.003 | Correlation | Dev Sec Ops | 2026-05-13 |
| Cisco Secure Firewall - Blocked Connection | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Privileged Command Execution via HTTP | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1505.003 | Anomaly | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | T1021, T1055, T1059.001, T1105, T1219, T1571 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Repeated Blocked Connections | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Malware File Downloaded | Cisco Secure Firewall Threat Defense File Event | T1105, T1203 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Suspicious Process With Discord DNS Query | Sysmon EventID 22 | T1059.005 | Anomaly | WhisperGate, PXA Stealer, Cactus Ransomware, Data Destruction, BlankGrabber Stealer | 2026-05-13 |
| Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1203 | TTP | Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - High Priority Intrusion Classification | Cisco Secure Firewall Threat Defense Intrusion Event | T1003, T1071, T1078, T1190, T1203 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Suspicious Process DNS Query Known Abuse Web Services | Sysmon EventID 22 | T1059.005 | TTP | WhisperGate, Braodo Stealer, Meduza Stealer, Phemedrone Stealer, PXA Stealer, Malicious Inno Setup Loader, Data Destruction, Cactus Ransomware, Remcos, Snake Keylogger, BlankGrabber Stealer, RedLine Stealer | 2026-05-13 |
| Cisco Secure Firewall - Wget or Curl Download | Cisco Secure Firewall Threat Defense Connection Event | T1053.003, T1059, T1071.001, T1105 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Windows DNS SIGRed via Zeek | | T1203 | TTP | Windows DNS SIGRed CVE-2020-1350 | 2026-05-13 |
| Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1003.001, T1059.001, T1190, T1210 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Binary File Type Download | Cisco Secure Firewall Threat Defense File Event | T1059, T1203 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Possibly Compromised Host | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1203, T1587.001 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1027, T1190, T1204, T1210 | TTP | Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - High Volume of Intrusion Events Per Host | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1071, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Windows DNS SIGRed via Splunk Stream | | T1203 | TTP | Windows DNS SIGRed CVE-2020-1350 | 2026-05-13 |
| Detect Outbound LDAP Traffic | Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event | T1059, T1190 | Hunting | Cisco Secure Access Analytics, Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |