|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
T1548
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Windows AD add Self to Group
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Medusa Ransomware, Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Potato Privilege Escalation Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Windows Rasautou DLL Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055.001
T1218
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host, Hellcat Ransomware
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Compromised Linux Host, Scheduled Tasks, Gomir, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, AwfulShred
|
2026-05-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
VIP Keylogger, Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
T1547.006
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
T1014
T1068
|
Hunting
|
CISA AA22-320A, Windows Drivers, AgentTesla, BlackByte Ransomware
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
T1134.004
T1543
|
Anomaly
|
WhisperGate, Axios Supply Chain Post Compromise, XWorm, VIP Keylogger, NjRAT, MuddyWater, FIN7, Data Destruction, 0bj3ctivity Stealer, Remcos, Unusual Processes, ShrinkLocker
|
2026-05-13
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Process Injection into Commonly Abused Processes
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
SAP NetWeaver Exploitation, BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Remote Assistance Spawning Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Unusual Processes, Compromised Windows Host
|
2026-05-13
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Process With NamedPipe CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1059.003
T1543.003
|
TTP
|
Compromised Windows Host, Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware
|
2026-05-13
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
Azorult, APT37 Rustonotto and FadeStealer, Medusa Ransomware, Living Off The Land, Scattered Spider, CISA AA24-241A, Crypto Stealer, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Quasar RAT, Ryuk Ransomware, XWorm, Ransomware, China-Nexus Threat Activity, Windows Persistence Techniques, Scheduled Tasks, MoonPeak, NetSupport RMM Tool Abuse, DarkCrystal RAT, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Data Destruction, Malicious PowerShell, Ransomware, Hermetic Wiper
|
2026-05-13
|
|
WSReset UAC Bypass
|
Sysmon EventID 13, Sysmon EventID 12
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, MoonPeak, Living Off The Land
|
2026-05-13
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
T1068
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon, Data Destruction, CISA AA22-277A, Storm-0501 Ransomware, Prestige Ransomware, Active Directory Lateral Movement, Industroyer2, Gozi Malware
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
XWorm, China-Nexus Threat Activity, Salt Typhoon, Earth Alux, APT29 Diplomatic Deceptions with WINELOADER, Derusbi
|
2026-05-13
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Child Processes of Spoolsv exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
Data Destruction, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Trickbot Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1055
|
TTP
|
Trickbot, Hellcat Ransomware
|
2026-05-13
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Interlock Ransomware
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Compromised Linux Host, Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Compromised Windows Host, XWorm, Castle RAT, AsyncRAT, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Quasar RAT, NetSupport RMM Tool Abuse, CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
T1053.005
|
TTP
|
Compromised Windows Host, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement, CISA AA23-347A
|
2026-05-13
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
China-Nexus Threat Activity, Scheduled Tasks, Gomir, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Compromised Windows Host, Scheduled Tasks, Active Directory Lateral Movement, Quasar RAT, Prestige Ransomware, Living Off The Land, Phemedrone Stealer, NOBELIUM Group, RedLine Stealer
|
2026-05-13
|
|
Cisco Isovalent - Shell Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Gomir, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
SLUI Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Linux Docker Root Directory Mount
|
Sysmon for Linux EventID 1
|
T1611
|
TTP
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows AD Object Owner Updated
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Services Escalate Exe
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548
|
TTP
|
Compromised Windows Host, Graceful Wipe Out Attack, Cobalt Strike, BlackByte Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1053.003
|
Hunting
|
Compromised Linux Host, Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land
|
2026-05-13
|
|
Windows AppCertDLL Modification Via Command Line
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.009
|
Anomaly
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 808, Windows Event Log Printservice 4909
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scattered Spider, Scheduled Tasks
|
2026-05-13
|
|
Windows System File on Disk
|
Sysmon EventID 11
|
T1068
|
Hunting
|
CISA AA22-264A, Windows Drivers, Crypto Stealer
|
2026-05-13
|
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
Hunting
|
Windows Drivers, Void Manticore, BlackByte Ransomware
|
2026-05-13
|
|
Linux Telnet Authentication Bypass
|
Sysmon for Linux EventID 1
|
T1548
|
TTP
|
Telnetd CVE-2026-24061
|
2026-05-13
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Path, Linux Auditd Cwd
|
T1548.003
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Service Creation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
SnappyBee, China-Nexus Threat Activity, Salt Typhoon, Active Directory Lateral Movement, CISA AA23-347A
|
2026-05-13
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Sdclt UAC Bypass
|
Sysmon EventID 13, Sysmon EventID 12
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows COM Hijacking InprocServer32 Modification
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.015
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos
|
2026-05-13
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Driver Inventory
|
|
T1068
|
Hunting
|
Windows Drivers
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
SystemBC, Windows Error Reporting Service Elevation of Privilege Vulnerability, Compromised Windows Host, Ransomware, Winter Vivern, China-Nexus Threat Activity, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, Salt Typhoon, 0bj3ctivity Stealer, CISA AA22-257A, Ryuk Ransomware, Medusa Ransomware
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
Winter Vivern, Scheduled Tasks, Malicious Inno Setup Loader, MoonPeak, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
Notepad with no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Active Directory Privilege Escalation Identified
|
|
T1484
|
Correlation
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Compromised Linux Host, Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Gomir, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, AwfulShred
|
2026-05-13
|
|
NET Profiler UAC bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, CISA AA23-347A, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows Default Group Policy Object Modified with GPME
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-05-13
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Water Gamayun, ValleyRAT
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Ransomware, Seashell Blizzard, APT37 Rustonotto and FadeStealer, Windows Persistence Techniques, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Ryuk Ransomware
|
2026-05-13
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
T1218.014
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
T1548.003
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Eventvwr UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, ValleyRAT, Windows Registry Abuse, IcedID, Living Off The Land
|
2026-05-13
|
|
Windows AD GPO Deleted
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
|
Anomaly
|
Backdoor Pingpong, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2026-05-13
|
|
Windows Suspicious Process File Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1543
|
TTP
|
SystemBC, Qakbot, AsyncRAT, AgentTesla, SesameOp, Volt Typhoon, Lokibot, Data Destruction, Interlock Rat, Trickbot, Industroyer2, Azorult, Phemedrone Stealer, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Brute Ratel C4, Axios Supply Chain Post Compromise, SnappyBee, Meduza Stealer, Void Manticore, StealC Stealer, LockBit Ransomware, Remcos, Hermetic Wiper, BlackByte Ransomware, PlugX, NailaoLocker Ransomware, WhisperGate, Rhysida Ransomware, Chaos Ransomware, Salt Typhoon, ValleyRAT, Malicious Inno Setup Loader, Amadey, Quasar RAT, DarkGate Malware, RedLine Stealer, XWorm, Graceful Wipe Out Attack, China-Nexus Threat Activity, Handala Wiper, Warzone RAT, XMRig, PromptLock, Castle RAT, Earth Alux, Swift Slicer, VIP Keylogger, MoonPeak, Double Zero Destructor, Prestige Ransomware, IcedID, DarkCrystal RAT, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
T1548
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Winhlp32 Spawning a Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Remcos, Compromised Windows Host
|
2026-05-13
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Compromised Windows Host, Graceful Wipe Out Attack, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Local LLM Framework Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, Castle RAT, Living Off The Land
|
2026-05-13
|
|
Windows Process Execution in Temp Dir
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1543
|
Anomaly
|
Qakbot, Axios Supply Chain Post Compromise, XWorm, Ransomware, NjRAT, AgentTesla, PathWiper, PromptLock, SesameOp, Remcos, Trickbot, Ryuk Ransomware, Gh0st RAT, Lokibot
|
2026-05-13
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
T1548.001
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Remote Create Service
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
Anomaly
|
BlackSuit Ransomware, CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
PathWiper, Brute Ratel C4
|
2026-05-13
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Active Directory Lateral Movement, Volt Typhoon, Data Destruction, CISA AA22-277A, Prestige Ransomware, Industroyer2
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Windows Persistence Techniques, Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1098.004
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Change File Association Command To Notepad
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection From Process With No Args
|
Cisco Network Visibility Module Flow Data
|
T1055
T1218
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Compromised Windows Host, Graceful Wipe Out Attack, Volt Typhoon, Data Destruction, CISA AA22-277A, Storm-0501 Ransomware, Prestige Ransomware, Active Directory Lateral Movement, Industroyer2, Gozi Malware
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Windows Persistence Techniques, Scheduled Tasks, Ransomware
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
MacOS LoginHook Persistence
|
Osquery Results
|
T1037.002
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1068
|
TTP
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Service Create Kernel Mode Driver
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
T1543.003
|
TTP
|
CISA AA22-320A, Windows Drivers
|
2026-05-13
|
|
Windows Remote Image Load
|
Sysmon EventID 7
|
T1059
T1068
T1129
T1203
|
Anomaly
|
LockBit Ransomware, Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Brute Ratel C4, DarkSide Ransomware, Graceful Wipe Out Attack, APT37 Rustonotto and FadeStealer, Cobalt Strike, LockBit Ransomware, Remote Monitoring and Management Software, Trickbot, Tuoni, Meterpreter, BlackByte Ransomware, Gozi Malware, Hellcat Ransomware
|
2026-05-13
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Compromised Linux Host, Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, XorDDos
|
2026-05-13
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
T1548.001
|
Hunting
|
Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Auditd Copy Fail Privilege Escalation
|
Linux Auditd Syscall
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Cisco Isovalent Suspicious Activity, Scheduled Tasks, Gomir, Data Destruction, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Industroyer2, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Windows Persistence Techniques, Scheduled Tasks, Living Off The Land
|
2026-05-13
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Data Destruction, Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053
|
Anomaly
|
Qakbot, XMRig, Scheduled Tasks, Data Destruction, CISA AA22-257A, Industroyer2, Medusa Ransomware
|
2026-05-13
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
T1548.001
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Data Destruction, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Sysmon EventID 11, Windows Event Log Security 4688, Sysmon EventID 1
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Compromised Windows Host, Black Basta Ransomware
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos
|
2026-05-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
SystemBC, Qakbot, Braodo Stealer, AsyncRAT, Lokibot, Windows Registry Abuse, Azorult, BlackSuit Ransomware, Axios Supply Chain Post Compromise, SnappyBee, APT37 Rustonotto and FadeStealer, Remcos, BlackByte Ransomware, Derusbi, Sneaky Active Directory Persistence Tricks, NjRAT, Chaos Ransomware, MuddyWater, Salt Typhoon, Emotet Malware DHS Report TA18-201A, ValleyRAT, Cactus Ransomware, Amadey, Quasar RAT, Suspicious Windows Registry Activities, DarkGate Malware, Snake Keylogger, WinDealer RAT, RedLine Stealer, Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, China-Nexus Threat Activity, XWorm, Warzone RAT, DHS Report TA18-074A, Suspicious MSHTA Activity, Windows Persistence Techniques, Castle RAT, MoonPeak, 0bj3ctivity Stealer, IcedID, Gh0st RAT, NetSupport RMM Tool Abuse, DarkCrystal RAT, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Windows Persistence Techniques, Windows Registry Abuse, Data Destruction, Windows Privilege Escalation, Prestige Ransomware, Hermetic Wiper
|
2026-05-13
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path, Linux Auditd Cwd
|
T1546.004
|
TTP
|
Compromised Linux Host, QuietVault, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Ransomware, APT37 Rustonotto and FadeStealer, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, 0bj3ctivity Stealer, Ryuk Ransomware
|
2026-05-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
CISA AA22-320A, XMRig, Crypto Stealer
|
2026-05-13
|
|
Cisco NVM - Non-Network Binary Making Network Connection
|
Cisco Network Visibility Module Flow Data
|
T1036
T1055
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Interlock Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation Attempt Via MSI Rollback
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, AgentTesla, Windows Registry Abuse, Remcos, Azorult, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows DISM Install PowerShell Web Access
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1548.002
|
TTP
|
CISA AA24-241A
|
2026-05-13
|
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
T1207
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
Qakbot, Active Directory Lateral Movement, Living Off The Land, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Compromised Linux Host, China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Active Directory Discovery, Compromised Windows Host, Scheduled Tasks, Malicious Inno Setup Loader, Data Destruction, Cactus Ransomware, CISA AA22-257A, Industroyer2, Hellcat Ransomware
|
2026-05-13
|
|
Suspicious DLLHost no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, XorDDos
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
Qakbot, Warzone RAT, IcedID
|
2026-05-13
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows ComputerDefaults Spawning a Process
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
BlankGrabber Stealer, Castle RAT
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Data Destruction, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1547.005
|
Anomaly
|
Sneaky Active Directory Persistence Tricks, Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-05-13
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Process Injection Wermgr Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
CISA AA24-241A, Scheduled Tasks, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, Hermetic Wiper, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Windows Registry Abuse, Windows Drivers, Ransomware
|
2026-05-13
|
|
Runas Execution in CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1134.001
|
Hunting
|
Data Destruction, Windows Privilege Escalation, Quasar RAT, Hermetic Wiper
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1548.003
|
Anomaly
|
Compromised Linux Host, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
APT37 Rustonotto and FadeStealer, XMRig, AgentTesla, CISA AA22-320A, BlackByte Ransomware, Snake Keylogger, Interlock Ransomware
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Qakbot, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, SolarWinds WHD RCE Post Exploitation, Medusa Ransomware
|
2026-05-13
|
|
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
XWorm, APT37 Rustonotto and FadeStealer, PromptFlux, Crypto Stealer, NjRAT, Chaos Ransomware, Quasar RAT, Gozi Malware, BlankGrabber Stealer, RedLine Stealer, Interlock Ransomware
|
2026-05-13
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Rootkit, Linux Privilege Escalation, XorDDos
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Suspicious WMI Use, Hellcat Ransomware
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Qakbot, Water Gamayun, Graceful Wipe Out Attack, Warzone RAT, Earth Alux
|
2026-05-13
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
FodHelper UAC Bypass
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1112
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host, ValleyRAT, IcedID, BlankGrabber Stealer
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
SystemBC, Compromised Windows Host, AsyncRAT, Data Destruction, CISA AA22-257A, Industroyer2, Winter Vivern, APT37 Rustonotto and FadeStealer, Remcos, Active Directory Lateral Movement, Medusa Ransomware, PlugX, Salt Typhoon, ValleyRAT, Malicious Inno Setup Loader, Quasar RAT, Ryuk Ransomware, XWorm, Ransomware, China-Nexus Threat Activity, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, 0bj3ctivity Stealer, Prestige Ransomware, IcedID, CISA AA23-347A
|
2026-05-13
|
|
MacOS Kextload Usage
|
Osquery Results
|
T1543
|
TTP
|
MacOS Privilege Escalation, MacOS Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Brute Ratel C4, DarkSide Ransomware, Graceful Wipe Out Attack, APT37 Rustonotto and FadeStealer, Cobalt Strike, Storm-0501 Ransomware, LockBit Ransomware, Remote Monitoring and Management Software, Trickbot, Meterpreter, BlackByte Ransomware, Tuoni, Gozi Malware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Brute Ratel C4, Earth Alux
|
2026-05-13
|
|
Cisco Isovalent - Kprobe Spike
|
Cisco Isovalent Process Kprobe
|
T1068
|
Hunting
|
Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
TTP
|
Seashell Blizzard, Scheduled Tasks, Active Directory Lateral Movement, Medusa Ransomware, Living Off The Land
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
Remcos, AsyncRAT
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.011
|
TTP
|
Windows Persistence Techniques, Compromised Windows Host
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Data Destruction, Flax Typhoon, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
Suspicious PlistBuddy Usage via OSquery
|
Osquery Results
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Compromised Windows Host, Winter Vivern, Windows Persistence Techniques, Scheduled Tasks, Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1546.003
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
CISA AA24-241A, Ransomware, Seashell Blizzard, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters, Cactus Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Cisco Isovalent - Late Process Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Compromised Windows Host, Castle RAT, Windows Persistence Techniques, Scheduled Tasks, Trickbot, IcedID, Living Off The Land
|
2026-05-13
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4781, Windows Event Log Security 4768
|
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Windows Registry Abuse, Windows Persistence Techniques, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, Compromised Windows Host, BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
T1222.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1134.004
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
First Time Seen Child Process of Zoom
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1068
|
Anomaly
|
Suspicious Zoom Child Processes
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.005
|
Anomaly
|
Qakbot, AsyncRAT, AgentTesla, Trickbot, CISA AA22-257A, Azorult, Phemedrone Stealer, Winter Vivern, APT37 Rustonotto and FadeStealer, Remcos, Medusa Ransomware, Living Off The Land, Scattered Spider, PlugX, Sandworm Tools, CISA AA24-241A, Rhysida Ransomware, NjRAT, Salt Typhoon, ValleyRAT, SolarWinds WHD RCE Post Exploitation, Amadey, Quasar RAT, NOBELIUM Group, RedLine Stealer, XWorm, DHS Report TA18-074A, China-Nexus Threat Activity, Windows Persistence Techniques, Scheduled Tasks, MoonPeak, 0bj3ctivity Stealer, Prestige Ransomware, NetSupport RMM Tool Abuse, DarkCrystal RAT, CISA AA23-347A, ShrinkLocker, Lokibot
|
2026-05-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
Brute Ratel C4, Meduza Stealer, SnappyBee, AsyncRAT, China-Nexus Threat Activity, PathWiper, Scattered Lapsus$ Hunters, Salt Typhoon, ValleyRAT, Lokibot, Tuoni, Gh0st RAT, Derusbi, DarkGate Malware, WinDealer RAT, PlugX, CISA AA23-347A, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Windows Registry Abuse, Windows Persistence Techniques, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Cobalt Strike, Earth Alux, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
T1053.005
|
Hunting
|
SystemBC, Qakbot, AsyncRAT, Data Destruction, CISA AA22-257A, Industroyer2, BlackSuit Ransomware, Winter Vivern, Remcos, PlugX, Sandworm Tools, CISA AA24-241A, ValleyRAT, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Amadey, Windows Persistence Techniques, Scheduled Tasks, Prestige Ransomware, IcedID, DarkCrystal RAT
|
2026-05-13
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Compromised Windows Host, Graceful Wipe Out Attack, Cobalt Strike, BlackByte Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Compromised Windows Host, Snake Malware
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
T1548
|
TTP
|
Windows Registry Abuse, MoonPeak, Ransomware, Azorult
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
IcedID, DarkSide Ransomware, DHS Report TA18-074A, Sandworm Tools, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, Medusa Ransomware, SamSam Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, CISA AA22-320A, HAFNIUM Group, BlackByte Ransomware, DarkGate Malware
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Cisco Isovalent Suspicious Activity, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
SLUI RunAs Elevated
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Windows Drivers, Void Manticore
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1053.002
|
TTP
|
Living Off The Land, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Bypass UAC via Pkgmgr Tool
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1548.002
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Password Spraying
|
2026-05-13
|
|
SilentCleanup UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, MoonPeak
|
2026-05-13
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
Compromised Linux Host, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Service Create with Tscon
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
T1546.012
|
TTP
|
Windows Registry Abuse, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Cloud Federated Credential Abuse, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
T1547.008
|
TTP
|
Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Spawning Rundll32
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Compromised Windows Host, Black Basta Ransomware
|
2026-05-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
Windows Drivers, AgentTesla, CISA AA22-320A, BlackByte Ransomware, BlackSuit Ransomware
|
2026-05-13
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Hellcat Ransomware, Linux Living Off The Land
|
2026-05-13
|
|
Cisco Isovalent - Potential Escape to Host
|
Cisco Isovalent Process Exec
|
T1611
|
Anomaly
|
Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Hellcat Ransomware, Linux Living Off The Land
|
2026-05-13
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Sc exe Manipulating Windows Services
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1543.003
|
TTP
|
Windows Drivers, Disabling Security Tools, DHS Report TA18-074A, Crypto Stealer, Windows Persistence Techniques, Orangeworm Attack Group, Azorult, Windows Service Abuse, Scattered Spider, NOBELIUM Group
|
2026-05-13
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Microsoft SharePoint Server Elevation of Privilege
|
Suricata
|
T1068
|
Anomaly
|
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta New Device Enrolled on Account
|
Okta
|
T1098.005
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Okta MFA Exhaustion, Okta Account Takeover, Suspicious Okta Activity
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
O365 Cross-Tenant Access Change
|
Office 365 Universal Audit Log
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Service Principal Privilege Escalation
|
O365 Add app role assignment grant to user.
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
T1484.002
|
TTP
|
Azure Active Directory Persistence, Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Hellcat Ransomware
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Privileged Role Assigned
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
T1098.002
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Privileged Role Assigned To Service Principal
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
T1098
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
O365 Service Principal New Client Credentials
|
O365
|
T1098.001
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
T1098.003
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
T1098.005
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
T1098
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
T1098.002
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Assigned
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
T1098.001
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Application Available To Other Tenants
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Account Takeover, Data Exfiltration
|
2026-05-13
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Storm-0501 Ransomware, Scattered Lapsus$ Hunters, NOBELIUM Group
|
2026-05-13
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
T1098.005
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, NOBELIUM Group
|
2026-05-13
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
T1098.002
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group, Office 365 Collection Techniques
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
T1098
|
TTP
|
Azure Active Directory Persistence, Hellcat Ransomware
|
2026-05-13
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
T1021.007
T1072
T1484
T1685
T1686
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Update user, Azure Active Directory Reset password (by admin), Azure Active Directory Enable account
|
T1098
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms, NOBELIUM Group
|
2026-05-13
|
|
O365 Elevated Mailbox Permission Assigned
|
O365 Add-MailboxPermission
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Granted
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1098
T1505.003
T1685
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
