Execution Detections

Name Data Source Technique Type Analytic Story Date
Windows PowerShell Invoke-Sqlcmd Execution Powershell Script Block Logging 4104 T1059.001 T1059.003 Hunting SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Linux Auditd Service Restarted Linux Auditd Proctitle T1053.006 Anomaly Scheduled Tasks, Linux Living Off The Land, Data Destruction, AwfulShred, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Gomir 2026-05-13
MSBuild Suspicious Spawned By Script Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1127.001 TTP Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
PowerShell 4104 Hunting Powershell Script Block Logging 4104 T1059.001 Hunting Hermetic Wiper, Interlock Ransomware, GhostRedirector IIS Module and Rungan Backdoor, 0bj3ctivity Stealer, Water Gamayun, PHP-CGI RCE Attack on Japanese Organizations, CISA AA23-347A, Axios Supply Chain Post Compromise, CISA AA24-241A, Malicious PowerShell, Cactus Ransomware, SystemBC, Scattered Spider, MuddyWater, Salt Typhoon, Flax Typhoon, Lumma Stealer, Rhysida Ransomware, Phantom Stealer, Braodo Stealer, DarkGate Malware, Data Destruction, Medusa Ransomware, China-Nexus Threat Activity, Cleo File Transfer Software, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, Salat Stealer, APT37 Rustonotto and FadeStealer, XWorm 2026-06-25
Windows WMI Process And Service List CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.011 TTP Living Off The Land, Windows Service Abuse, Windows Persistence Techniques 2026-05-13
Windows PowerShell WMI Win32 ScheduledJob Powershell Script Block Logging 4104 T1059.001 TTP Active Directory Lateral Movement 2026-05-13
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 T1574.006 TTP China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Linux Persistence Techniques, Salt Typhoon, Linux Privilege Escalation 2026-05-13
Windows TeamCity Payload Execution from Temp Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 T1190 T1505.003 TTP JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE 2026-05-13
PowerShell Invoke WmiExec Usage Powershell Script Block Logging 4104 T1047 TTP Suspicious WMI Use, Scattered Lapsus$ Hunters 2026-05-13
Detect Empire with PowerShell Script Block Logging Powershell Script Block Logging 4104 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Hellcat Ransomware 2026-05-13
Windows Crowdstrike RTR Script Execution CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 Anomaly Living Off The Land, Suspicious MSHTA Activity, Cobalt Strike, Malicious PowerShell 2026-05-13
Powershell Load Module in Meterpreter Powershell Script Block Logging 4104 T1059.001 TTP MetaSploit 2026-05-13
Windows Explorer.exe Spawning PowerShell or Cmd Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1204.002 Hunting ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Windows Binary Execution from an Archive CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 Anomaly Spearphishing Attachments 2026-05-13
Execute Javascript With Jscript COM CLSID CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.005 TTP Ransomware 2026-05-13
Suspicious msbuild path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1127.001 TTP Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, BlackByte Ransomware 2026-05-13
Remote Process Instantiation via WMI and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 TTP Active Directory Lateral Movement, Compromised Windows Host 2026-05-13
Powershell Processing Stream Of Data Powershell Script Block Logging 4104 T1059.001 Anomaly Braodo Stealer, Hermetic Wiper, Hellcat Ransomware, AsyncRAT, Data Destruction, IcedID, Malicious PowerShell, Salat Stealer, MoonPeak, Medusa Ransomware, XWorm, PXA Stealer, MuddyWater 2026-06-29
Recon Using WMI Class Powershell Script Block Logging 4104 T1059.001 T1592 Anomaly Malicious Inno Setup Loader, LockBit Ransomware, Hermetic Wiper, Axios Supply Chain Post Compromise, AsyncRAT, Data Destruction, Industroyer2, Malicious PowerShell, BlankGrabber Stealer, Qakbot, VIP Keylogger, MoonPeak, Scattered Spider, Quasar RAT 2026-05-13
Powershell Using memory As Backing Store Powershell Script Block Logging 4104 T1059.001 TTP Hermetic Wiper, Data Destruction, IcedID, Malicious PowerShell, Salat Stealer, MoonPeak, Medusa Ransomware 2026-06-08
Windows Service Created with Suspicious Service Name Windows Event Log System 7045 T1569.002 Anomaly Active Directory Lateral Movement, Tuoni, Snake Malware, Qakbot, PlugX, Brute Ratel C4, Gh0st RAT, CISA AA23-347A, Flax Typhoon, Clop Ransomware 2026-05-13
Malicious Powershell Executed As A Service Windows Event Log System 7045 T1569.002 TTP Rhysida Ransomware, Malicious PowerShell, Compromised Windows Host 2026-05-13
CMD Echo Pipe - Escalation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 T1543.003 TTP Graceful Wipe Out Attack, Cobalt Strike, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Cisco Isovalent - Non Allowlisted Image Use Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows SqlWriter SQLDumper DLL Sideload Sysmon EventID 7 T1574.001 TTP APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows GrimResource - MMC Process Accessing APDS DLL Windows Event Log Security 4663 T1059.007 T1218.014 TTP Compromised Windows Host 2026-05-13
Suspicious Scheduled Task from Public Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 Anomaly Quasar RAT, CISA AA23-347A, Windows Persistence Techniques, Scheduled Tasks, Living Off The Land, CISA AA24-241A, MoonPeak, Ransomware, Scattered Spider, Crypto Stealer, DarkCrystal RAT, Salt Typhoon, Ryuk Ransomware, Lokibot, Medusa Ransomware, Azorult, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, China-Nexus Threat Activity, NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer, XWorm 2026-05-13
Powershell Execute COM Object Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Malicious PowerShell, Hermetic Wiper, Ransomware, Data Destruction 2026-05-13
Windows Command and Scripting Interpreter Path Traversal Exec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, Graceful Wipe Out Attack, Compromised Windows Host, Industroyer2, Data Destruction, Storm-0501 Ransomware, WhisperGate, CISA AA22-277A, Prestige Ransomware, Volt Typhoon, Gozi Malware 2026-05-13
Suspicious microsoft workflow compiler usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1127 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution 2026-05-13
Windows MSIX Package Interaction Windows Event Log AppXPackaging 171 T1204.002 Hunting MSIX Package Abuse 2026-05-13
Linux Auditd Preload Hijack Library Calls Linux Auditd Execve T1574.006 TTP China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Salt Typhoon, Linux Privilege Escalation 2026-05-13
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 T1547 T1574.001 Anomaly China-Nexus Threat Activity, Derusbi, XWorm, Earth Alux, Salt Typhoon, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Cisco Isovalent - Cron Job Creation Cisco Isovalent Process Exec T1053.003 T1053.007 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Linux Auditd At Application Execution Linux Auditd Syscall T1053.002 Anomaly Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Cisco NVM - Susp Script From Archive Triggering Network Activity Cisco Network Visibility Module Flow Data T1059.005 T1204.002 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Scheduled Task with Highest Privileges CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, RedLine Stealer, Compromised Windows Host, NetSupport RMM Tool Abuse, AsyncRAT, XWorm, Quasar RAT, Castle RAT, CISA AA23-347A 2026-05-13
Short Lived Scheduled Task Windows Event Log Security 4698, Windows Event Log Security 4699 T1053.005 TTP Scheduled Tasks, Active Directory Lateral Movement, Compromised Windows Host, CISA AA22-257A, CISA AA23-347A 2026-05-13
Windows Compatibility Telemetry Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Linux Service File Created In Systemd Directory Sysmon for Linux EventID 11 T1053.006 Anomaly Scheduled Tasks, China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Gomir 2026-05-13
Windows AutoIt3 Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 TTP DarkGate Malware, Handala Wiper, Void Manticore, Crypto Stealer 2026-05-13
Windows PowerShell FakeCAPTCHA Clipboard Execution CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1059.003 T1204.001 TTP Interlock Ransomware, NetSupport RMM Tool Abuse, Cisco Network Visibility Module Analytics, Scattered Lapsus$ Hunters, Fake CAPTCHA Campaigns 2026-05-13
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Scheduled Tasks, Active Directory Lateral Movement, RedLine Stealer, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Quasar RAT, Phemedrone Stealer, Prestige Ransomware 2026-05-13
Windows Suspicious VMWare Tools Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 TTP China-Nexus Threat Activity, ESXi Post Compromise 2026-05-13
Windows AppX Deployment Full Trust Package Installation Windows Event Log AppXDeployment-Server 400 T1204.002 T1553.005 Hunting MSIX Package Abuse 2026-05-13
Windows Powershell RemoteSigned File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 Anomaly Amadey 2026-05-13
Detect Rare Executables CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204 Anomaly Rhysida Ransomware, China-Nexus Threat Activity, SnappyBee, Crypto Stealer, Salt Typhoon, Unusual Processes 2026-05-13
MacOS AMOS Stealer - Virtual Machine Check Activity Osquery Results T1059.002 Anomaly AMOS Stealer, Hellcat Ransomware 2026-05-13
Linux Service Started Or Enabled Sysmon for Linux EventID 1 T1053.006 Anomaly Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Gomir 2026-05-13
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux Auditd Cwd, Linux Auditd Path T1053.003 Hunting Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, XorDDos, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Linux Edit Cron Table Parameter Sysmon for Linux EventID 1 T1053.003 Hunting Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Windows PowerShell ScheduleTask Powershell Script Block Logging 4104 T1053.005 T1059.001 Anomaly Scheduled Tasks, Scattered Spider 2026-05-13
BITSAdmin Download File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 T1197 TTP BITS Jobs, Hellcat Ransomware, Living Off The Land, Ingress Tool Transfer, GhostRedirector IIS Module and Rungan Backdoor, Scattered Spider, DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Gozi Malware, Flax Typhoon 2026-05-13
Windows SSH Proxy Command CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1105 T1572 Anomaly Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware 2026-05-13
Svchost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement, Hellcat Ransomware 2026-05-13
Linux Possible Append Command To At Allow Config File Sysmon for Linux EventID 1 T1053.002 Anomaly Scheduled Tasks, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Command and Scripting Interpreter Hunting Path Traversal CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 Hunting Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2026-05-13
Linux Possible Append Cronjob Entry on Existing Cronjob File Sysmon for Linux EventID 1 T1053.003 Hunting Scheduled Tasks, Linux Living Off The Land, XorDDos, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Suspicious React or Next.js Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1059.003 T1190 TTP React2Shell 2026-05-13
Suspicious Process Executed From Container File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.008 T1204.002 TTP Snake Keylogger, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Water Gamayun, APT37 Rustonotto and FadeStealer, Remcos, Unusual Processes 2026-05-13
Clop Common Exec Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204 TTP Compromised Windows Host, Clop Ransomware 2026-05-13
WinEvent Scheduled Task Created to Spawn Shell Windows Event Log Security 4698 T1053.005 TTP China-Nexus Threat Activity, Scheduled Tasks, Compromised Windows Host, Ryuk Ransomware, 0bj3ctivity Stealer, Windows Error Reporting Service Elevation of Privilege Vulnerability, CISA AA22-257A, Medusa Ransomware, SystemBC, Ransomware, Castle RAT, Salt Typhoon, Windows Persistence Techniques, Winter Vivern 2026-05-13
PowerShell Start-BitsTransfer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1197 TTP BITS Jobs, Gozi Malware 2026-05-13
Windows Scheduled Task Created Via XML CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 Anomaly Malicious Inno Setup Loader, Scheduled Tasks, Lokibot, MoonPeak, CISA AA23-347A, Winter Vivern 2026-05-13
Set Default PowerShell Execution Policy To Unrestricted or Bypass Sysmon EventID 13 T1059.001 TTP SolarWinds WHD RCE Post Exploitation, Hermetic Wiper, DarkGate Malware, HAFNIUM Group, Data Destruction, Malicious PowerShell, Credential Dumping, SystemBC 2026-05-13
Single Letter Process On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 TTP Compromised Windows Host, DHS Report TA18-074A 2026-05-13
Windows Executable in Loaded Modules Sysmon EventID 7 T1129 TTP NjRAT, Lokibot 2026-05-13
Windows Level RMM Watchdog Task Created Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Linux Auditd Edit Cron Table Parameter Linux Auditd Syscall T1053.003 Anomaly Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Linux Service Restarted Sysmon for Linux EventID 1 T1053.006 Anomaly Scheduled Tasks, Linux Living Off The Land, Data Destruction, AwfulShred, Linux Persistence Techniques, Linux Privilege Escalation, Gomir 2026-05-13
Cisco NVM - Curl Execution With Insecure Flags Cisco Network Visibility Module Flow Data T1197 Anomaly Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, PromptLock 2026-05-13
Windows Cobalt Strike PowerShell Loader Powershell Script Block Logging 4104 T1059.001 T1608 TTP Cobalt Strike 2026-05-13
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 TTP Compromised Windows Host, DarkCrystal RAT 2026-05-13
Windows Shell Process from CrushFTP CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1059.003 T1190 T1505 TTP CrushFTP Vulnerabilities 2026-05-13
Windows Scheduled Task DLL Module Loaded Sysmon EventID 7 T1053 TTP ValleyRAT 2026-05-13
Powershell Defender Threat Actions Set to Allow CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 TTP Salat Stealer 2026-05-12
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Windows Event Log Security 4698 T1053 TTP ValleyRAT, Water Gamayun 2026-05-13
Windows Process Execution From RDP Share CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux Decode Base64 to Shell Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1027 T1059.004 TTP Linux Living Off The Land, Cisco Isovalent Suspicious Activity 2026-05-13
Windows Known Abused DLL Created Sysmon EventID 11 T1574.001 Anomaly Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Scheduled Task with Suspicious Command Windows Event Log Security 4702, Windows Event Log Security 4698, Windows Event Log Security 4700 T1053.005 TTP SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ryuk Ransomware, Seashell Blizzard, Ransomware, APT37 Rustonotto and FadeStealer, Quasar RAT, Windows Persistence Techniques 2026-05-13
Windows Defender ASR Audit Events Windows Event Log Defender 1134, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1132, Windows Event Log Defender 1122 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1218 T1553.005 TTP MSIX Package Abuse 2026-05-13
Windows Service Create SliverC2 Windows Event Log System 7045 T1569.002 TTP Compromised Windows Host, BishopFox Sliver Adversary Emulation Framework, Hellcat Ransomware 2026-05-13
Drop IcedID License dat Sysmon EventID 11 T1204.002 Hunting IcedID 2026-05-13
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Windows DLL Side-Loading In Calc Sysmon EventID 7 T1574.001 TTP Earth Alux, Qakbot 2026-05-13
Wermgr Process Spawned CMD Or Powershell Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 TTP Trickbot, Qakbot 2026-05-13
Windows XLL File Creation Outside of Typical Location Sysmon EventID 11 T1059 T1129 Anomaly Spearphishing Attachments 2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser Cisco Network Visibility Module Flow Data T1059 T1105 TTP Cisco Network Visibility Module Analytics, BlankGrabber Stealer 2026-05-13
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574 Anomaly Windows Persistence Techniques 2026-05-13
Windows Developer-Signed MSIX Package Installation Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 Anomaly MSIX Package Abuse 2026-05-13
MacOS LOLbin Osquery Results T1059.004 TTP Living Off The Land, Axios Supply Chain Post Compromise, Hellcat Ransomware 2026-05-13
Detect Path Interception By Creation Of program exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.009 TTP Scattered Lapsus$ Hunters, Windows Persistence Techniques 2026-05-13
Windows Known Abused DLL Loaded Suspiciously Sysmon EventID 7 T1574.001 TTP Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics 2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, Graceful Wipe Out Attack, Compromised Windows Host, Industroyer2, Data Destruction, WhisperGate, CISA AA22-277A, Prestige Ransomware, Volt Typhoon 2026-05-13
Process Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 TTP Suspicious WMI Use 2026-05-13
Windows MSExchange Management Mailbox Cmdlet Usage T1059.001 Anomaly ProxyShell, ProxyNotShell, Scattered Spider, BlackByte Ransomware 2026-05-13
Get-ForestTrust with PowerShell Script Block Powershell Script Block Logging 4104 T1059.001 T1482 TTP Active Directory Discovery 2026-05-13
Windows Registry Delete Task SD Sysmon EventID 12 T1053.005 T1685 Anomaly Windows Registry Abuse, Scheduled Tasks, Windows Persistence Techniques 2026-05-13
Excessive number of taskhost processes CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 Anomaly Meterpreter 2026-05-13
Conti Common Exec parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204 TTP Ransomware, Compromised Windows Host, Hellcat Ransomware 2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, Graceful Wipe Out Attack, Compromised Windows Host, Industroyer2, Data Destruction, Storm-0501 Ransomware, WhisperGate, CISA AA22-277A, Prestige Ransomware, Volt Typhoon, Gozi Malware 2026-05-13
Schtasks used for forcing a reboot CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Scheduled Tasks, Ransomware, Windows Persistence Techniques 2026-05-13
Windows PowerShell Script Block With Malicious String Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell 2026-05-13
Windows Compatibility Telemetry Tampering Through Registry Sysmon EventID 13 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Windows Anonymous Pipe Activity Sysmon EventID 18, Sysmon EventID 17 T1559 Hunting China-Nexus Threat Activity, SnappyBee, Castle RAT, Salt Typhoon, Interlock Rat 2026-05-13
Detect Prohibited Applications Spawning cmd exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 Hunting Suspicious MSHTA Activity, Suspicious Command-Line Executions, Suspicious Zoom Child Processes, NOBELIUM Group 2026-05-13
Windows Powershell Import Applocker Policy Powershell Script Block Logging 4104 T1059.001 T1685 Anomaly Azorult 2026-06-29
Windows Remote Image Load Sysmon EventID 7 T1059 T1068 T1129 T1203 Anomaly LockBit Ransomware, Ransomware, BlackByte Ransomware 2026-05-13
Windows Suspicious Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 TTP Graceful Wipe Out Attack, LockBit Ransomware, Tuoni, Hellcat Ransomware, BlackByte Ransomware, Remote Monitoring and Management Software, Trickbot, Cobalt Strike, APT37 Rustonotto and FadeStealer, Brute Ratel C4, DarkSide Ransomware, Gozi Malware, Meterpreter 2026-05-13
Windows Powershell Cryptography Namespace Powershell Script Block Logging 4104 T1059.001 Anomaly AsyncRAT, Phantom Stealer, VIP Keylogger, XWorm 2026-06-25
Randomly Generated Scheduled Task Name Windows Event Log Security 4698 T1053.005 Hunting CISA AA22-257A, Scheduled Tasks, Active Directory Lateral Movement, 0bj3ctivity Stealer 2026-05-13
Linux Adding Crontab Using List Parameter Sysmon for Linux EventID 1 T1053.003 Hunting Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Industroyer2, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Gomir 2026-05-13
Windows Get-Variable.EXE Execution from WindowsApps Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.008 Anomaly Windows Persistence Techniques 2026-05-13
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP MoonPeak, Medusa Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Malicious PowerShell 2026-05-13
Windows Scheduled Task Created in a Group Policy Object Windows Event Log Security 5145 T1053.005 T1484.001 TTP Living Off The Land, Scheduled Tasks, Windows Persistence Techniques 2026-05-13
Windows Apache Benchmark Binary CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 Anomaly MetaSploit 2026-05-13
Windows WinRAR Launched Outside Default Installation Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 Anomaly BlankGrabber Stealer 2026-05-13
Linux Suspicious React or Next.js Child Process Sysmon for Linux EventID 1 T1059.004 T1190 TTP React2Shell 2026-05-13
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 T1055 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Hellcat Ransomware 2026-05-13
Schtasks Run Task On Demand CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053 Anomaly Scheduled Tasks, Industroyer2, Data Destruction, Qakbot, CISA AA22-257A, Medusa Ransomware, XMRig 2026-05-13
Windows Unsigned DLL Side-Loading In Same Process Path Sysmon EventID 7 T1574.001 TTP China-Nexus Threat Activity, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Lokibot, Salt Typhoon, PlugX, SnappyBee, NailaoLocker Ransomware, XWorm, Derusbi 2026-05-13
Windows Potential AppDomainManager Hijack Artifacts Creation Sysmon EventID 11 T1574.014 Anomaly SesameOp 2026-05-13
Windows DLL Side-Loading Process Child Of Calc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.001 Anomaly Earth Alux, Qakbot 2026-05-13
PowerShell Enable PowerShell Remoting Powershell Script Block Logging 4104 T1059.001 Anomaly Malicious PowerShell 2026-05-13
Jscript Execution Using Cscript App CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.007 TTP Remcos, FIN7 2026-05-13
Windows Enable PowerShell Web Access Powershell Script Block Logging 4104 T1059.001 TTP CISA AA24-241A, Malicious PowerShell 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
Linux Auditd Preload Hijack Via Preload File Linux Auditd Cwd, Linux Auditd Path T1574.006 TTP VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Enable Win32 ScheduledJob via Registry Sysmon EventID 13 T1053.005 Anomaly Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows SQLCMD Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 Hunting SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Linux Possible Cronjob Modification With Editor Sysmon for Linux EventID 1 T1053.003 Hunting Scheduled Tasks, Linux Living Off The Land, XorDDos, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Scheduled Task with Suspicious Name Windows Event Log Security 4702, Windows Event Log Security 4698, Windows Event Log Security 4700 T1053.005 TTP Scheduled Tasks, Ryuk Ransomware, 0bj3ctivity Stealer, Ransomware, APT37 Rustonotto and FadeStealer, Castle RAT, Windows Persistence Techniques 2026-05-13
Linux Docker Shell Execution Sysmon for Linux EventID 1 T1059.013 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Windows Cmdline Tool Execution From Non-Shell Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.007 Anomaly Rhysida Ransomware, SolarWinds WHD RCE Post Exploitation, Tuoni, DarkGate Malware, BlankGrabber Stealer, Qakbot, Medusa Ransomware, Volt Typhoon, Water Gamayun, CISA AA22-277A, Gh0st RAT, CISA AA23-347A, Gozi Malware, FIN7 2026-05-13
Windows PowerShell Invoke-RestMethod IP Information Collection Powershell Script Block Logging 4104 T1016 T1059.001 T1082 Anomaly Water Gamayun 2026-05-13
Unloading AMSI via Reflection Powershell Script Block Logging 4104 T1059.001 T1685 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2026-05-13
First Time Seen Running Windows Service Windows Event Log System 7036 T1569.002 Anomaly Orangeworm Attack Group, Windows Service Abuse, NOBELIUM Group 2026-05-13
Excessive Usage Of SC Service Utility Sysmon EventID 1 T1569.002 Anomaly Ransomware, Azorult, Crypto Stealer 2026-05-13
Windows AppX Deployment Package Installation Success Windows Event Log AppXDeployment-Server 854 T1204.002 Anomaly MSIX Package Abuse 2026-05-13
Excessive distinct processes from Windows Temp CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 Anomaly Meterpreter 2026-05-13
Windows Hidden Schedule Task Settings Windows Event Log Security 4698 T1053 TTP Malicious Inno Setup Loader, Scheduled Tasks, Compromised Windows Host, Hellcat Ransomware, Data Destruction, Industroyer2, Active Directory Discovery, CISA AA22-257A, Cactus Ransomware 2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1542 T1688 Anomaly Compromised Windows Host 2026-05-13
Detect Certify With PowerShell Script Block Logging Powershell Script Block Logging 4104 T1059.001 T1649 TTP Malicious PowerShell, Windows Certificate Services 2026-05-13
Windows TeamCity Plugin Installed Sysmon EventID 11 T1059 T1190 T1505.003 Anomaly JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE 2026-05-13
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI Cisco Network Visibility Module Flow Data T1059.005 T1218.005 Anomaly Cisco Network Visibility Module Analytics, BlankGrabber Stealer 2026-05-13
Windows User Execution Malicious URL Shortcut File Sysmon EventID 11 T1204.002 Anomaly Snake Keylogger, Chaos Ransomware, APT37 Rustonotto and FadeStealer, XWorm, Quasar RAT, NjRAT 2026-05-13
Windows Mustang Panda USB Tool Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1020 T1204.002 T1574.001 TTP Compromised Windows Host 2026-05-13
Linux Add Files In Known Crontab Directories Sysmon for Linux EventID 11 T1053.003 Anomaly Scheduled Tasks, Linux Living Off The Land, XorDDos, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Suspicious microsoft workflow compiler rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1127 Hunting Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Living Off The Land, Trusted Developer Utilities Proxy Execution, Cobalt Strike, BlackByte Ransomware 2026-05-13
Windows NorthStar C2 Agent Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1547.001 T1608 TTP Compromised Windows Host 2026-05-13
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.001 TTP Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Vbscript Execution Using Wscript App CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.005 TTP AsyncRAT, Remcos, FIN7 2026-05-13
Windows Rundll32 Execution With Log.DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
GitHub Workflow File Creation or Modification Sysmon EventID 11, Sysmon for Linux EventID 11 T1195 T1554 T1574.006 Hunting NPM Supply Chain Compromise 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Scheduled Tasks, Active Directory Lateral Movement, Hermetic Wiper, Data Destruction, CISA AA24-241A, Malicious PowerShell, Microsoft WSUS CVE-2025-59287 2026-05-13
Suspicious MSBuild Rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1127.001 Hunting Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, BlackByte Ransomware 2026-05-13
Windows PowerShell Process Implementing Manual Base64 Decoder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1027.010 T1059.001 Anomaly Deobfuscate-Decode Files or Information, Compromised Windows Host 2026-05-13
Detect Mimikatz With PowerShell Script Block Logging Powershell Script Block Logging 4104 T1003 T1059.001 TTP Hermetic Wiper, Sandworm Tools, Hellcat Ransomware, Data Destruction, Malicious PowerShell, CISA AA22-320A, CISA AA22-264A, Scattered Spider, CISA AA23-347A 2026-05-13
BITS Job Persistence CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1197 TTP Living Off The Land, BITS Jobs 2026-05-13
Malicious PowerShell Process - Execution Policy Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 Anomaly China-Nexus Threat Activity, DHS Report TA18-074A, AsyncRAT, HAFNIUM Group, BlankGrabber Stealer, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, XWorm, DarkCrystal RAT, MuddyWater, Salt Typhoon, Volt Typhoon 2026-05-13
Cisco NVM - Installation of Typosquatted Python Package Cisco Network Visibility Module Flow Data T1059 TTP Cisco Network Visibility Module Analytics 2026-05-13
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Qakbot, Medusa Ransomware, Castle RAT, Windows Persistence Techniques 2026-05-13
PowerShell Invoke CIMMethod CIMSession Powershell Script Block Logging 4104 T1047 Anomaly Active Directory Lateral Movement, Scattered Lapsus$ Hunters, Malicious PowerShell 2026-05-13
Remote WMI Command Attempt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 TTP Graceful Wipe Out Attack, Living Off The Land, IcedID, CISA AA23-347A, Suspicious WMI Use, Volt Typhoon 2026-05-13
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1072 Anomaly Emotet Malware DHS Report TA18-201A 2026-05-13
Sunburst Correlation DLL and Network Event Sysmon EventID 7, Sysmon EventID 22 T1203 TTP NOBELIUM Group 2026-05-13
Cisco NVM - Suspicious Download From File Sharing Website Cisco Network Visibility Module Flow Data T1197 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer 2026-05-13
Detect Renamed PSExec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1569.002 Hunting VanHelsing Ransomware, China-Nexus Threat Activity, Active Directory Lateral Movement, Rhysida Ransomware, DHS Report TA18-074A, Sandworm Tools, DarkGate Malware, SamSam Ransomware, HAFNIUM Group, CISA AA22-320A, Medusa Ransomware, Cactus Ransomware, DarkSide Ransomware, BlackByte Ransomware, Salt Typhoon 2026-05-13
PowerShell Script Block With URL Chain Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell, Hellcat Ransomware 2026-05-13
Windows Default Cobalt Strike PowerShell Beacon Powershell Script Block Logging 4104 T1059.001 T1204.002 TTP Cobalt Strike 2026-05-13
Windows PowerShell Get CIMInstance Remote Computer Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement 2026-05-13
Linux Auditd Service Started Linux Auditd Proctitle T1569.002 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Linux Magic SysRq Key Abuse Linux Auditd Cwd, Linux Auditd Path T1059.004 T1489 T1499 T1529 TTP Compromised Linux Host 2026-05-13
Windows Identify Protocol Handlers CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 Hunting Living Off The Land 2026-05-13
Windows SQL Server Extended Procedure DLL Loading Hunt Windows Event Log Application 8128 T1059.009 T1505.001 Hunting SQL Server Abuse 2026-05-13
Windows MSC EvilTwin Directory Path Manipulation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.005 T1203 T1218 TTP Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics 2026-05-13
Revil Common Exec Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204 TTP Ransomware, Revil Ransomware 2026-05-13
GetLocalUser with PowerShell Script Block Powershell Script Block Logging 4104 T1059.001 T1087.001 Hunting Malicious PowerShell, Active Directory Discovery 2026-05-13
Windows Universal Data Link File Creation Sysmon EventID 11 T1204.002 T1566.001 Anomaly Spearphishing Attachments 2026-05-13
Windows Defender ASR Block Events Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1121 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2026-05-13
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 T1053.005 TTP ValleyRAT, 0bj3ctivity Stealer, Quasar RAT, CISA AA23-347A, Windows Persistence Techniques, Winter Vivern, Scheduled Tasks, AsyncRAT, Industroyer2, IcedID, SystemBC, Ransomware, Castle RAT, Salt Typhoon, Active Directory Lateral Movement, Compromised Windows Host, Ryuk Ransomware, Data Destruction, Medusa Ransomware, Remcos, China-Nexus Threat Activity, Malicious Inno Setup Loader, CISA AA22-257A, PlugX, APT37 Rustonotto and FadeStealer, XWorm, Prestige Ransomware 2026-05-13
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 T1059 TTP Windows Persistence Techniques 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 TTP Graceful Wipe Out Attack, LockBit Ransomware, Tuoni, Hellcat Ransomware, BlackByte Ransomware, Remote Monitoring and Management Software, Trickbot, Cobalt Strike, APT37 Rustonotto and FadeStealer, Brute Ratel C4, DarkSide Ransomware, Storm-0501 Ransomware, Gozi Malware, Meterpreter 2026-05-13
Windows Suspicious QEMU Execution Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Rootkit, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Compromised Linux Host, Linux Post-Exploitation, Linux Privilege Escalation 2026-05-13
Process Writing DynamicWrapperX Sysmon EventID 11 T1059 T1559.001 Hunting Remcos 2026-05-13
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Scheduled Tasks, Active Directory Lateral Movement, Living Off The Land, Seashell Blizzard, Medusa Ransomware 2026-05-13
Exchange PowerShell Module Usage Powershell Script Block Logging 4104 T1059.001 TTP ProxyNotShell, ProxyShell, CISA AA22-264A, CISA AA22-277A, BlackByte Ransomware, Scattered Spider 2026-05-13
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 T1133 T1190 TTP PaperCut MF NG Vulnerability, Compromised Windows Host 2026-05-13
Windows Hijack Execution Flow Version Dll Side Load Sysmon EventID 7 T1574.001 Anomaly SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, XWorm, Brute Ratel C4 2026-05-13
PowerShell PInvoke Process Injection API Chain Powershell Script Block Logging 4104 T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620 TTP Phantom Stealer, VIP Keylogger 2026-06-25
Windows WMI Process Call Create CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 Hunting IcedID, CISA AA23-347A, Qakbot, Suspicious WMI Use, Cactus Ransomware, Volt Typhoon 2026-05-13
PowerShell Environment Variable Execution Powershell Script Block Logging 4104 T1059.001 Anomaly VIP Keylogger 2026-06-29
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Compromised Windows Host, Hellcat Ransomware, Living Off The Land, Windows Persistence Techniques, Winter Vivern 2026-05-13
Ryuk Wake on LAN Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 TTP Ryuk Ransomware, Compromised Windows Host, Hellcat Ransomware 2026-05-13
Windows RMM Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 Anomaly Interlock Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, CISA AA24-241A, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Seashell Blizzard, Cactus Ransomware, Ransomware, Scattered Spider, Command And Control, Gozi Malware 2026-05-13
Windows TinyCC Shellcode Execution Sysmon EventID 1, Windows Event Log Security 4688 T1027 T1036 T1059.003 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Compromised Windows Host, Living Off The Land, Trickbot, IcedID, Castle RAT, Windows Persistence Techniques 2026-05-13
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Malicious PowerShell 2026-05-13
MS Scripting Process Loading WMI Module Sysmon EventID 7 T1059.007 Anomaly FIN7 2026-05-13
Suspicious Linux Discovery Commands Sysmon for Linux EventID 1 T1059.004 TTP Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware 2026-05-13
Batch File Write to System32 Sysmon EventID 11 T1204.002 TTP SamSam Ransomware, Compromised Windows Host 2026-05-13
Detect Use of cmd exe to Launch Script Interpreters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 Anomaly Suspicious Command-Line Executions, Emotet Malware DHS Report TA18-201A, Azorult 2026-05-13
Windows BitDefender Submission Wizard DLL Sideloading Sysmon EventID 7 T1574 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Windows File Download Via PowerShell CrowdStrike ProcessRollup2, Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1105 Anomaly Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, PHP-CGI RCE Attack on Japanese Organizations, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern, IcedID, Malicious PowerShell, StealC Stealer, Tuoni, Ingress Tool Transfer, HAFNIUM Group, Data Destruction, Phemedrone Stealer, SolarWinds WHD RCE Post Exploitation, NPM Supply Chain Compromise, NetSupport RMM Tool Abuse, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, APT37 Rustonotto and FadeStealer, XWorm 2026-05-13
Windows Service Execution RemCom CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1569.002 TTP Active Directory Discovery 2026-05-13
Windows Powershell Logoff User via Quser Powershell Script Block Logging 4104 T1059.001 T1531 Anomaly Crypto Stealer 2026-06-29
CMD Carry Out String Command Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 Hunting Hermetic Wiper, Chaos Ransomware, 0bj3ctivity Stealer, WhisperGate, Quasar RAT, NjRAT, CISA AA23-347A, Interlock Rat, Winter Vivern, ProxyNotShell, Living Off The Land, AsyncRAT, IcedID, Crypto Stealer, DarkCrystal RAT, Gh0st RAT, Log4Shell CVE-2021-44228, Rhysida Ransomware, RedLine Stealer, StealC Stealer, DarkGate Malware, Data Destruction, Azorult, Malicious Inno Setup Loader, Qakbot, PlugX, Warzone RAT 2026-05-13
Windows Powershell History File Deletion Powershell Script Block Logging 4104 T1059.003 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Linux At Allow Config File Creation Sysmon for Linux EventID 11 T1053.003 Anomaly Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Software Discovery Via PowerShell Powershell Script Block Logging 4104 T1012 T1059.001 T1518 Anomaly Windows Discovery Techniques 2026-05-13
Msmpeng Application DLL Side Loading Sysmon EventID 11 T1574.001 TTP Ransomware, Revil Ransomware 2026-05-13
Windows AppX Deployment Unsigned Package Installation Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 TTP MSIX Package Abuse 2026-05-13
Remote Process Instantiation via WMI and PowerShell Script Block Powershell Script Block Logging 4104 T1047 TTP Active Directory Lateral Movement 2026-05-13
Windows WMI Reconnaissance Class Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 Anomaly BlankGrabber Stealer 2026-05-13
MS Scripting Process Loading Ldap Module Sysmon EventID 7 T1059.007 Anomaly FIN7 2026-05-13
Windows PowGoop Beacon Decoding CrowdStrike ProcessRollup2, Sysmon EventID 1 T1001 T1059.001 TTP Compromised Windows Host 2026-05-13
Windows PowerShell MSIX Package Installation Powershell Script Block Logging 4104 T1059.001 T1547.001 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
Scheduled Task Deleted Or Created via CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 Anomaly ValleyRAT, Trickbot, 0bj3ctivity Stealer, Quasar RAT, NjRAT, CISA AA23-347A, Windows Persistence Techniques, Winter Vivern, Scheduled Tasks, Sandworm Tools, Living Off The Land, AsyncRAT, Amadey, CISA AA24-241A, MoonPeak, AgentTesla, Scattered Spider, DarkCrystal RAT, Salt Typhoon, Rhysida Ransomware, RedLine Stealer, ShrinkLocker, Lokibot, Medusa Ransomware, Phemedrone Stealer, Azorult, Remcos, SolarWinds WHD RCE Post Exploitation, China-Nexus Threat Activity, DHS Report TA18-074A, NetSupport RMM Tool Abuse, Qakbot, CISA AA22-257A, PlugX, APT37 Rustonotto and FadeStealer, XWorm, NOBELIUM Group, Prestige Ransomware 2026-05-13
Windows Unsigned DLL Side-Loading Sysmon EventID 7 T1574.001 Anomaly China-Nexus Threat Activity, SolarWinds WHD RCE Post Exploitation, Warzone RAT, Derusbi, NjRAT, Earth Alux, Salt Typhoon 2026-05-13
Script Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 TTP Suspicious WMI Use, Scattered Spider 2026-05-13
Windows Suspect Process With Authentication Traffic Sysmon EventID 3 T1087.002 T1204.002 Anomaly Active Directory Discovery 2026-05-13
Windows WMI Impersonate Token Sysmon EventID 10 T1047 Anomaly Water Gamayun, Qakbot 2026-05-13
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200 T1053.005 Hunting ValleyRAT, BlackSuit Ransomware, Windows Persistence Techniques, Winter Vivern, Scheduled Tasks, Sandworm Tools, AsyncRAT, Amadey, CISA AA24-241A, IcedID, Industroyer2, SystemBC, DarkCrystal RAT, Data Destruction, Remcos, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Qakbot, CISA AA22-257A, PlugX, Prestige Ransomware 2026-05-13
Malicious PowerShell Process With Obfuscation Techniques Sysmon EventID 1 T1059.001 TTP Hermetic Wiper, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Data Destruction, Malicious PowerShell 2026-05-13
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.001 TTP Water Gamayun, Compromised Windows Host, Qakbot 2026-05-13
MSI Module Loaded by Non-System Binary Sysmon EventID 7 T1574.001 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Windows WinDBG Spawning AutoIt3 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059 TTP DarkGate Malware, Compromised Windows Host 2026-05-13
Windows Snake Malware Service Create Windows Event Log System 7045 T1547.006 T1569.002 TTP Snake Malware, Compromised Windows Host 2026-05-13
Cisco Isovalent - Pods Running Offensive Tools Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
PowerShell Start or Stop Service Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement, Scattered Lapsus$ Hunters 2026-05-13
Windows PowerShell Process With Malicious String CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 TTP Malicious PowerShell 2026-05-13
PowerShell Loading DotNET into Memory via Reflection Powershell Script Block Logging 4104 T1059.001 Anomaly Hermetic Wiper, Hellcat Ransomware, AsyncRAT, Axios Supply Chain Post Compromise, Data Destruction, Malicious PowerShell, 0bj3ctivity Stealer, VIP Keylogger, AgentTesla, Winter Vivern 2026-06-29
Windows PowerShell Script From WindowsApps Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1204.002 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
Windows PUA Named Pipe Sysmon EventID 18, Sysmon EventID 17 T1021.002 T1055 T1559 Anomaly VanHelsing Ransomware, Rhysida Ransomware, Active Directory Lateral Movement, DHS Report TA18-074A, Sandworm Tools, DarkGate Malware, HAFNIUM Group, IcedID, CISA AA22-320A, Seashell Blizzard, Medusa Ransomware, Cactus Ransomware, DarkSide Ransomware, BlackByte Ransomware, SamSam Ransomware, Volt Typhoon 2026-05-13
Windows Mock Trusted Directory MSC File Creation Sysmon EventID 11 T1218.014 T1548.002 T1574 TTP Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Shai-Hulud Workflow File Creation or Modification Sysmon EventID 11, Sysmon for Linux EventID 11 T1195 T1554 T1574.006 TTP NPM Supply Chain Compromise 2026-05-13
Windows Known GraphicalProton Loaded Modules Sysmon EventID 7 T1574.001 Anomaly Water Gamayun, CISA AA23-347A, Hellcat Ransomware 2026-05-13
Linux At Application Execution Sysmon for Linux EventID 1 T1053.002 Anomaly Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Living Off The Land, Hellcat Ransomware 2026-05-13
Windows Common Abused Cmd Shell Risk Behavior T1016 T1033 T1049 T1059 T1222 T1529 Correlation Netsh Abuse, Disabling Security Tools, Sandworm Tools, CISA AA23-347A, Microsoft WSUS CVE-2025-59287, Qakbot, DarkCrystal RAT, Volt Typhoon, Windows Post-Exploitation, Azorult, FIN7, Windows Defense Evasion Tactics 2026-05-13
Suspicious MSBuild Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1127.001 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows File Association Modification via Ftype CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.003 Anomaly Windows File Extension and Association Abuse 2026-05-13
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.002 TTP Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement, 0bj3ctivity Stealer 2026-05-13
Windows ISO LNK File Creation Sysmon EventID 11 T1204.001 T1566.001 Hunting Amadey, IcedID, Remcos, Qakbot, Spearphishing Attachments, Warzone RAT, AgentTesla, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Gozi Malware, Azorult 2026-05-13
Remote Process Instantiation via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 TTP China-Nexus Threat Activity, Active Directory Lateral Movement, Suspicious WMI Use, Ransomware, Salt Typhoon, CISA AA23-347A, Void Manticore 2026-05-13
Windows Account Access Removal via Logoff Exec Sysmon EventID 1 T1059.001 T1531 Anomaly Crypto Stealer 2026-05-13
Windows PowerShell Module File Created Sysmon EventID 11 T1059.001 T1129 T1574 Anomaly Windows Persistence Techniques, Malicious PowerShell 2026-05-13
ETW Registry Disabled Sysmon EventID 13 T1127 T1685 TTP Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Registry Abuse, CISA AA23-347A, Windows Persistence Techniques 2026-05-13
Windows Process Accessing Windows Recall Directory Windows Event Log Security 4663 T1059 T1119 Anomaly Windows Post-Exploitation 2026-05-13
Windows Outlook Macro Created by Suspicious Process Sysmon EventID 11 T1059.005 T1137 TTP NotDoor Malware 2026-05-13
Windows Service Creation Using Registry Entry Sysmon EventID 13 T1574.011 Anomaly SolarWinds WHD RCE Post Exploitation, China-Nexus Threat Activity, Active Directory Lateral Movement, Salt Typhoon, PlugX, SnappyBee, Windows Registry Abuse, Suspicious Windows Registry Activities, Brute Ratel C4, Gh0st RAT, Crypto Stealer, Derusbi, CISA AA23-347A, Windows Persistence Techniques 2026-05-13
Powershell Fileless Script Contains Base64 Encoded Content Powershell Script Block Logging 4104 T1027 T1059.001 TTP Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, 0bj3ctivity Stealer, NjRAT, Winter Vivern, Axios Supply Chain Post Compromise, AsyncRAT, IcedID, Malicious PowerShell, MuddyWater, Phantom Stealer, Data Destruction, Medusa Ransomware, Hellcat Ransomware, NetSupport RMM Tool Abuse, Microsoft WSUS CVE-2025-59287, Salat Stealer, APT37 Rustonotto and FadeStealer, XWorm 2026-06-25
GetWmiObject User Account with PowerShell Script Block Powershell Script Block Logging 4104 T1059.001 T1087.001 Hunting Malicious PowerShell, Active Directory Discovery, Winter Vivern 2026-05-13
Powershell Creating Thread Mutex Powershell Script Block Logging 4104 T1027.005 T1059.001 TTP Water Gamayun, Malicious PowerShell 2026-05-13
PowerShell Domain Enumeration Powershell Script Block Logging 4104 T1059.001 Anomaly Hermetic Wiper, Interlock Ransomware, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, CISA AA23-347A 2026-06-28
Windows DLL Search Order Hijacking Hunt with Sysmon Sysmon EventID 7 T1574.001 Hunting Living Off The Land, Malicious Inno Setup Loader, Windows Defense Evasion Tactics, Qakbot 2026-05-13
Windows Explorer LNK Exploit Process Launch With Padding Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 T1204.002 TTP ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Linux Unix Shell Enable All SysRq Functions Sysmon for Linux EventID 1 T1059.004 Anomaly Data Destruction, AwfulShred 2026-05-13
Windows Service Created with Suspicious Service Path Windows Event Log System 7045 T1569.002 TTP China-Nexus Threat Activity, Active Directory Lateral Movement, Snake Malware, Qakbot, Salt Typhoon, PlugX, Brute Ratel C4, Gh0st RAT, APT37 Rustonotto and FadeStealer, Crypto Stealer, Derusbi, CISA AA23-347A, Flax Typhoon, Clop Ransomware 2026-05-13
Windows Defender ASR Rules Stacking Windows Event Log Defender 1134, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1121, Windows Event Log Defender 5007, Windows Event Log Defender 1122 T1059 T1566.001 T1566.002 Hunting Windows Attack Surface Reduction 2026-05-13
Wmiprvse LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1047 TTP Active Directory Lateral Movement 2026-05-13
Windows ScManager Security Descriptor Tampering Via Sc.EXE CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1569.002 TTP Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Nishang PowershellTCPOneLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 TTP Cleo File Transfer Software, HAFNIUM Group 2026-05-13
Windows PowerShell Script TabExpansion Direct Call Powershell Script Block Logging 4104 T1059.001 T1129 Anomaly Malicious PowerShell 2026-05-13
PowerShell - Connect To Internet With Hidden Window CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1059.001 Hunting Hermetic Wiper, HAFNIUM Group, Data Destruction, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AgentTesla, Log4Shell CVE-2021-44228 2026-06-04
Juniper Networks Remote Code Execution Exploit Detection Suricata T1059 T1105 T1190 TTP Juniper JunOS Remote Code Execution 2026-05-13
CrushFTP Authentication Bypass Exploitation CrushFTP T1059.001 T1059.003 T1190 TTP CrushFTP Vulnerabilities, Hellcat Ransomware 2026-05-13
Cisco IOS XE Guestshell Activation and Destroy Cisco IOS Logs T1059 T1611 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE Request Platform Package Describe Shell Pattern Cisco IOS Logs T1059 T1190 TTP Salt Typhoon 2026-05-20
ESXi Reverse Shell Patterns VMWare ESXi Syslog T1059 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
MCP Prompt Injection MCP Server T1059 TTP Suspicious MCP Activities 2026-05-13
PTC Windchill Gateway Command Execution Windchill Log4j T1005 T1059 T1190 Anomaly PTC Windchill Exploitation 2026-06-14
Ollama Suspicious Prompt Injection Jailbreak Ollama Server T1059 T1190 Anomaly Suspicious Ollama Activities 2026-05-13
PTC Windchill GW READY OK Probe Windchill Log4j T1059 T1190 Anomaly PTC Windchill Exploitation 2026-06-14
MCP Filesystem Server Suspicious Extension Write MCP Server T1059 Hunting Suspicious MCP Activities 2026-05-13
ASL AWS ECR Container Upload Unknown User ASL AWS CloudTrail T1204.003 Anomaly Dev Sec Ops 2026-05-13
Kubernetes newly seen UDP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Cron Job Creation Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2026-05-13
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
AWS ECR Container Upload Outside Business Hours AWS CloudTrail PutImage T1204.003 Anomaly Dev Sec Ops 2026-05-13
ASL AWS ECR Container Upload Outside Business Hours ASL AWS CloudTrail T1204.003 Anomaly Dev Sec Ops 2026-05-13
Kubernetes Shell Running on Worker Node with CPU Activity T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
AWS Lambda UpdateFunctionCode AWS CloudTrail T1204 Hunting Suspicious Cloud User Activities 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
AWS ECR Container Scanning Findings Low Informational Unknown AWS CloudTrail DescribeImageScanFindings T1204.003 Anomaly Dev Sec Ops 2026-05-13
Kubernetes Falco Shell Spawned Kubernetes Falco T1204 Anomaly Kubernetes Security 2026-05-13
Kubernetes Anomalous Outbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
AWS ECR Container Scanning Findings Medium AWS CloudTrail DescribeImageScanFindings T1204.003 Anomaly Dev Sec Ops 2026-05-13
O365 SharePoint Malware Detection Office 365 Universal Audit Log T1204.002 TTP Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud 2026-05-13
Kubernetes Previously Unseen Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes newly seen TCP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Anomalous Inbound to Outbound Network IO Ratio T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
AWS ECR Container Upload Unknown User AWS CloudTrail PutImage T1204.003 Anomaly Dev Sec Ops 2026-05-13
O365 Threat Intelligence Suspicious File Detected Office 365 Universal Audit Log T1204.002 TTP Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud 2026-05-13
Kubernetes Shell Running on Worker Node T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Process with Resource Ratio Anomalies T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Anomalous Inbound Outbound Network IO T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Node Port Creation Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
Kubernetes Previously Unseen Container Image Name T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Microsoft Intune Manual Device Management Azure Monitor Activity T1021.007 T1072 T1529 Hunting Azure Active Directory Account Takeover 2026-05-13
Kubernetes Anomalous Inbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Pod With Host Network Attachment Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
Kubernetes Create or Update Privileged Pod Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
Kubernetes Pod Created in Default Namespace Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
Kubernetes DaemonSet Deployed Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
AWS ECR Container Scanning Findings High AWS CloudTrail DescribeImageScanFindings T1204.003 TTP Dev Sec Ops 2026-05-13
Kubernetes Process with Anomalous Resource Utilisation T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Anomalous Traffic on Network Edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Process Running From New Path T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Unauthorized Access Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
Risk Rule for Dev Sec Ops by Repository T1204.003 Correlation Dev Sec Ops 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1505.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Suspicious Process With Discord DNS Query Sysmon EventID 22 T1059.005 Anomaly Phantom Stealer, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, WhisperGate, PXA Stealer 2026-06-25
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Suspicious Process DNS Query Known Abuse Web Services Sysmon EventID 22 T1059.005 TTP Malicious Inno Setup Loader, Meduza Stealer, Braodo Stealer, Snake Keylogger, RedLine Stealer, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, WhisperGate, PXA Stealer, Phemedrone Stealer, Remcos 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event T1059 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 T1587.001 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect Outbound LDAP Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall T1059 T1190 Hunting Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, Log4Shell CVE-2021-44228 2026-05-13