| Name | Data Source | MITRE ATT&CK | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk User Enumeration Attempt | Splunk | T1078 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Splunk | T1189 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| PaperCut NG Suspicious Behavior Debug Log | | T1133, T1190 | Hunting | PaperCut MF NG Vulnerability | 2026-05-13 |
| Java Writing JSP File | Sysmon for Linux EventID 1, Sysmon for Linux EventID 11 | T1133, T1190 | TTP | Spring4Shell CVE-2022-22965, SAP NetWeaver Exploitation, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Atlassian Confluence Server and Data Center CVE-2022-26134 | 2026-05-13 |
| Windows TeamCity Payload Execution from Temp Directory | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059, T1190, T1505.003 | TTP | JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE | 2026-05-13 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078, T1135 | Anomaly | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Windows Entra User Management Via Azure CLI | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1078.004, T1098, T1136 | Anomaly | Azure Active Directory Persistence | 2026-05-13 |
| Windows WSUS Spawning Shell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1190, T1505.003 | TTP | Microsoft WSUS CVE-2025-59287 | 2026-05-13 |
| MOVEit Empty Key Fingerprint Authentication Attempt | | T1190 | Hunting | MOVEit Transfer Authentication Bypass, Hellcat Ransomware | 2026-05-13 |
| MS Exchange Mailbox Replication service writing Active Server Pages | Sysmon EventID 11, Sysmon EventID 1 | T1133, T1190, T1505.003 | TTP | Ransomware, ProxyShell, BlackByte Ransomware | 2026-05-13 |
| Windows Azure PowerShell Module Installation Via PowerShell Script | Powershell Script Block Logging 4104 | T1021.007, T1069.003, T1078, T1098, T1136.003 | Anomaly | Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Office Product Spawned Child Process For Download | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | TTP | APT37 Rustonotto and FadeStealer, NjRAT, Spearphishing Attachments, PlugX, CVE-2023-36884 Office and Windows HTML RCE Vulnerability | 2026-05-13 |
| Windows InProcServer32 New Outlook Form | Sysmon EventID 13 | T1112, T1566 | Anomaly | Outlook RCE CVE-2024-21378 | 2026-05-13 |
| Windows Office Product Spawned Rundll32 With No DLL | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | TTP | Compromised Windows Host, Graceful Wipe Out Attack, Crypto Stealer, Prestige Ransomware, Spearphishing Attachments, CVE-2023-36884 Office and Windows HTML RCE Vulnerability | 2026-05-13 |
| Outbound Network Connection from Java Using Default Ports | Sysmon EventID 1, Sysmon EventID 3 | T1133, T1190 | TTP | Log4Shell CVE-2021-44228 | 2026-05-13 |
| Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Credential Dumping, Insider Threat | 2026-05-13 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | T1200 | Anomaly | Data Destruction, AwfulShred, Scattered Lapsus$ Hunters, Compromised Linux Host | 2026-05-13 |
| Windows Office Product Spawned Control | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | TTP | Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments, Compromised Windows Host | 2026-05-13 |
| Windows Office Product Loading VBE7 DLL | Sysmon EventID 7 | T1566.001 | Anomaly | Qakbot, Spearphishing Attachments, NjRAT, AgentTesla, MuddyWater, Azorult, Trickbot, Remcos, IcedID, DarkCrystal RAT, PlugX | 2026-05-13 |
| Windows Office Product Loading Taskschd DLL | Sysmon EventID 7 | T1566.001 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Windows Suspicious React or Next.js Child Process | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001, T1059.003, T1190 | TTP | React2Shell | 2026-05-13 |
| Detect Exchange Web Shell | Sysmon EventID 11 | T1133, T1190, T1505.003 | TTP | Compromised Windows Host, Seashell Blizzard, ProxyNotShell, HAFNIUM Group, CISA AA22-257A, BlackByte Ransomware, ProxyShell, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Windows Event Log Security 4663 | T1190 | TTP | Seashell Blizzard, Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities | 2026-05-13 |
| Windows Shell Process from CrushFTP | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059.001, T1059.003, T1190, T1505 | TTP | CrushFTP Vulnerabilities | 2026-05-13 |
| Detect Outlook exe writing a zip file | Sysmon EventID 11, Sysmon EventID 1 | T1566.001 | Anomaly | Meduza Stealer, APT37 Rustonotto and FadeStealer, PXA Stealer, Amadey, Remcos, Spearphishing Attachments | 2026-05-13 |
| Windows RDPClient Connection Sequence Events | Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 | T1133 | Anomaly | Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Replication Through Removable Media | Sysmon EventID 11 | T1091 | TTP | APT37 Rustonotto and FadeStealer, China-Nexus Threat Activity, NjRAT, Chaos Ransomware, Salt Typhoon, Derusbi, PlugX | 2026-05-13 |
| Process Creating LNK file in Suspicious Location | Sysmon EventID 11 | T1566.002 | Anomaly | Qakbot, APT37 Rustonotto and FadeStealer, Amadey, IcedID, Gozi Malware, Spearphishing Attachments, BlankGrabber Stealer | 2026-05-13 |
| Windows Vulnerable 3CX Software | Sysmon EventID 1 | T1195.002 | TTP | 3CX Supply Chain Attack | 2026-05-13 |
| Windows Defender ASR Audit Events | Windows Event Log Defender 1134, Windows Event Log Defender 1132, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1122 | T1059, T1566.001, T1566.002 | Anomaly | Windows Attack Surface Reduction | 2026-05-13 |
| Windows Shell or Script Execution From IIS Directory | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1190, T1505.004 | Anomaly | ProxyNotShell, ProxyShell | 2026-05-13 |
| Windows Office Product Dropped Cab or Inf File | Sysmon EventID 11, Windows Event Log Security 4688, Sysmon EventID 1 | T1566.001 | TTP | Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | T1078.002 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-05-13 |
| Windows Guest Account Enabled Via Net.EXE | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1078.001 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1069, T1078.002 | TTP | Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware | 2026-05-13 |
| Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | T1078, T1098 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Exchange PowerShell Abuse via SSRF | | T1133, T1190 | TTP | ProxyNotShell, Seashell Blizzard, ProxyShell, BlackByte Ransomware | 2026-05-13 |
| Windows Process Executed From Removable Media | Sysmon EventID 13, Sysmon EventID 1 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Windows Phishing Recent ISO Exec Registry | Sysmon EventID 13 | T1566.001 | Hunting | Qakbot, Brute Ratel C4, IcedID, Warzone RAT, AgentTesla, Remcos, Azorult, Gozi Malware | 2026-05-13 |
| Windows SharePoint Spinstall0 Webshell File Creation | Sysmon EventID 11 | T1190, T1505.003 | TTP | Microsoft SharePoint Vulnerabilities | 2026-05-13 |
| Linux Suspicious React or Next.js Child Process | Sysmon for Linux EventID 1 | T1059.004, T1190 | TTP | React2Shell | 2026-05-13 |
| Log4Shell CVE-2021-44228 Exploitation | | T1059, T1105, T1133, T1190 | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2026-05-13 |
| Web or Application Server Spawning a Shell | Sysmon for Linux EventID 1, Sysmon EventID 1 | T1133, T1190 | TTP | ProxyNotShell, Data Destruction, CISA AA22-257A, Spring4Shell CVE-2022-22965, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, CISA AA22-264A, Cleo File Transfer Software, HAFNIUM Group, Hermetic Wiper, BlackByte Ransomware, Flax Typhoon, ProxyShell, Microsoft SharePoint Vulnerabilities, SAP NetWeaver Exploitation, Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Microsoft WSUS CVE-2025-59287, WS FTP Server Critical Vulnerabilities | 2026-05-13 |
| MOVEit Certificate Store Access Failure | | T1190 | Hunting | MOVEit Transfer Authentication Bypass | 2026-05-13 |
| Windows Office Product Spawned Uncommon Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | TTP | Qakbot, IcedID, Compromised Windows Host, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, NjRAT, AgentTesla, FIN7, Warzone RAT, MuddyWater, DarkCrystal RAT, Remcos, CVE-2023-21716 Word RTF Heap Corruption, Trickbot, Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, PlugX | 2026-05-13 |
| Windows Identify PowerShell Web Access IIS Pool | Windows Event Log Security 4648 | T1190 | Hunting | CISA AA24-241A | 2026-05-13 |
| ConnectWise ScreenConnect Path Traversal | Sysmon EventID 11 | T1190 | TTP | Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities | 2026-05-13 |
| Windows WPDBusEnum Registry Key Modification | Sysmon EventID 13, Sysmon EventID 12 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Windows TeamCity Plugin Installed | Sysmon EventID 11 | T1059, T1190, T1505.003 | Anomaly | JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE | 2026-05-13 |
| GitHub Workflow File Creation or Modification | Sysmon EventID 11, Sysmon for Linux EventID 11 | T1195, T1554, T1574.006 | Hunting | NPM Supply Chain Compromise | 2026-05-13 |
| Windows Group Policy Object Created | Windows Event Log Security 5137, Windows Event Log Security 5136 | T1078.002, T1484.001 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | T1078, T1098 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| WinRM Spawning a Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1190 | TTP | Rhysida Ransomware, Unusual Processes, CISA AA23-347A, Microsoft WSUS CVE-2025-59287 | 2026-05-13 |
| Windows Office Product Spawned MSDT | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | TTP | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments, Compromised Windows Host | 2026-05-13 |
| Windows Office Product Loaded MSHTML Module | Sysmon EventID 7 | T1566.001 | Anomaly | Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, Spearphishing Attachments, CVE-2023-36884 Office and Windows HTML RCE Vulnerability | 2026-05-13 |
| Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | T1078, T1098 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Windows Universal Data Link File Creation | Sysmon EventID 11 | T1204.002, T1566.001 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Windows Defender ASR Block Events | Windows Event Log Defender 1121, Windows Event Log Defender 1133, Windows Event Log Defender 1126, Windows Event Log Defender 1131, Windows Event Log Defender 1129 | T1059, T1566.001, T1566.002 | Anomaly | Windows Attack Surface Reduction | 2026-05-13 |
| Windows Spearphishing Attachment Onenote Spawn Mshta | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | TTP | Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer, AsyncRAT | 2026-05-13 |
| Unusual Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078 | Hunting | Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Hunting 3CXDesktopApp Software | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1195.002 | Hunting | 3CX Supply Chain Attack | 2026-05-13 |
| Short Lived Windows Accounts | Windows Event Log System 4720, Windows Event Log System 4726 | T1078.003, T1136.001 | TTP | GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement | 2026-05-13 |
| Windows CAB File on Disk | Sysmon EventID 11 | T1566.001 | Anomaly | DarkGate Malware, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows PaperCut NG Spawn Shell | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1059, T1133, T1190 | TTP | PaperCut MF NG Vulnerability, Compromised Windows Host | 2026-05-13 |
| Windows Phishing PDF File Executes URL Link | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1566.001 | Anomaly | MuddyWater, Snake Keylogger, Spearphishing Attachments | 2026-05-13 |
| Suspicious Computer Account Name Change | Windows Event Log Security 4781 | T1078.002 | TTP | Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-05-13 |
| Windows USBSTOR Registry Key Modification | Sysmon EventID 13, Sysmon EventID 12 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Suspicious Ticket Granting Ticket Request | Windows Event Log Security 4781, Windows Event Log Security 4768 | T1078.002 | Hunting | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-05-13 |
| Windows Phishing Outlook Drop Dll In FORM Dir | Sysmon EventID 11, Sysmon EventID 1 | T1566 | TTP | Outlook RCE CVE-2024-21378 | 2026-05-13 |
| Windows Metasploit Confluence Plugin Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1190, T1505.003, T1608 | TTP | Confluence Data Center and Confluence Server Vulnerabilities | 2026-05-13 |
| Windows Office Product Dropped Uncommon File | Sysmon EventID 11, Sysmon EventID 1 | T1566.001 | Anomaly | Compromised Windows Host, Warzone RAT, AgentTesla, FIN7, CVE-2023-21716 Word RTF Heap Corruption, PlugX | 2026-05-13 |
| Detect Excessive Account Lockouts From Endpoint | | T1078.002 | Anomaly | Active Directory Password Spraying | 2026-05-13 |
| Linux Hardware Addition SwapOff | Sysmon for Linux EventID 1 | T1200 | Anomaly | Data Destruction, AwfulShred, Scattered Lapsus$ Hunters | 2026-05-13 |
| Unusual Number of Remote Endpoint Authentication Events | Windows Event Log Security 4624 | T1078 | Hunting | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Windows MOVEit Transfer Writing ASPX | Sysmon EventID 11 | T1133, T1190 | TTP | MOVEit Transfer Critical Vulnerability, Hellcat Ransomware | 2026-05-13 |
| Shai-Hulud 2 Exfiltration Artifact Files | Sysmon EventID 11, Sysmon for Linux EventID 11 | T1074.001, T1195.002, T1552.001 | TTP | NPM Supply Chain Compromise | 2026-05-13 |
| Shai-Hulud Workflow File Creation or Modification | Sysmon EventID 11, Sysmon for Linux EventID 11 | T1195, T1554, T1574.006 | TTP | NPM Supply Chain Compromise | 2026-05-13 |
| Living Off The Land Detection | | T1059, T1105, T1133, T1190 | Correlation | Living Off The Land, Hellcat Ransomware | 2026-05-13 |
| Windows ISO LNK File Creation | Sysmon EventID 11 | T1204.001, T1566.001 | Hunting | Qakbot, Brute Ratel C4, APT37 Rustonotto and FadeStealer, Warzone RAT, AgentTesla, Azorult, Amadey, Remcos, IcedID, Gozi Malware, Spearphishing Attachments | 2026-05-13 |
| Detect Excessive User Account Lockouts | | T1078.003 | Anomaly | Scattered Lapsus$ Hunters, Active Directory Password Spraying | 2026-05-13 |
| Windows Unusual File Creation in Confluence Directory | Sysmon EventID 11 | T1190, T1608.001, T1608.002 | Anomaly | Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2026-05-13 |
| Windows Defender ASR Rules Stacking | Windows Event Log Defender 1121, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 5007, Windows Event Log Defender 1131, Windows Event Log Defender 1122, Windows Event Log Defender 1129 | T1059, T1566.001, T1566.002 | Hunting | Windows Attack Surface Reduction | 2026-05-13 |
| Cisco NVM - Webserver Download From File Sharing Website | Cisco Network Visibility Module Flow Data | T1105, T1190 | TTP | Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Ivanti Sentry Authentication Bypass | Suricata | T1190 | TTP | Ivanti Sentry Authentication Bypass CVE-2023-38035 | 2026-05-13 |
| PaperCut NG Remote Web Access Attempt | Suricata | T1133, T1190 | TTP | PaperCut MF NG Vulnerability | 2026-05-13 |
| Hunting for Log4Shell | Nginx Access | T1133, T1190 | Hunting | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2026-05-13 |
| Windows IIS Server PSWA Console Access | Windows IIS | T1190 | Hunting | CISA AA24-241A | 2026-05-13 |
| Zscaler Exploit Threat Blocked | | T1566 | TTP | Zscaler Browser Proxy Threats | 2026-05-13 |
| Zscaler Malware Activity Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| Web Remote ShellServlet Access | Nginx Access | T1190 | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Web Spring4Shell HTTP Request Class Module | Splunk Stream HTTP | T1133, T1190 | TTP | Spring4Shell CVE-2022-22965 | 2026-05-13 |
| Zscaler Behavior Analysis Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| SAP NetWeaver Visual Composer Exploitation Attempt | Suricata | T1190 | Hunting | SAP NetWeaver Exploitation | 2026-05-13 |
| Log4Shell JNDI Payload Injection with Outbound Connection | | T1133, T1190 | Anomaly | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2026-05-13 |
| JetBrains TeamCity Authentication Bypass CVE-2024-27198 | Suricata | T1190 | TTP | JetBrains TeamCity Vulnerabilities | 2026-05-13 |
| Zscaler Phishing Activity Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats, Hellcat Ransomware | 2026-05-13 |
| Tomcat Session Deserialization Attempt | Nginx Access | T1190, T1505.003 | Anomaly | Apache Tomcat Session Deserialization Attacks | 2026-05-13 |
| Zscaler Scam Destinations Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| Cisco IOS XE Implant Access | Suricata | T1190 | TTP | Cisco IOS XE Software Web Management User Interface vulnerability | 2026-05-13 |
| Zscaler Virus Download threat blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| Zscaler Potentially Abused File Download | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| Adobe ColdFusion Access Control Bypass | Suricata | T1190 | Anomaly | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2026-05-13 |
| Juniper Networks Remote Code Execution Exploit Detection | Suricata | T1059, T1105, T1190 | TTP | Juniper JunOS Remote Code Execution | 2026-05-13 |
| Adobe ColdFusion Unauthenticated Arbitrary File Read | Suricata | T1190 | Anomaly | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2026-05-13 |
| Zscaler Employment Search Web Activity | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| HTTP Duplicated Header | Suricata | T1071.001, T1190 | Anomaly | HTTP Request Smuggling | 2026-05-13 |
| Ivanti EPM SQL Injection Remote Code Execution | Suricata | T1190 | TTP | Ivanti EPM Vulnerabilities, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Spring4Shell Payload URL Request | Nginx Access | T1133, T1190, T1505.003 | TTP | Spring4Shell CVE-2022-22965 | 2026-05-13 |
| Ivanti Connect Secure Command Injection Attempts | Suricata | T1190 | TTP | Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A | 2026-05-13 |
| Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Suricata | T1190 | TTP | Confluence Data Center and Confluence Server Vulnerabilities | 2026-05-13 |
| Ivanti Connect Secure SSRF in SAML Component | Suricata | T1190 | TTP | Ivanti Connect Secure VPN Vulnerabilities | 2026-05-13 |
| Supernova Webshell | | T1133, T1505.003 | TTP | Earth Alux, NOBELIUM Group, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Windows Exchange Autodiscover SSRF Abuse | Windows IIS | T1133, T1190 | TTP | ProxyNotShell, Seashell Blizzard, ProxyShell, BlackByte Ransomware | 2026-05-13 |
| JetBrains TeamCity RCE Attempt | Suricata | T1190 | TTP | JetBrains TeamCity Vulnerabilities, CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE | 2026-05-13 |
| ProxyShell ProxyNotShell Behavior Detected | | T1133, T1190 | Correlation | ProxyNotShell, Seashell Blizzard, ProxyShell | 2026-05-13 |
| JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | Suricata | T1190 | TTP | JetBrains TeamCity Vulnerabilities | 2026-05-13 |
| Log4Shell JNDI Payload Injection Attempt | Nginx Access | T1133, T1190 | Anomaly | CISA AA22-320A, Log4Shell CVE-2021-44228, CISA AA22-257A | 2026-05-13 |
| Detect attackers scanning for vulnerable JBoss servers | | T1082, T1133 | TTP | JBoss Vulnerability, SamSam Ransomware | 2026-05-13 |
| Windows SharePoint Spinstall0 GET Request | Suricata | T1190, T1505.003, T1552 | TTP | Microsoft SharePoint Vulnerabilities | 2026-05-13 |
| WS FTP Remote Code Execution | Suricata | T1190 | TTP | WS FTP Server Critical Vulnerabilities | 2026-05-13 |
| Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Suricata | T1190 | TTP | Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A | 2026-05-13 |
| Zscaler Privacy Risk Destinations Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | T1068, T1133, T1190, T1210 | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2026-05-13 |
| Nginx ConnectWise ScreenConnect Authentication Bypass | Nginx Access | T1190 | TTP | Scattered Lapsus$ Hunters, Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities, Hellcat Ransomware | 2026-05-13 |
| Tomcat Session File Upload Attempt | Nginx Access | T1190, T1505.003 | Anomaly | Apache Tomcat Session Deserialization Attacks | 2026-05-13 |
| Detect F5 TMUI RCE CVE-2020-5902 | | T1190 | TTP | F5 TMUI RCE CVE-2020-5902 | 2026-05-13 |
| Fortinet Appliance Auth bypass | Palo Alto Network Threat | T1133, T1190 | TTP | CVE-2022-40684 Fortinet Appliance Auth bypass | 2026-05-13 |
| Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure | Suricata | T1190 | Anomaly | Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 | 2026-05-13 |
| SQL Injection with Long URLs | | T1190 | TTP | SQL Injection, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | Suricata | T1133, T1190 | TTP | Ivanti EPMM Remote Unauthenticated Access | 2026-05-13 |
| Web Spring Cloud Function FunctionRouter | Splunk Stream HTTP | T1133, T1190 | TTP | Spring4Shell CVE-2022-22965 | 2026-05-13 |
| Zscaler CryptoMiner Downloaded Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| Windows SharePoint ToolPane Endpoint Exploitation Attempt | Suricata | T1190, T1505.003 | TTP | Microsoft SharePoint Vulnerabilities | 2026-05-13 |
| HTTP Request to Reserved Name on IIS Server | Suricata | T1071.001, T1190 | TTP | HTTP Request Smuggling | 2026-05-13 |
| Confluence CVE-2023-22515 Trigger Vulnerability | Suricata | T1190 | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2026-05-13 |
| Jenkins Arbitrary File Read CVE-2024-23897 | Nginx Access | T1190 | TTP | Jenkins Server Vulnerabilities, Hellcat Ransomware | 2026-05-13 |
| Citrix ADC Exploitation CVE-2023-3519 | Palo Alto Network Threat | T1190 | Hunting | Citrix Netscaler ADC CVE-2023-3519, CISA AA24-241A | 2026-05-13 |
| Confluence Data Center and Server Privilege Escalation | Nginx Access | T1190 | TTP | Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2026-05-13 |
| Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | Palo Alto Network Threat | T1133, T1190 | TTP | Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware | 2026-05-13 |
| Ivanti Connect Secure System Information Access via Auth Bypass | Suricata | T1190 | Anomaly | Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A | 2026-05-13 |
| Citrix ShareFile Exploitation CVE-2023-24489 | Suricata | T1190 | Hunting | Citrix ShareFile RCE CVE-2023-24489 | 2026-05-13 |
| Java Class File download by Java User Agent | Splunk Stream HTTP | T1190 | TTP | Log4Shell CVE-2021-44228 | 2026-05-13 |
| Exploit Public Facing Application via Apache Commons Text | Nginx Access | T1133, T1190, T1505.003 | Anomaly | Text4Shell CVE-2022-42889 | 2026-05-13 |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Suricata | T1190 | TTP | Scattered Lapsus$ Hunters, Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | 2026-05-13 |
| Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Palo Alto Network Threat | T1133, T1190, T1505 | TTP | Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities | 2026-05-13 |
| CrushFTP Authentication Bypass Exploitation | CrushFTP | T1059.001, T1059.003, T1190 | TTP | CrushFTP Vulnerabilities, Hellcat Ransomware | 2026-05-13 |
| Zscaler Adware Activities Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| HTTP Rapid POST with Mixed Status Codes | Nginx Access | T1071.001, T1190, T1595 | Anomaly | HTTP Request Smuggling | 2026-05-13 |
| Web JSP Request via URL | Nginx Access | T1133, T1190, T1505.003 | TTP | Spring4Shell CVE-2022-22965, Earth Alux | 2026-05-13 |
| ConnectWise ScreenConnect Authentication Bypass | Suricata | T1190 | TTP | Seashell Blizzard, ConnectWise ScreenConnect Vulnerabilities | 2026-05-13 |
| WordPress Bricks Builder plugin RCE | Nginx Access | T1190 | TTP | Hellcat Ransomware, WordPress Vulnerabilities | 2026-05-13 |
| JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Suricata | T1190 | TTP | JetBrains TeamCity Vulnerabilities, Hellcat Ransomware | 2026-05-13 |
| VMware Workspace ONE Freemarker Server-side Template Injection | Palo Alto Network Threat | T1133, T1190 | Anomaly | VMware Server Side Injection and Privilege Escalation | 2026-05-13 |
| Zscaler Legal Liability Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2026-05-13 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | Suricata | T1133, T1190 | TTP | Ivanti EPMM Remote Unauthenticated Access | 2026-05-13 |
| VMware Server Side Template Injection Hunt | Palo Alto Network Threat | T1133, T1190 | Hunting | VMware Server Side Injection and Privilege Escalation | 2026-05-13 |
| ESXi Shared or Stolen Root Account | VMWare ESXi Syslog | T1078 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - New Local User Account Created | Cisco ASA Logs | T1078.003, T1136.001 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco ASA - User Privilege Level Change | Cisco ASA Logs | T1078.003, T1098 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| M365 Copilot Application Usage Pattern Anomalies | M365 Copilot Graph API | T1078 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Okta New API Token Created | Okta | T1078.001 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | T1190 | TTP | Scattered Lapsus$ Hunters, Hellcat Ransomware, Ivanti Virtual Traffic Manager CVE-2024-7593 | 2026-05-13 |
| Zoom High Video Latency | | T1078 | Anomaly | Remote Employment Fraud | 2026-05-13 |
| Okta Phishing Detection with FastPass Origin Check | Okta | T1078.001, T1556 | TTP | Okta Account Takeover | 2026-05-13 |
| ESXi External Root Login Activity | VMWare ESXi Syslog | T1078 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| PingID Multiple Failed MFA Requests For User | PingID | T1078, T1110, T1621 | TTP | Compromised User Account | 2026-05-13 |
| ESXi Account Modified | VMWare ESXi Syslog | T1078, T1098, T1136.001 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi User Granted Admin Role | VMWare ESXi Syslog | T1078, T1098 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Email Attachments With Lots Of Spaces | | T1036.008, T1566.001 | Anomaly | Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A, Hermetic Wiper | 2026-05-13 |
| Ollama Possible RCE via Model Loading | Ollama Server | T1190 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Okta Suspicious Activity Reported | Okta | T1078.001 | TTP | Okta Account Takeover | 2026-05-13 |
| Okta Risk Threshold Exceeded | Okta | T1078, T1110 | Correlation | Okta MFA Exhaustion, Okta Account Takeover, Suspicious Okta Activity | 2026-05-13 |
| Suspicious Java Classes | | T1190 | Anomaly | Apache Struts Vulnerability | 2026-05-13 |
| Ollama Suspicious Prompt Injection Jailbreak | Ollama Server | T1059, T1190 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Suspicious Email Attachment Extensions | | T1566.001 | Anomaly | Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A, Hermetic Wiper | 2026-05-13 |
| CrushFTP Server Side Template Injection | CrushFTP | T1190 | TTP | CrushFTP Vulnerabilities, Hellcat Ransomware | 2026-05-13 |
| Okta Successful Single Factor Authentication | Okta | T1078.004, T1586.003, T1621 | Anomaly | Okta Account Takeover | 2026-05-13 |
| M365 Copilot Session Origin Anomalies | M365 Copilot Graph API | T1078 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Okta Authentication Failed During MFA Challenge | Okta | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta ThreatInsight Threat Detected | Okta | T1078.004 | Anomaly | Okta Account Takeover | 2026-05-13 |
| O365 ZAP Activity Detection | Office 365 Universal Audit Log | T1566.001, T1566.002 | Anomaly | Spearphishing Attachments, Suspicious Emails | 2026-05-13 |
| GCP Successful Single-Factor Authentication | Google Workspace | T1078.004, T1586.003 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | T1078 | TTP | Cloud Federated Credential Abuse | 2026-05-13 |
| GCP Detect gcploit framework | | T1078 | TTP | GCP Cross Account Activity | 2026-05-13 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-05-13 |
| O365 Email Reported By User Found Malicious | Office 365 Universal Audit Log | T1566.001, T1566.002 | TTP | Spearphishing Attachments, Suspicious Emails | 2026-05-13 |
| GitHub Organizations Disable Dependabot | GitHub Organizations Audit Logs | T1195, T1685 | Anomaly | GitHub Malicious Activity | 2026-05-13 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-05-13 |
| Gsuite Suspicious Shared File Name | G Suite Drive | T1566.001 | Anomaly | Dev Sec Ops | 2026-05-13 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | T1078.004 | Anomaly | Cloud Cryptomining | 2026-05-13 |
| GitHub Enterprise Disable IP Allow List | GitHub Enterprise Audit Logs | T1195, T1685 | Anomaly | GitHub Malicious Activity | 2026-05-13 |
| GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | T1078.004 | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2026-05-13 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | T1078.004, T1586.003 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| GitHub Organizations Delete Branch Ruleset | GitHub Organizations Audit Logs | T1195, T1685 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |
| GitHub Enterprise Register Self Hosted Runner | GitHub Enterprise Audit Logs | T1195, T1685 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |

Azure AD Device Code Authentication
|
Azure Active Directory
|
T1528
T1566.002
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Repository Deleted
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
O365 Safe Links Detection
|
Office 365 Universal Audit Log
|
T1566.001
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Gdrive suspicious file sharing
|
|
T1566
|
Hunting
|
Spearphishing Attachments, Scattered Lapsus$ Hunters, Data Exfiltration
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious Email Delivered
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Spearphishing Attachments, Suspicious Emails
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
GitHub Organizations Repository Deleted
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
O365 Email Reported By Admin Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Spearphishing Attachments, Suspicious Emails
|
2026-05-13
|
|
GitHub Enterprise Remove Organization
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Gsuite suspicious calendar invite
|
|
T1566
|
Hunting
|
Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
GitHub Enterprise Repository Archived
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Correlation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco SD-WAN - Peering Activity
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - React Server Components RCE Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Smart Install Oversized Packet Detection
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Smart Install Port Discovery and Status
|
Splunk Stream TCP
|
T1190
|
TTP
|
Scattered Lapsus$ Hunters, Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1190
|
TTP
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco SD-WAN - Low Frequency Rogue Peer
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Anomaly
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Detect Zerologon via Zeek
|
|
T1190
|
TTP
|
Rhysida Ransomware, Black Basta Ransomware, Detect Zerologon Attack
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A
|
2026-05-13
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Scattered Lapsus$ Hunters, Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Suspicious DNS Traffic, Dynamic DNS, DNS Hijacking, Command And Control, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
|
Hunting
|
MuddyWater, Spearphishing Attachments, AsyncRAT
|
2026-05-13
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Scattered Lapsus$ Hunters, Router and Infrastructure Security
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1059
T1190
|
Hunting
|
Cisco Secure Access Analytics, Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|