Detection | Data Source | ATT&CK Technique | Type | Analytic Story | Date
Deleting Shadow Copies | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | CISA AA22-264A, Black Basta Ransomware, Compromised Windows Host, Ransomware, VanHelsing Ransomware, Rhysida Ransomware, Chaos Ransomware, Medusa Ransomware, SamSam Ransomware, Storm-2460 CLFS Zero Day Exploitation, Windows Log Manipulation, Cactus Ransomware, Clop Ransomware, Void Manticore, LockBit Ransomware, Prestige Ransomware, Termite Ransomware, DarkGate Malware | 2026-05-13
Disabling SystemRestore In Registry | Sysmon EventID 13 | T1490 | TTP | Windows Registry Abuse, Windows Defense Evasion Tactics, NjRAT | 2026-05-13
Linux DD File Overwrite | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, Industroyer2 | 2026-05-13
Common Ransomware Notes | Sysmon EventID 11 | T1485 | Hunting | Black Basta Ransomware, Ransomware, Rhysida Ransomware, Chaos Ransomware, SamSam Ransomware, Clop Ransomware, LockBit Ransomware, Storm-0501 Ransomware, Termite Ransomware, Ryuk Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, Interlock Ransomware | 2026-05-13
Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Hellcat Ransomware | 2026-05-13
Windows Service Stop Attempt | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1489 | Hunting | Gh0st RAT, Scattered Lapsus$ Hunters, Prestige Ransomware, Graceful Wipe Out Attack | 2026-05-13
Windows Excessive Service Stop Attempt | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1489 | TTP | XMRig, Ransomware, BlackByte Ransomware | 2026-05-13
Windows Security Account Manager Stopped | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1489 | TTP | Scattered Lapsus$ Hunters, Compromised Windows Host, Ryuk Ransomware | 2026-05-13
Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13
Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | T1485 | TTP | Compromised Linux Host, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Industroyer2, AwfulShred | 2026-05-13
Modification Of Wallpaper | Sysmon EventID 13 | T1491 | TTP | BlackMatter Ransomware, Black Basta Ransomware, Brute Ratel C4, Ransomware, Rhysida Ransomware, ZOVWiper, Windows Registry Abuse, LockBit Ransomware, Revil Ransomware | 2026-05-13
Windows Data Destruction Recursive Exec Files Deletion | Sysmon EventID 26, Sysmon EventID 23 | T1485 | TTP | Handala Wiper, Void Manticore, Swift Slicer, Data Destruction, Disk Wiper | 2026-05-13
Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Data Destruction, AcidRain, AcidPour | 2026-05-13
Windows User Disabled Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1531 | Anomaly | XMRig | 2026-05-13
Sdelete Application Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1070.004, T1485 | TTP | Scattered Spider, Masquerading - Rename System Utilities, Void Manticore | 2026-05-13
Windows Excessive Usage Of Net App | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1531 | Anomaly | Graceful Wipe Out Attack, Ransomware, Rhysida Ransomware, XMRig, Windows Post-Exploitation, Prestige Ransomware, Azorult | 2026-05-13
Windows File Without Extension In Critical Folder | Sysmon EventID 11 | T1485 | TTP | Data Destruction, Hermetic Wiper | 2026-05-13
Excessive Attempt To Disable Services | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1489 | Anomaly | XMRig, Azorult | 2026-05-13
Excessive File Deletion In WinDefender Folder | Sysmon EventID 26, Sysmon EventID 23 | T1485 | TTP | Data Destruction, WhisperGate, BlackByte Ransomware | 2026-05-13
Windows Suspicious File in EFI Volume | Sysmon EventID 11 | T1490, T1542.001 | TTP | Windows BootKits, BlackLotus Campaign, Sandworm Tools | 2026-05-13
Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AwfulShred, AcidRain, AcidPour | 2026-05-13
Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, AcidPour | 2026-05-13
Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13
Windows Service Deletion In Registry | Sysmon EventID 13 | T1489 | Anomaly | Crypto Stealer, Brute Ratel C4, PlugX | 2026-05-13
Linux Disable Services | Sysmon for Linux EventID 1 | T1489 | TTP | Data Destruction, AwfulShred, Industroyer2 | 2026-05-13
Windows .Key File Creation in Root Directory | Sysmon EventID 11 | T1486 | Anomaly | Ransomware | 2026-05-13
Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Industroyer2, AwfulShred | 2026-05-13
Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | T1490 | TTP | DarkSide Ransomware, Ransomware, VanHelsing Ransomware, Cactus Ransomware, DarkGate Malware, Revil Ransomware | 2026-05-13
Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AcidRain, AcidPour | 2026-05-13
Windows Security And Backup Services Stop | Windows Event Log System 7036 | T1490 | TTP | BlackMatter Ransomware, Compromised Windows Host, Ransomware, Scattered Lapsus$ Hunters, LockBit Ransomware, Termite Ransomware, Hellcat Ransomware | 2026-05-13
Windows Disable Memory Crash Dump | Sysmon EventID 13 | T1485 | TTP | Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse | 2026-05-13
Windows System Reboot CommandLine | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1529 | Hunting | XWorm, NjRAT, MuddyWater, Scattered Lapsus$ Hunters, MoonPeak, Quasar RAT, DarkGate Malware, DarkCrystal RAT | 2026-05-13
WBAdmin Delete System Backups | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | Ransomware, Chaos Ransomware, Storm-2460 CLFS Zero Day Exploitation, Storm-0501 Ransomware, Prestige Ransomware, Ryuk Ransomware | 2026-05-13
Windows Cisco Secure Endpoint Related Service Stopped | Windows Event Log System 7036 | T1490 | Anomaly | Security Solution Tampering, Scattered Lapsus$ Hunters, Hellcat Ransomware | 2026-05-13
Linux Auditd Data Destruction Command | Linux Auditd Proctitle | T1485 | TTP | Data Destruction, AwfulShred, Compromised Linux Host | 2026-05-13
Windows System Shutdown CommandLine | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1529 | Anomaly | Sandworm Tools, XWorm, NjRAT, MuddyWater, Scattered Lapsus$ Hunters, ZOVWiper, MoonPeak, Quasar RAT, DarkGate Malware, DarkCrystal RAT | 2026-05-13
Ransomware Notes bulk creation | Sysmon EventID 11 | T1486 | Anomaly | BlackMatter Ransomware, Black Basta Ransomware, DarkSide Ransomware, Rhysida Ransomware, Chaos Ransomware, Cactus Ransomware, Clop Ransomware, LockBit Ransomware, Termite Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, Interlock Ransomware | 2026-05-13
Windows Defacement Modify Transcodedwallpaper File | Sysmon EventID 11, Sysmon EventID 1 | T1491 | Anomaly | Brute Ratel C4 | 2026-05-13
Windows System LogOff Commandline | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1529 | Anomaly | NjRAT, DarkCrystal RAT, Scattered Lapsus$ Hunters, XWorm | 2026-05-13
Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, AwfulShred, Industroyer2 | 2026-05-13
BCDEdit Failure Recovery Modification | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | Compromised Windows Host, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Void Manticore, Ryuk Ransomware | 2026-05-13
Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | T1529 | TTP | Data Destruction, AwfulShred | 2026-05-13
Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13
Resize ShadowStorage volume | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | Compromised Windows Host, VanHelsing Ransomware, Clop Ransomware, BlackByte Ransomware, Medusa Ransomware | 2026-05-13
Linux Magic SysRq Key Abuse | Linux Auditd Path, Linux Auditd Cwd | T1059.004, T1489, T1499, T1529 | TTP | Compromised Linux Host | 2026-05-13
Windows BitLocker Suspicious Command Usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1486, T1490 | TTP | ShrinkLocker | 2026-05-13
Linux Data Destruction Command | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, AwfulShred | 2026-05-13
Windows Service Stop Win Updates | Windows Event Log System 7040 | T1489 | Anomaly | CISA AA23-347A, RedLine Stealer | 2026-05-13
Windows WBAdmin File Recovery From Backup | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490, T1565.001 | Anomaly | Credential Dumping | 2026-05-13
Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | T1489 | Anomaly | Data Destruction, Industroyer2 | 2026-05-13
Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | T1561.002 | TTP | CISA AA22-264A, WhisperGate, Graceful Wipe Out Attack, NjRAT, PathWiper, Void Manticore, Data Destruction, BlackByte Ransomware, Disk Wiper, Hermetic Wiper, Caddy Wiper | 2026-05-13
Bcdedit Command Back To Normal Mode Boot | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | BlackMatter Ransomware, Black Basta Ransomware | 2026-05-13
Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | T1485 | TTP | Data Destruction, Compromised Linux Host, Industroyer2 | 2026-05-13
Windows User Deletion Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1531 | Anomaly | DarkGate Malware, XMRig, Graceful Wipe Out Attack | 2026-05-13
Windows Powershell Logoff User via Quser | Powershell Script Block Logging 4104 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13
Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Data Destruction, AcidRain | 2026-05-13
Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | T1561.002 | Anomaly | CISA AA22-264A, Graceful Wipe Out Attack, NjRAT, PathWiper, Void Manticore, Data Destruction, BlackByte Ransomware, Disk Wiper, Hermetic Wiper, Caddy Wiper | 2026-05-13
Prevent Automatic Repair Mode using Bcdedit | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | Chaos Ransomware, Ransomware, Void Manticore | 2026-05-13
Windows Set Account Password Policy To Unlimited Via Net | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1489 | Anomaly | Crypto Stealer, XMRig, Ransomware, BlackByte Ransomware | 2026-05-13
Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AcidPour, Industroyer2 | 2026-05-13
Windows High File Deletion Frequency | Sysmon EventID 26, Sysmon EventID 23 | T1485 | Anomaly | WhisperGate, Black Basta Ransomware, Sandworm Tools, APT37 Rustonotto and FadeStealer, Handala Wiper, ZOVWiper, Void Manticore, Swift Slicer, Data Destruction, Clop Ransomware, Medusa Ransomware, DarkCrystal RAT, DynoWiper, NailaoLocker Ransomware, Interlock Ransomware | 2026-05-13
Common Ransomware Extensions | Sysmon EventID 11 | T1485 | TTP | Black Basta Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Termite Ransomware, Ryuk Ransomware, Medusa Ransomware, NailaoLocker Ransomware, Interlock Ransomware | 2026-05-13
Samsam Test File Write | Sysmon EventID 11 | T1486 | TTP | SamSam Ransomware | 2026-05-13
Linux Auditd Stop Services | Linux Auditd Service Stop | T1489 | Hunting | Data Destruction, AwfulShred, Compromised Linux Host, Industroyer2 | 2026-05-13
Windows Common Abused Cmd Shell Risk Behavior |  | T1016, T1033, T1049, T1059, T1222, T1529 | Correlation | Qakbot, Windows Defense Evasion Tactics, Disabling Security Tools, Sandworm Tools, FIN7, Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Azorult, Microsoft WSUS CVE-2025-59287, Netsh Abuse, CISA AA23-347A | 2026-05-13
Windows Account Access Removal via Logoff Exec | Sysmon EventID 1 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13
Change To Safe Mode With Network Config | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1490 | TTP | BlackMatter Ransomware, Black Basta Ransomware | 2026-05-13
High Process Termination Frequency | Sysmon EventID 5 | T1486 | Anomaly | Rhysida Ransomware, Crypto Stealer, Clop Ransomware, LockBit Ransomware, Termite Ransomware, BlackByte Ransomware, Medusa Ransomware, Snake Keylogger, NailaoLocker Ransomware, Hellcat Ransomware, Interlock Ransomware | 2026-05-13
Windows DiskCryptor Usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1486 | Hunting | Ransomware | 2026-05-13
Windows Service Stop By Deletion | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1489 | Hunting | Crypto Stealer, Graceful Wipe Out Attack, Azorult | 2026-05-13
Windows WMIC Shadowcopy Delete | Sysmon EventID 1 | T1490 | Anomaly | Suspicious WMI Use, Volt Typhoon, Cactus Ransomware | 2026-05-13
Ryuk Test Files Detected | Sysmon EventID 11 | T1486 | TTP | Ryuk Ransomware | 2026-05-13
Linux Stop Services | Sysmon for Linux EventID 1 | T1489 | TTP | Data Destruction, AwfulShred, Industroyer2 | 2026-05-13
Detect Web Access to Decommissioned S3 Bucket | AWS Cloudfront | T1485 | Anomaly | Data Destruction, AWS S3 Bucket Security Monitoring | 2026-05-13
ESXi Bulk VM Termination | VMWare ESXi Syslog | T1499, T1529, T1673 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13
Cisco ASA - User Account Deleted From Local Database | Cisco ASA Logs | T1070.008, T1531 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13
Ollama Abnormal Service Crash Availability Attack | Ollama Server | T1489 | Anomaly | Suspicious Ollama Activities | 2026-05-13
Ollama Possible Memory Exhaustion Resource Abuse | Ollama Server | T1499 | Anomaly | Suspicious Ollama Activities | 2026-05-13
Ollama Excessive API Requests | Ollama Server | T1498 | Anomaly | Suspicious Ollama Activities | 2026-05-13
ASL AWS Disable Bucket Versioning | ASL AWS CloudTrail | T1490 | Anomaly | Suspicious AWS S3 Activities, Data Exfiltration | 2026-05-13
ASL AWS Detect Users creating keys with encrypt policy without MFA | ASL AWS CloudTrail | T1486 | TTP | Ransomware Cloud | 2026-05-13
GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13
AWS Bedrock Delete Knowledge Base | AWS CloudTrail DeleteKnowledgeBase | T1485 | TTP | AWS Bedrock Security | 2026-05-13
AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | T1486 | Anomaly | Ransomware Cloud | 2026-05-13
O365 Email Send Attachments Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Office 365 Account Takeover, Suspicious Emails | 2026-05-13
GitHub Enterprise Repository Deleted | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13
AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | T1490 | Anomaly | Suspicious AWS S3 Activities, Data Exfiltration | 2026-05-13
AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail PutKeyPolicy, AWS CloudTrail CreateKey | T1486 | TTP | Ransomware Cloud | 2026-05-13
Microsoft Intune Bulk Wipe | Azure Monitor Activity | T1561.001 | TTP | Azure Active Directory Account Takeover | 2026-05-13
O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | TTP | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13
O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13
O365 Email Hard Delete Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Suspicious Emails | 2026-05-13
Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13
AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13
O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13
ASL AWS Defense Evasion PutBucketLifecycle | ASL AWS CloudTrail | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13
GitHub Organizations Repository Deleted | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13
GitHub Enterprise Remove Organization | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity | 2026-05-13
GitHub Enterprise Repository Archived | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13
O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13
Detect DNS Query to Decommissioned S3 Bucket | Sysmon EventID 22 | T1485 | Anomaly | Data Destruction, AWS S3 Bucket Security Monitoring | 2026-05-13
Detect ARP Poisoning | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse | Cisco Secure Firewall Threat Defense Intrusion Event | T1190, T1210, T1499 | TTP | Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13
Detect Rogue DHCP Server | Cisco IOS Logs | T1200, T1498, T1557 | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13
Detect Port Security Violation | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13
Large Volume of DNS ANY Queries |  | T1498.002 | Anomaly | DNS Amplification Attacks | 2026-05-13
Detect Traffic Mirroring | Cisco IOS Logs | T1020.001, T1200, T1498 | TTP | Router and Infrastructure Security | 2026-05-13
Detect IPv6 Network Infrastructure Threats | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Scattered Lapsus$ Hunters, Router and Infrastructure Security | 2026-05-13