| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Void Manticore, CISA AA22-264A, SamSam Ransomware, Medusa Ransomware, Termite Ransomware, Chaos Ransomware, Compromised Windows Host, Rhysida Ransomware, Black Basta Ransomware, Windows Log Manipulation, Cactus Ransomware, VanHelsing Ransomware, Ransomware, DarkGate Malware, LockBit Ransomware | 2026-05-13 |
| Disabling SystemRestore In Registry | Sysmon EventID 13 | T1490 | TTP | Windows Registry Abuse, Windows Defense Evasion Tactics, NjRAT | 2026-05-13 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | T1485 | TTP | Industroyer2, Data Destruction | 2026-05-13 |
| Common Ransomware Notes | Sysmon EventID 11 | T1485 | Hunting | Clop Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, SamSam Ransomware, Storm-0501 Ransomware, Black Basta Ransomware, Termite Ransomware, Chaos Ransomware, Rhysida Ransomware, Ryuk Ransomware, Interlock Ransomware, Ransomware, Medusa Ransomware, LockBit Ransomware | 2026-05-13 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Hellcat Ransomware, AcidRain | 2026-05-13 |
| Windows Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Graceful Wipe Out Attack, Prestige Ransomware, Scattered Lapsus$ Hunters, Gh0st RAT | 2026-05-13 |
| Windows Excessive Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Ransomware, BlackByte Ransomware, XMRig | 2026-05-13 |
| Windows Security Account Manager Stopped | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Scattered Lapsus$ Hunters, Compromised Windows Host, Ryuk Ransomware | 2026-05-13 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | T1485 | TTP | Industroyer2, AwfulShred, Data Destruction, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Modification Of Wallpaper | Sysmon EventID 13 | T1491 | TTP | ZOVWiper, Revil Ransomware, Black Basta Ransomware, Rhysida Ransomware, BlackMatter Ransomware, Windows Registry Abuse, Brute Ratel C4, Ransomware, LockBit Ransomware | 2026-05-13 |
| Windows Data Destruction Recursive Exec Files Deletion | Sysmon EventID 23, Sysmon EventID 26 | T1485 | TTP | Handala Wiper, Disk Wiper, Data Destruction, Void Manticore, Swift Slicer | 2026-05-13 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Data Destruction, AcidRain, AcidPour | 2026-05-13 |
| Windows User Disabled Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | XMRig | 2026-05-13 |
| Sdelete Application Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004, T1485 | TTP | Scattered Spider, Masquerading - Rename System Utilities, Void Manticore | 2026-05-13 |
| Windows Excessive Usage Of Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | XMRig, Windows Post-Exploitation, Prestige Ransomware, Graceful Wipe Out Attack, Rhysida Ransomware, Ransomware, Azorult | 2026-05-13 |
| Windows File Without Extension In Critical Folder | Sysmon EventID 11 | T1485 | TTP | Hermetic Wiper, Data Destruction | 2026-05-13 |
| Excessive Attempt To Disable Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | Azorult, XMRig | 2026-05-13 |
| Excessive File Deletion In WinDefender Folder | Sysmon EventID 23, Sysmon EventID 26 | T1485 | TTP | BlackByte Ransomware, Data Destruction, WhisperGate | 2026-05-13 |
| Windows Suspicious File in EFI Volume | Sysmon EventID 11 | T1490, T1542.001 | TTP | BlackLotus Campaign, Windows BootKits, Sandworm Tools | 2026-05-13 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AcidRain, AcidPour, AwfulShred | 2026-05-13 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, AcidPour | 2026-05-13 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Windows Service Deletion In Registry | Sysmon EventID 13 | T1489 | Anomaly | Brute Ratel C4, Crypto Stealer, PlugX | 2026-05-13 |
| Linux Disable Services | Sysmon for Linux EventID 1 | T1489 | TTP | Industroyer2, Data Destruction, AwfulShred | 2026-05-13 |
| Windows .Key File Creation in Root Directory | Sysmon EventID 11 | T1486 | Anomaly | Ransomware | 2026-05-13 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | T1485 | TTP | Industroyer2, AwfulShred, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | T1490 | TTP | DarkSide Ransomware, Revil Ransomware, Cactus Ransomware, VanHelsing Ransomware, Ransomware, DarkGate Malware | 2026-05-13 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AcidRain, AcidPour | 2026-05-13 |
| Windows Security And Backup Services Stop | Windows Event Log System 7036 | T1490 | TTP | Hellcat Ransomware, Termite Ransomware, Scattered Lapsus$ Hunters, Compromised Windows Host, BlackMatter Ransomware, Ransomware, LockBit Ransomware | 2026-05-13 |
| Windows Disable Memory Crash Dump | Sysmon EventID 13 | T1485 | TTP | Windows Registry Abuse, Hermetic Wiper, Ransomware, Data Destruction | 2026-05-13 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Hunting | MuddyWater, Quasar RAT, XWorm, NjRAT, DarkCrystal RAT, MoonPeak, Scattered Lapsus$ Hunters, DarkGate Malware | 2026-05-13 |
| WBAdmin Delete System Backups | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Storm-0501 Ransomware, Chaos Ransomware, Ryuk Ransomware, Ransomware | 2026-05-13 |
| Windows Cisco Secure Endpoint Related Service Stopped | Windows Event Log System 7036 | T1490 | Anomaly | Scattered Lapsus$ Hunters, Security Solution Tampering, Hellcat Ransomware | 2026-05-13 |
| Linux Auditd Data Destruction Command | Linux Auditd Proctitle | T1485 | TTP | Data Destruction, Compromised Linux Host, AwfulShred | 2026-05-13 |
| Windows System Shutdown CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | ZOVWiper, MuddyWater, Quasar RAT, XWorm, Sandworm Tools, NjRAT, DarkCrystal RAT, MoonPeak, Scattered Lapsus$ Hunters, DarkGate Malware | 2026-05-13 |
| Ransomware Notes bulk creation | Sysmon EventID 11 | T1486 | Anomaly | DarkSide Ransomware, Clop Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, Black Basta Ransomware, Termite Ransomware, Chaos Ransomware, Rhysida Ransomware, BlackMatter Ransomware, Cactus Ransomware, Interlock Ransomware, Medusa Ransomware, LockBit Ransomware | 2026-05-13 |
| Windows Defacement Modify Transcodedwallpaper File | Sysmon EventID 11, Sysmon EventID 1 | T1491 | Anomaly | Brute Ratel C4 | 2026-05-13 |
| Windows System LogOff Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | XWorm, DarkCrystal RAT, Scattered Lapsus$ Hunters, NjRAT | 2026-05-13 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | T1485 | TTP | Industroyer2, Data Destruction, AwfulShred | 2026-05-13 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Storm-2460 CLFS Zero Day Exploitation, Void Manticore, Compromised Windows Host, Ryuk Ransomware, Ransomware | 2026-05-13 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | T1529 | TTP | Data Destruction, AwfulShred | 2026-05-13 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Resize ShadowStorage volume | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Clop Ransomware, Compromised Windows Host, VanHelsing Ransomware, Medusa Ransomware, BlackByte Ransomware | 2026-05-13 |
| Linux Magic SysRq Key Abuse | Linux Auditd Cwd, Linux Auditd Path | T1059.004, T1489, T1499, T1529 | TTP | Compromised Linux Host | 2026-05-13 |
| Windows BitLocker Suspicious Command Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486, T1490 | TTP | ShrinkLocker | 2026-05-13 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, AwfulShred | 2026-05-13 |
| Windows Service Stop Win Updates | Windows Event Log System 7040 | T1489 | Anomaly | CISA AA23-347A, RedLine Stealer | 2026-05-13 |
| Windows WBAdmin File Recovery From Backup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490, T1565.001 | Anomaly | Credential Dumping | 2026-05-13 |
| Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | T1489 | Anomaly | Industroyer2, Data Destruction | 2026-05-13 |
| Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | T1561.002 | TTP | Caddy Wiper, Disk Wiper, Data Destruction, Void Manticore, CISA AA22-264A, WhisperGate, NjRAT, Graceful Wipe Out Attack, PathWiper, Hermetic Wiper, BlackByte Ransomware | 2026-05-13 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackMatter Ransomware, Black Basta Ransomware | 2026-05-13 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | T1485 | TTP | Industroyer2, Compromised Linux Host, Data Destruction | 2026-05-13 |
| Windows User Deletion Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | Graceful Wipe Out Attack, DarkGate Malware, XMRig | 2026-05-13 |
| Windows Powershell Logoff User via Quser | Powershell Script Block Logging 4104 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Data Destruction, AcidRain | 2026-05-13 |
| Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | T1561.002 | Anomaly | Caddy Wiper, Disk Wiper, Data Destruction, Void Manticore, CISA AA22-264A, NjRAT, Graceful Wipe Out Attack, PathWiper, Hermetic Wiper, BlackByte Ransomware | 2026-05-13 |
| Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Ransomware, Chaos Ransomware, Void Manticore | 2026-05-13 |
| Windows Set Account Password Policy To Unlimited Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | XMRig, Ransomware, BlackByte Ransomware, Crypto Stealer | 2026-05-13 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Industroyer2, Data Destruction, AcidPour | 2026-05-13 |
| Windows High File Deletion Frequency | Sysmon EventID 23, Sysmon EventID 26 | T1485 | Anomaly | Handala Wiper, ZOVWiper, Clop Ransomware, NailaoLocker Ransomware, APT37 Rustonotto and FadeStealer, Data Destruction, DynoWiper, WhisperGate, Void Manticore, Swift Slicer, Medusa Ransomware, DarkCrystal RAT, Black Basta Ransomware, Interlock Ransomware, Sandworm Tools | 2026-05-13 |
| Common Ransomware Extensions | Sysmon EventID 11 | T1485 | TTP | Clop Ransomware, NailaoLocker Ransomware, Prestige Ransomware, SamSam Ransomware, Black Basta Ransomware, Termite Ransomware, Rhysida Ransomware, Ryuk Ransomware, Interlock Ransomware, Ransomware, Medusa Ransomware, LockBit Ransomware | 2026-05-13 |
| Samsam Test File Write | Sysmon EventID 11 | T1486 | TTP | SamSam Ransomware | 2026-05-13 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | T1489 | Hunting | Industroyer2, AwfulShred, Compromised Linux Host, Data Destruction | 2026-05-13 |
| Windows Common Abused Cmd Shell Risk Behavior | | T1016, T1033, T1049, T1059, T1222, T1529 | Correlation | Microsoft WSUS CVE-2025-59287, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Qakbot, CISA AA23-347A, FIN7, DarkCrystal RAT, Volt Typhoon, Windows Defense Evasion Tactics, Sandworm Tools, Azorult | 2026-05-13 |
| Windows Account Access Removal via Logoff Exec | Sysmon EventID 1 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackMatter Ransomware, Black Basta Ransomware | 2026-05-13 |
| High Process Termination Frequency | Sysmon EventID 5 | T1486 | Anomaly | Clop Ransomware, NailaoLocker Ransomware, Snake Keylogger, Hellcat Ransomware, Termite Ransomware, Rhysida Ransomware, Crypto Stealer, BlackByte Ransomware, Interlock Ransomware, Medusa Ransomware, LockBit Ransomware | 2026-05-13 |
| Windows DiskCryptor Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486 | Hunting | Ransomware | 2026-05-13 |
| Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Graceful Wipe Out Attack, Crypto Stealer, Azorult | 2026-05-13 |
| Windows WMIC Shadowcopy Delete | Sysmon EventID 1 | T1490 | Anomaly | Volt Typhoon, Cactus Ransomware, Suspicious WMI Use | 2026-05-13 |
| Ryuk Test Files Detected | Sysmon EventID 11 | T1486 | TTP | Ryuk Ransomware | 2026-05-13 |
| Linux Stop Services | Sysmon for Linux EventID 1 | T1489 | TTP | Industroyer2, Data Destruction, AwfulShred | 2026-05-13 |
| Detect Web Access to Decommissioned S3 Bucket | AWS Cloudfront | T1485 | Anomaly | AWS S3 Bucket Security Monitoring, Data Destruction | 2026-05-13 |
| ESXi Bulk VM Termination | VMWare ESXi Syslog | T1499, T1529, T1673 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - User Account Deleted From Local Database | Cisco ASA Logs | T1070.008, T1531 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Ollama Abnormal Service Crash Availability Attack | Ollama Server | T1489 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Possible Memory Exhaustion Resource Abuse | Ollama Server | T1499 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Excessive API Requests | Ollama Server | T1498 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| ASL AWS Disable Bucket Versioning | ASL AWS CloudTrail | T1490 | Anomaly | Suspicious AWS S3 Activities, Data Exfiltration | 2026-05-13 |
| ASL AWS Detect Users creating keys with encrypt policy without MFA | ASL AWS CloudTrail | T1486 | TTP | Ransomware Cloud | 2026-05-13 |
| GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| AWS Bedrock Delete Knowledge Base | AWS CloudTrail DeleteKnowledgeBase | T1485 | TTP | AWS Bedrock Security | 2026-05-13 |
| AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | T1486 | Anomaly | Ransomware Cloud | 2026-05-13 |
| O365 Email Send Attachments Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Suspicious Emails, Office 365 Account Takeover | 2026-05-13 |
| GitHub Enterprise Repository Deleted | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | T1490 | Anomaly | Suspicious AWS S3 Activities, Data Exfiltration | 2026-05-13 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail PutKeyPolicy, AWS CloudTrail CreateKey | T1486 | TTP | Ransomware Cloud | 2026-05-13 |
| Microsoft Intune Bulk Wipe | Azure Monitor Activity | T1561.001 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Universal Audit Log, Office 365 Reporting Message Trace | T1070.008, T1114.001, T1485 | TTP | Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction | 2026-05-13 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Universal Audit Log, Office 365 Reporting Message Trace | T1070.008, T1114.001, T1485 | Anomaly | Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction | 2026-05-13 |
| O365 Email Hard Delete Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Suspicious Emails, Office 365 Account Takeover, Data Destruction | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Universal Audit Log, Office 365 Reporting Message Trace | T1070.008, T1114.001, T1485 | Anomaly | Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction | 2026-05-13 |
| ASL AWS Defense Evasion PutBucketLifecycle | ASL AWS CloudTrail | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13 |
| GitHub Organizations Repository Deleted | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| GitHub Enterprise Remove Organization | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity | 2026-05-13 |
| GitHub Enterprise Repository Archived | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover, Data Destruction | 2026-05-13 |
| Detect DNS Query to Decommissioned S3 Bucket | Sysmon EventID 22 | T1485 | Anomaly | AWS S3 Bucket Security Monitoring, Data Destruction | 2026-05-13 |
| Detect ARP Poisoning | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Static Tundra Smart Install Abuse | Cisco Secure Firewall Threat Defense Intrusion Event | T1190, T1210, T1499 | TTP | Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect Rogue DHCP Server | Cisco IOS Logs | T1200, T1498, T1557 | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13 |
| Detect Port Security Violation | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Large Volume of DNS ANY Queries | | T1498.002 | Anomaly | DNS Amplification Attacks | 2026-05-13 |
| Detect Traffic Mirroring | Cisco IOS Logs | T1020.001, T1200, T1498 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Detect IPv6 Network Infrastructure Threats | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13 |