|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
Water Gamayun, Winter Vivern, APT37 Rustonotto and FadeStealer, Microsoft WSUS CVE-2025-59287, Hellcat Ransomware
|
2026-05-13
|
|
Linux Auditd Data Transfer Size Limits Via Split
|
Linux Auditd Execve
|
T1030
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows OneDrive Share Mounted via Net
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1218
T1567
|
TTP
|
Water Gamayun, NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer, Malicious Inno Setup Loader, Fake CAPTCHA Campaigns, Living Off The Land, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Excessive Usage of NSLOOKUP App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1048
|
Anomaly
|
Dynamic DNS, Command And Control, Suspicious DNS Traffic, Data Exfiltration
|
2026-05-13
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
Winter Vivern, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Network Connection From Program In Suspect Location
|
Sysmon EventID 3
|
T1011
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Potential Telegram API Request Via CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1041
T1102.002
|
Anomaly
|
Water Gamayun, XMRig, 0bj3ctivity Stealer, BlankGrabber Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Windows Gdrive Binary Activity
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
DNS Exfiltration Using Nslookup App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1048
|
TTP
|
Suspicious DNS Traffic, Compromised Windows Host, Dynamic DNS, Command And Control, Data Exfiltration
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Rundll32 WebDAV Request
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1048.003
|
Hunting
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
Windows Rundll32 WebDav With Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1048.003
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
Detect Renamed RClone
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1020
|
Hunting
|
Black Basta Ransomware, DarkSide Ransomware, Ransomware, Cactus Ransomware
|
2026-05-13
|
|
Linux Auditd Data Transfer Size Limits Via Split Syscall
|
Linux Auditd Syscall
|
T1030
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Azure Storage Utility Execution Via CLI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Linux Gdrive Binary Activity
|
Sysmon for Linux EventID 1
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
MacOS Data Chunking
|
Osquery Results
|
T1030
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
T1537
|
Anomaly
|
Insider Threat, Information Sabotage, Hellcat Ransomware
|
2026-05-13
|
|
Detect RClone Command-Line Usage
|
Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1020
|
TTP
|
Black Basta Ransomware, DarkSide Ransomware, Ransomware, Cisco Network Visibility Module Analytics, Cactus Ransomware, Storm-0501 Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Cisco NVM - Rclone Execution With Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1567.002
|
Anomaly
|
Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
High Volume of Bytes Out to Url
|
Nginx Access
|
T1567
|
Anomaly
|
Hellcat Ransomware, Data Exfiltration
|
2026-05-13
|
|
Plain HTTP POST Exfiltrated Data
|
Splunk Stream HTTP
|
T1048.003
|
TTP
|
Command And Control, APT37 Rustonotto and FadeStealer, Data Exfiltration
|
2026-05-13
|
|
Multiple Archive Files Http Post Traffic
|
Splunk Stream HTTP
|
T1048.003
|
TTP
|
Command And Control, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Data Exfiltration
|
2026-05-13
|
|
Cisco ASA - Device File Copy to Remote Location
|
Cisco ASA Logs
|
T1005
T1041
T1048.003
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Ollama Possible Model Exfiltration Data Leakage
|
Ollama Server
|
T1048
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
T1567.002
|
Anomaly
|
Dev Sec Ops, Insider Threat, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Exfiltration via Bucket Replication
|
AWS CloudTrail PutBucketReplication
|
T1537
|
TTP
|
Suspicious AWS S3 Activities, Data Exfiltration
|
2026-05-13
|
|
AWS Exfiltration via EC2 Snapshot
|
AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail CreateSnapshot, AWS CloudTrail DescribeSnapshotAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
O365 DLP Rule Triggered
|
Office 365 Universal Audit Log
|
T1048
T1567
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
AWS EC2 Snapshot Shared Externally
|
AWS CloudTrail ModifySnapshotAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
O365 Exfiltration via File Sync Download
|
Office 365 Universal Audit Log
|
T1530
T1567
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
AWS AMI Attribute Modification for Exfiltration
|
AWS CloudTrail ModifyImageAttribute
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
AWS S3 Exfiltration Behavior Identified
|
|
T1537
|
Correlation
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
ASL AWS EC2 Snapshot Shared Externally
|
ASL AWS CloudTrail
|
T1537
|
TTP
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2026-05-13
|
|
O365 Exfiltration via File Access
|
Office 365 Universal Audit Log
|
T1530
T1567
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Gsuite Outbound Email With Attachment To External Domain
|
G Suite Gmail
|
T1048.003
|
Hunting
|
Dev Sec Ops, Insider Threat
|
2026-05-13
|
|
O365 Email Access By Security Administrator
|
Office 365 Universal Audit Log
|
T1114.002
T1567
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
O365 Exfiltration via File Download
|
Office 365 Universal Audit Log
|
T1530
T1567
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Prohibited Network Traffic Allowed
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch, Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
T1048.003
|
Anomaly
|
Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware
|
2026-05-13
|
|
Cisco Secure Firewall - Intrusion Events by Threat Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Potential Data Exfiltration
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1048.003
T1567.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco TFTP Server Configuration for Data Exfiltration
|
Cisco IOS Logs
|
T1005
T1567
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Detect SNICat SNI Exfiltration
|
|
T1041
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Download Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High EVE Threat Confidence
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1071.001
T1105
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Protocol or Port Mismatch
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048.003
|
Anomaly
|
Prohibited Traffic Allowed or Protocol Mismatch, Command And Control, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - Connection to File Sharing Domain
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1090.002
T1105
T1567.002
T1588.002
|
Anomaly
|
Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
