Privilege Escalation Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk User Enumeration Attempt | Splunk | T1078 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | T1548 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Windows AD add Self to Group | Windows Event Log Security 4728 | T1098 | TTP | Sneaky Active Directory Persistence Tricks, Medusa Ransomware, Active Directory Privilege Escalation | 2026-06-01 |
| Windows Potato Privilege Escalation Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Windows Privilege Escalation | 2026-05-13 |
| Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055.001, T1218 | TTP | Windows Defense Evasion Tactics, Hellcat Ransomware, Compromised Windows Host | 2026-05-13 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | T1053.006 | Anomaly | Scheduled Tasks, AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Logon Script Event Trigger Execution | Sysmon EventID 13 | T1037.001 | TTP | Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, VIP Keylogger | 2026-05-13 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | T1547.006 | TTP | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | T1548.003 | Hunting | Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Linux RPM Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | T1543 | TTP | Compromised Windows Host, Clop Ransomware | 2026-05-13 |
| Spoolsv Writing a DLL - Sysmon | Sysmon EventID 11 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Linux Possible Access Or Modification Of sshd Config File | Sysmon for Linux EventID 1 | T1098.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows DnsAdmins New Member Added | Windows Event Log Security 4732 | T1098 | TTP | Active Directory Privilege Escalation | 2026-05-13 |
| Windows Drivers Loaded by Signature | Sysmon EventID 6 | T1014, T1068 | Hunting | CISA AA22-320A, Windows Drivers, AgentTesla, BlackByte Ransomware | 2026-05-13 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078, T1135 | Anomaly | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Windows Entra User Management Via Azure CLI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1078.004, T1098, T1136 | Anomaly | Azure Active Directory Persistence | 2026-05-13 |
| Wscript Or Cscript Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055, T1134.004, T1543 | Anomaly | 0bj3ctivity Stealer, Remcos, Axios Supply Chain Post Compromise, Data Destruction, NjRAT, XWorm, WhisperGate, FIN7, ShrinkLocker, Unusual Processes, MuddyWater, VIP Keylogger | 2026-05-13 |
| Print Spooler Adding A Printer Driver | Windows Event Log Printservice 316 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Windows Process Injection into Commonly Abused Processes | Sysmon EventID 10 | T1055.002 | Anomaly | Earth Alux, SAP NetWeaver Exploitation, BishopFox Sliver Adversary Emulation Framework, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Unusual Processes, Compromised Windows Host | 2026-05-13 |
| Windows AD SID History Attribute Modified | Windows Event Log Security 5136 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Windows Defense Evasion Tactics | 2026-05-13 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003, T1543.003 | TTP | Graceful Wipe Out Attack, BlackByte Ransomware, Compromised Windows Host, Cobalt Strike | 2026-05-13 |
| Linux PHP Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Suspicious Scheduled Task from Public Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | Anomaly | Scheduled Tasks, Windows Persistence Techniques, China-Nexus Threat Activity, Salt Typhoon, DarkCrystal RAT, MoonPeak, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Azorult, Quasar RAT, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, APT37 Rustonotto and FadeStealer, Scattered Spider, Medusa Ransomware, CISA AA23-347A, CISA AA24-241A, Ryuk Ransomware, Crypto Stealer, Ransomware, Lokibot | 2026-05-13 |
| Powershell Execute COM Object | Powershell Script Block Logging 4104 | T1059.001, T1546.015 | TTP | Hermetic Wiper, Malicious PowerShell, Ransomware, Data Destruction | 2026-05-13 |
| WSReset UAC Bypass | Sysmon EventID 13, Sysmon EventID 12 | T1548.002 | TTP | Living Off The Land, Windows Defense Evasion Tactics, Windows Registry Abuse, MoonPeak | 2026-05-13 |
| Linux Doas Tool Execution | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Spoolsv Suspicious Process Access | Sysmon EventID 10 | T1068 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Windows Azure PowerShell Module Installation Via PowerShell Script | Powershell Script Block Logging 4104 | T1021.007, T1069.003, T1078, T1098, T1136.003 | Anomaly | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Suspicious Child Process of TieringEngineService.exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Windows Privilege Escalation, RedSun | 2026-05-01 |
| Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | T1547, T1574.001 | Anomaly | Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, Salt Typhoon, APT29 Diplomatic Deceptions with WINELOADER | 2026-05-13 |
| Linux Possible Append Command To Profile Config File | Sysmon for Linux EventID 1 | T1546.004 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Cisco Isovalent - Cron Job Creation | Cisco Isovalent Process Exec | T1053.003, T1053.007 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Hermetic Wiper, Data Destruction, Windows Privilege Escalation | 2026-05-13 |
| Trickbot Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1055 | TTP | Trickbot, Hellcat Ransomware | 2026-05-13 |
| Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AD Short Lived Domain Account ServicePrincipalName | Windows Event Log Security 5136 | T1098 | TTP | Interlock Ransomware, Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | T1053.002 | Anomaly | Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Scheduled Task with Highest Privileges | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Scheduled Tasks, Quasar RAT, NetSupport RMM Tool Abuse, XWorm, RedLine Stealer, CISA AA23-347A, AsyncRAT, SolarWinds WHD RCE Post Exploitation, Compromised Windows Host, Castle RAT | 2026-05-13 |
| Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | T1053.005 | TTP | Scheduled Tasks, Active Directory Lateral Movement, CISA AA23-347A, Compromised Windows Host, CISA AA22-257A | 2026-05-13 |
| Windows AD Cross Domain SID History Addition | Windows Event Log Security 4742, Windows Event Log Security 4738 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host | 2026-05-13 |
| Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Compatibility Telemetry Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005, T1546 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | T1053.006 | Anomaly | Scheduled Tasks, Gomir, China-Nexus Threat Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Admon Default Group Policy Object Modified | Windows Active Directory Admon | T1484.001 | TTP | Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation | 2026-05-13 |
| Schtasks scheduling job on remote system | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Scheduled Tasks, NOBELIUM Group, Active Directory Lateral Movement, Quasar RAT, Living Off The Land, Prestige Ransomware, RedLine Stealer, Phemedrone Stealer, Compromised Windows Host | 2026-05-13 |
| Cisco Isovalent - Shell Execution | Cisco Isovalent Process Exec | T1543 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Insider Threat, Credential Dumping | 2026-05-13 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| SLUI Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | TTP | Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host | 2026-05-13 |
| Linux Docker Root Directory Mount | Sysmon for Linux EventID 1 | T1611 | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AD Object Owner Updated | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Services Escalate Exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548 | TTP | Cobalt Strike, Graceful Wipe Out Attack, CISA AA23-347A, Compromised Windows Host, BlackByte Ransomware | 2026-05-13 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Cwd, Linux Auditd Path | T1053.003 | Hunting | Scheduled Tasks, XorDDos, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AppCertDLL Modification Via Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.009 | Anomaly | Windows Privilege Escalation, Windows Persistence Techniques | 2026-05-13 |
| Print Spooler Failed to Load a Plug-in | Windows Event Log Printservice 808, Windows Event Log Printservice 4909 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | T1053.005, T1059.001 | Anomaly | Scattered Spider, Scheduled Tasks | 2026-05-13 |
| Windows System File on Disk | Sysmon EventID 11 | T1068 | Hunting | Windows Drivers, CISA AA22-264A, Crypto Stealer | 2026-05-13 |
| Windows AD Domain Root ACL Deletion | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Vulnerable Driver Loaded | Sysmon EventID 6 | T1543.003 | Hunting | Windows Drivers, Void Manticore, BlackByte Ransomware | 2026-05-13 |
| Linux Telnet Authentication Bypass | Sysmon for Linux EventID 1 | T1548 | TTP | Telnetd CVE-2026-24061 | 2026-05-13 |
| Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Suspicious Burst of Password Changes | Windows Event Log Security 4723, Windows Event Log Security 4724 | T1068 | TTP | BlueHammer, Windows Privilege Escalation | 2026-04-29 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Cwd, Linux Auditd Path | T1548.003 | TTP | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| Windows Service Creation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | Active Directory Lateral Movement, China-Nexus Threat Activity, SnappyBee, CISA AA23-347A, Salt Typhoon | 2026-05-13 |
| Linux OpenVPN Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Sdclt UAC Bypass | Sysmon EventID 13, Sysmon EventID 12 | T1548.002 | TTP | Windows Registry Abuse, Windows Defense Evasion Tactics | 2026-05-13 |
| Linux Suspicious Namespace Creation | Sysmon for Linux EventID 1, Linux Auditd Syscall | T1068 | TTP | Linux Privilege Escalation | 2026-05-12 |
| Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement | 2026-05-13 |
| Windows COM Hijacking InprocServer32 Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.015 | TTP | Living Off The Land, Compromised Windows Host | 2026-05-13 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | T1053.002 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Node Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Driver Inventory | | T1068 | Hunting | Windows Drivers | 2026-05-13 |
| WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | T1053.005 | TTP | 0bj3ctivity Stealer, Scheduled Tasks, Winter Vivern, Windows Persistence Techniques, Windows Error Reporting Service Elevation of Privilege Vulnerability, Castle RAT, China-Nexus Threat Activity, Salt Typhoon, Compromised Windows Host, Ryuk Ransomware, CISA AA22-257A, Ransomware, Medusa Ransomware, SystemBC | 2026-05-13 |
| Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | Anomaly | Scheduled Tasks, CISA AA23-347A, Malicious Inno Setup Loader, MoonPeak, Winter Vivern, Lokibot | 2026-05-13 |
| Notepad with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | BishopFox Sliver Adversary Emulation Framework | 2026-05-13 |
| Active Directory Privilege Escalation Identified | | T1484 | Correlation | Active Directory Privilege Escalation | 2026-05-13 |
| Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | T1098, T1685 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows AD Self DACL Assignment | Windows Event Log Security 5136 | T1098, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Level RMM Watchdog Task Created | Windows Event Log Security 4698 | T1053, T1219 | Anomaly | Remote Monitoring and Management Software | 2026-05-13 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | T1053.003 | Anomaly | Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| NET Profiler UAC bypass | Sysmon EventID 13 | T1548.002 | TTP | Windows Defense Evasion Tactics | 2026-05-13 |
| Disable UAC Remote Restriction | Sysmon EventID 13 | T1548.002 | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Suspicious Windows Registry Activities | 2026-05-13 |
| Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | T1053 | TTP | ValleyRAT | 2026-05-13 |
| Windows Default Group Policy Object Modified with GPME | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1484.001 | TTP | Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation | 2026-05-13 |
| Windows AD Dangerous User ACL Modification | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows AD DSRM Account Changes | Sysmon EventID 13 | T1098 | TTP | Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters, Windows Persistence Techniques | 2026-05-13 |
| Linux Install Kernel Module Using Modprobe Utility | Sysmon for Linux EventID 1 | T1547.006 | Anomaly | China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr | Windows Event Log Security 4698 | T1053 | TTP | Water Gamayun, ValleyRAT | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Event Triggered Image File Execution Options Injection | Windows Event Log Application 3000 | T1546.012 | Hunting | Windows Persistence Techniques | 2026-05-13 |
| Windows AD Domain Replication ACL Addition | Windows Event Log Security 5136 | T1484 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host | 2026-05-13 |
| Windows Scheduled Task with Suspicious Command | Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702 | T1053.005 | TTP | Scheduled Tasks, Windows Persistence Techniques, Quasar RAT, SolarWinds WHD RCE Post Exploitation, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard | 2026-05-13 |
| UAC Bypass MMC Load Unsigned Dll | Sysmon EventID 7 | T1218.014, T1548.002 | TTP | Windows Defense Evasion Tactics | 2026-05-13 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | T1098, T1685 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | T1548.003 | Anomaly | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| Linux Csvtool Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Detect Baron Samedit CVE-2021-3156 Segfault | | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2026-05-13 |
| Eventvwr UAC Bypass | Sysmon EventID 13 | T1548.002 | TTP | Living Off The Land, ValleyRAT, Windows Registry Abuse, Windows Defense Evasion Tactics, IcedID | 2026-05-13 |
| Windows Suspicious Defender Engine or Signature Files Created | Sysmon EventID 11 | T1068 | Anomaly | BlueHammer, Windows Privilege Escalation | 2026-04-27 |
| Windows AD GPO Deleted | Windows Event Log Security 5136 | T1484.001, T1685 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux File Creation In Init Boot Directory | Sysmon for Linux EventID 11 | T1037.004 | Anomaly | Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Suspicious Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.005, T1543 | TTP | Remcos, Water Gamayun, RoguePlanet, NailaoLocker Ransomware, Earth Alux, Prestige Ransomware, Axios Supply Chain Post Compromise, Double Zero Destructor, WhisperGate, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Warzone RAT, DarkCrystal RAT, Phemedrone Stealer, MoonPeak, Rhysida Ransomware, Hermetic Wiper, Volt Typhoon, Brute Ratel C4, Castle RAT, SesameOp, LockBit Ransomware, SystemBC, AgentTesla, Meduza Stealer, RedLine Stealer, Malicious Inno Setup Loader, GhostRedirector IIS Module and Rungan Backdoor, PlugX, IcedID, Azorult, Handala Wiper, Industroyer2, PromptLock, Quasar RAT, XWorm, Qakbot, SnappyBee, AsyncRAT, Interlock Rat, Chaos Ransomware, StealC Stealer, Interlock Ransomware, BlackByte Ransomware, Amadey, XMRig, Data Destruction, Void Manticore, Swift Slicer, CISA AA23-347A, Graceful Wipe Out Attack, Trickbot, DarkGate Malware, VIP Keylogger, Lokibot | 2026-06-11 |
| Linux Persistence and Privilege Escalation Risk Behavior | | T1548 | Correlation | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Print Processor Registry Autostart | Sysmon EventID 13 | T1547.012 | TTP | Hermetic Wiper, Data Destruction, Windows Privilege Escalation, Windows Persistence Techniques | 2026-05-13 |
| Linux Octave Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Remcos, Compromised Windows Host | 2026-05-13 |
| SearchProtocolHost with no Command Line with Network | Sysmon EventID 1, Sysmon EventID 3 | T1055 | TTP | Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, BlackByte Ransomware | 2026-05-13 |
| Windows Local LLM Framework Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543 | Hunting | Suspicious Local LLM Frameworks | 2026-05-13 |
| Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | T1078.002 | TTP | sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks | 2026-05-13 |
| Linux Emacs Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AD Dangerous Group ACL Modification | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows UAC Bypass Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | TTP | Living Off The Land, Windows Defense Evasion Tactics, Castle RAT | 2026-05-13 |
| Windows Process Execution in Temp Dir | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.005, T1543 | Anomaly | Remcos, AgentTesla, PromptLock, RoguePlanet, Gh0st RAT, Axios Supply Chain Post Compromise, NjRAT, XWorm, Qakbot, SesameOp, Salat Stealer, Trickbot, PathWiper, Ryuk Ransomware, Ransomware, Lokibot | 2026-06-08 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | T1548.001 | TTP | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| Windows Remote Create Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | Anomaly | CISA AA23-347A, Active Directory Lateral Movement, BlackSuit Ransomware | 2026-05-13 |
| Windows Guest Account Enabled Via Net.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1078.001 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Sysmon EventID 10 | T1134.001 | Anomaly | Brute Ratel C4, PathWiper | 2026-05-13 |
| Linux Make Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1069, T1078.002 | TTP | Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware | 2026-05-13 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Graceful Wipe Out Attack, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2026-05-13 |
| Windows AD Same Domain SID History Addition | Windows Event Log Security 4742, Windows Event Log Security 4738 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques | 2026-05-13 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Cwd, Linux Auditd Path | T1098.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Windows Change File Association Command To Notepad | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.001 | TTP | Prestige Ransomware, Compromised Windows Host | 2026-05-13 |
| Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | T1078, T1098 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Windows Suspicious Defender Update Activity in INetCache | Sysmon EventID 23, Sysmon EventID 11 | T1068, T1105 | Anomaly | BlueHammer, Windows Persistence Techniques | 2026-04-27 |
| Cisco NVM - Suspicious Network Connection From Process With No Args | Cisco Network Visibility Module Flow Data | T1055, T1218 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Linux Find Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Registry Delete Task SD | Sysmon EventID 12 | T1053.005, T1685 | Anomaly | Windows Registry Abuse, Scheduled Tasks, Windows Persistence Techniques | 2026-05-13 |
| Windows Bluetooth Service Installed From Uncommon Location | Windows Event Log System 7045 | T1036, T1543.003 | Anomaly | Lotus Blossom Chrysalis Backdoor | 2026-05-13 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Scheduled Tasks, Ransomware, Windows Persistence Techniques | 2026-05-13 |
| Windows Compatibility Telemetry Tampering Through Registry | Sysmon EventID 13 | T1053.005, T1546 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Rundll32 Create Remote Thread To A Process | Sysmon EventID 8 | T1055 | TTP | Living Off The Land, IcedID | 2026-05-13 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | T1548.003 | Anomaly | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| MacOS LoginHook Persistence | Osquery Results | T1037.002 | TTP | MacOS Post-Exploitation | 2026-05-13 |
| Linux pkexec Privilege Escalation | Sysmon for Linux EventID 1 | T1068 | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Service Create Kernel Mode Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068, T1543.003 | TTP | CISA AA22-320A, Windows Drivers | 2026-05-13 |
| Windows Remote Image Load | Sysmon EventID 7 | T1059, T1068, T1129, T1203 | Anomaly | Ransomware, BlackByte Ransomware, LockBit Ransomware | 2026-05-13 |
| Windows Suspicious Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1021.002, T1055, T1559 | TTP | DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware | 2026-05-13 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | T1547.006 | Anomaly | XorDDos, Linux Rootkit, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | T1548.001 | Hunting | Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Copy Fail Privilege Escalation | Linux Auditd Syscall | T1068 | TTP | Linux Privilege Escalation | 2026-05-13 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | T1053.005 | Hunting | 0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement | 2026-05-13 |
| Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | T1548.003 | Anomaly | Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Industroyer2, Data Destruction, Gomir, Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows VSSVC Process Accessing Defender Engine | Sysmon EventID 10 | T1068 | TTP | Windows Privilege Escalation, RedSun | 2026-05-01 |
| Windows Scheduled Task Created in a Group Policy Object | Windows Event Log Security 5145 | T1053.005, T1484.001 | TTP | Living Off The Land, Scheduled Tasks, Windows Persistence Techniques | 2026-05-13 |
| LLM Model File Creation | Sysmon EventID 11 | T1543 | Hunting | Suspicious Local LLM Frameworks | 2026-05-13 |
| Windows Process Injection into Notepad | Sysmon EventID 10 | T1055.002 | Anomaly | Earth Alux, BishopFox Sliver Adversary Emulation Framework, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | T1055, T1059.001 | TTP | Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware | 2026-05-13 |
| Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053 | Anomaly | Scheduled Tasks, Industroyer2, Data Destruction, Qakbot, CISA AA22-257A, Medusa Ransomware, XMRig | 2026-05-13 |
| Shim Database File Creation | Sysmon EventID 11 | T1546.011 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Linux Puppet Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Windows Service Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | CISA AA23-347A, Active Directory Lateral Movement | 2026-05-13 |
| Time Provider Persistence Registry | Sysmon EventID 13 | T1547.003 | TTP | Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse | 2026-05-13 |
| Spoolsv Writing a DLL | Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 | T1547.012 | TTP | Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 13 | T1053.005 | Anomaly | Scheduled Tasks, Active Directory Lateral Movement | 2026-05-13 |
| Windows List ENV Variables Via SET Command From Uncommon Parent | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Qakbot | 2026-05-13 |
| Windows AD Hidden OU Creation | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Registry Keys Used For Persistence | Sysmon EventID 13 | T1547.001 | TTP | 0bj3ctivity Stealer, Remcos, Windows Persistence Techniques, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Derusbi, Salt Typhoon, Warzone RAT, DarkCrystal RAT, ValleyRAT, MoonPeak, Snake Keylogger, Windows Registry Abuse, DHS Report TA18-074A, Castle RAT, SystemBC, Suspicious MSHTA Activity, RedLine Stealer, WinDealer RAT, Sneaky Active Directory Persistence Tricks, Suspicious Windows Registry Activities, Cactus Ransomware, MuddyWater, Azorult, IcedID, Quasar RAT, Gh0st RAT, Braodo Stealer, NetSupport RMM Tool Abuse, XWorm, Qakbot, NjRAT, SnappyBee, AsyncRAT, Salat Stealer, Chaos Ransomware, APT37 Rustonotto and FadeStealer, Interlock Ransomware, BlackByte Ransomware, Amadey, Emotet Malware DHS Report TA18-201A, CISA AA23-347A, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, DarkGate Malware, BlackSuit Ransomware, Lokibot | 2026-06-08 |
Windows New Default File Association Value Set Sysmon EventID 13 T1546.001 Hunting Windows Persistence Techniques, Prestige Ransomware, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse 2026-05-13
Linux Auditd Unix Shell Configuration Modification Linux Auditd Cwd, Linux Auditd Path T1546.004 TTP Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Scheduled Task with Suspicious Name Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702 T1053.005 TTP 0bj3ctivity Stealer, Scheduled Tasks, Windows Persistence Techniques, Castle RAT, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware 2026-05-13
Suspicious GPUpdate no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware, Cobalt Strike 2026-05-13
Windows AD Privileged Account SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
XMRIG Driver Loaded Sysmon EventID 6 T1543.003 TTP XMRig, CISA AA22-320A, Crypto Stealer 2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection Cisco Network Visibility Module Flow Data T1036 T1055 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows AD ServicePrincipalName Added To Domain Account Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Privilege Escalation Attempt Via MSI Rollback CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1068 TTP Windows Privilege Escalation 2026-05-13
Linux Auditd Kernel Module Using Rmmod Utility Linux Auditd Syscall T1547.006 TTP Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Disabling Remote User Account Control Sysmon EventID 13 T1548.002 TTP Remcos, AgentTesla, Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult 2026-05-13
Windows DISM Install PowerShell Web Access Sysmon EventID 1, Windows Event Log Security 4688 T1548.002 TTP CISA AA24-241A 2026-05-13
Windows AD DCShadow Privileges ACL Addition Windows Event Log Security 5136 T1207 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD GPO Disabled Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Services LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1543.003 TTP Active Directory Lateral Movement, Living Off The Land, Hellcat Ransomware, Qakbot, CISA AA23-347A 2026-05-13
Linux Auditd Install Kernel Module Using Modprobe Utility Linux Auditd Syscall T1547.006 Anomaly China-Nexus Threat Activity, Linux Rootkit, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Linux AWK Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Linux File Created In Kernel Driver Directory Sysmon for Linux EventID 11 T1547.006 Anomaly Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Hidden Schedule Task Settings Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Industroyer2, Data Destruction, Hellcat Ransomware, Active Directory Discovery, Malicious Inno Setup Loader, Compromised Windows Host, Cactus Ransomware, CISA AA22-257A 2026-05-13
Linux Binary Launched Process with Null Argv Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-12
Suspicious DLLHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware, Cobalt Strike 2026-05-13
Linux File Creation In Profile Directory Sysmon for Linux EventID 11 T1546.004 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Linux Add Files In Known Crontab Directories Sysmon for Linux EventID 11 T1053.003 Anomaly Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Create Remote Thread In Shell Application Sysmon EventID 8 T1055 TTP Warzone RAT, Qakbot, IcedID 2026-05-13
Linux GNU Awk Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Windows NorthStar C2 Agent Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1547.001 T1608 TTP Compromised Windows Host 2026-05-13
Windows ComputerDefaults Spawning a Process Sysmon EventID 1 T1548.002 TTP Castle RAT, BlankGrabber Stealer 2026-05-13
Screensaver Event Trigger Execution Sysmon EventID 13 T1546.002 TTP Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse 2026-05-13
Windows Security Support Provider Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1547.005 Anomaly Prestige Ransomware, Windows Post-Exploitation, Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Registry BootExecute Modification Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2026-05-13
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 T1055 TTP Trickbot 2026-05-13
Windows MsMpEng Writing to System32 Sysmon EventID 15, Sysmon EventID 11 T1068 T1543.003 TTP BlueHammer, Windows Drivers, Windows Privilege Escalation, RedSun 2026-04-27
Linux Ruby Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Linux PF_ALG Registration Outside of Boot Window Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-11
Windows AD Domain Root ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Process Injection Wermgr Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 Anomaly Windows Error Reporting Service Elevation of Privilege Vulnerability, Qakbot 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, CISA AA24-241A, Hermetic Wiper 2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware 2026-05-13
Active Setup Registry Autostart Sysmon EventID 13 T1547.014 TTP Hermetic Wiper, Data Destruction, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Windows Registry Modification for Safe Mode Persistence Sysmon EventID 13 T1547.001 TTP Windows Registry Abuse, Windows Drivers, Ransomware 2026-05-13
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1134.001 Hunting Quasar RAT, Hermetic Wiper, Data Destruction, Windows Privilege Escalation 2026-05-13
Windows UAC Bypass Suspicious Escalation Behavior Sysmon EventID 1 T1548.002 TTP Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host 2026-05-13
WMI Permanent Event Subscription - Sysmon Sysmon EventID 21 T1546.003 TTP Suspicious WMI Use 2026-05-13
Linux Auditd Possible Access To Sudoers File Linux Auditd Cwd, Linux Auditd Path T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Suspicious Driver Loaded Path Sysmon EventID 6 T1543.003 TTP AgentTesla, APT37 Rustonotto and FadeStealer, Snake Keylogger, Interlock Ransomware, CISA AA22-320A, BlackByte Ransomware, XMRig 2026-05-13
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Scheduled Tasks, Windows Persistence Techniques, Qakbot, SolarWinds WHD RCE Post Exploitation, Castle RAT, Medusa Ransomware 2026-05-13
Cisco Isovalent - Nsenter Usage in Kubernetes Pod Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows Group Policy Object Created Windows Event Log Security 5137, Windows Event Log Security 5136 T1078.002 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Admon Group Policy Object Created Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows AD Privileged Group Modification Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Privilege Escalation System Process Without System Parent Sysmon EventID 1 T1068 T1134 T1548 TTP Windows Privilege Escalation, BlackSuit Ransomware 2026-05-13
Windows Service Create RemComSvc Windows Event Log System 7045 T1543.003 Anomaly Active Directory Discovery 2026-05-13
Windows KrbRelayUp Service Creation Windows Event Log System 7045 T1543.003 TTP Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2026-05-13
Windows Process Injection In Non-Service SearchIndexer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Qakbot 2026-05-13
Windows Boot or Logon Autostart Execution In Startup Folder Sysmon EventID 11 T1547.001 Anomaly PromptFlux, BlankGrabber Stealer, Quasar RAT, APT37 Rustonotto and FadeStealer, XWorm, Gozi Malware, NjRAT, RedLine Stealer, Chaos Ransomware, Crypto Stealer, Interlock Ransomware 2026-05-13
Linux Gem Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Linux c89 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Linux Insert Kernel Module Using Insmod Utility Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques, XorDDos 2026-05-13
Suspicious PlistBuddy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1543.001 TTP Silver Sparrow 2026-05-13
Detect WMI Event Subscription Persistence Sysmon EventID 20 T1546.003 TTP Hellcat Ransomware, Suspicious WMI Use 2026-05-13
Windows Process Injection Remote Thread Sysmon EventID 8 T1055.002 TTP Water Gamayun, Earth Alux, Qakbot, Graceful Wipe Out Attack, Warzone RAT 2026-05-13
Windows Process Injection Of Wermgr to Known Browser Sysmon EventID 8 T1055.001 TTP Qakbot 2026-05-13
Windows Multiple Accounts Disabled Windows Event Log Security 4725 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows Privilege Escalation Suspicious Process Elevation Sysmon EventID 1 T1068 T1134 T1548 TTP GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware 2026-05-13
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1112 T1548.002 TTP BlankGrabber Stealer, ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, IcedID 2026-05-13
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 T1053.005 TTP 0bj3ctivity Stealer, Scheduled Tasks, Remcos, Active Directory Lateral Movement, Windows Persistence Techniques, Prestige Ransomware, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Compromised Windows Host, CISA AA22-257A, Castle RAT, SystemBC, Malicious Inno Setup Loader, IcedID, PlugX, Industroyer2, Quasar RAT, XWorm, AsyncRAT, APT37 Rustonotto and FadeStealer, Winter Vivern, Medusa Ransomware, Data Destruction, CISA AA23-347A, Ryuk Ransomware, Ransomware 2026-05-13
MacOS Kextload Usage Osquery Results T1543 TTP MacOS Privilege Escalation, MacOS Persistence Techniques 2026-05-13
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 T1059 TTP Windows Persistence Techniques 2026-05-13
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 Hunting Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement, Active Directory Kerberos Attacks 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware 2026-05-13
Windows Process Injection With Public Source Path Sysmon EventID 8 T1055.002 Hunting Earth Alux, Brute Ratel C4 2026-05-13
Cisco Isovalent - Kprobe Spike Cisco Isovalent Process Kprobe T1068 Hunting Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Admin Password Changed by Non-Admin Windows Event Log Security 4723 T1068 T1543.003 TTP BlueHammer, Windows Privilege Escalation 2026-04-27
Short Lived Windows Accounts Windows Event Log System 4720, Windows Event Log System 4726 T1078.003 T1136.001 TTP GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement 2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process Sysmon EventID 23 T1068 T1218.007 TTP Windows Privilege Escalation 2026-05-13
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 TTP Scheduled Tasks, Active Directory Lateral Movement, Living Off The Land, Medusa Ransomware, Seashell Blizzard 2026-05-13
PowerShell PInvoke Process Injection API Chain Powershell Script Block Logging 4104 T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620 TTP VIP Keylogger 2026-05-13
Loading Of Dynwrapx Module Sysmon EventID 7 T1055.001 TTP AsyncRAT, Remcos 2026-05-13
Shim Database Installation With Suspicious Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1546.011 TTP Compromised Windows Host, Windows Persistence Techniques 2026-05-13
Overwriting Accessibility Binaries Sysmon EventID 11 T1546.008 TTP Hermetic Wiper, Flax Typhoon, Data Destruction, Windows Privilege Escalation 2026-05-13
Suspicious PlistBuddy Usage via OSquery Osquery Results T1543.001 TTP Silver Sparrow 2026-05-13
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Windows Persistence Techniques, Living Off The Land, Hellcat Ransomware, Compromised Windows Host, Winter Vivern 2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 T1134.001 Hunting Brute Ratel C4 2026-05-13
Windows MOF Event Triggered Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1546.003 TTP Living Off The Land, Compromised Windows Host 2026-05-13
Windows RMM Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard 2026-05-13
Suspicious Computer Account Name Change Windows Event Log Security 4781 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Compromised Windows Host 2026-05-13
Cisco Isovalent - Late Process Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Windows Persistence Techniques, Living Off The Land, Trickbot, Compromised Windows Host, Castle RAT, IcedID 2026-05-13
Windows AD Dangerous Deny ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Malicious PowerShell 2026-05-13
Linux APT Privilege Escalation Sysmon for Linux EventID 1, Cisco Isovalent Process Exec T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4781, Windows Event Log Security 4768 T1078.002 Hunting sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks 2026-05-13
Monitor Registry Keys for Print Monitors Sysmon EventID 13 T1547.010 TTP Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques 2026-05-13
Windows Cloud Files Filter Loaded by Uncommon Process Sysmon EventID 7 T1543.003 Anomaly BlueHammer, RedSun 2026-05-18
Linux At Allow Config File Creation Sysmon for Linux EventID 11 T1053.003 Anomaly Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Windows Privilege Escalation User Process Spawn System Process Sysmon EventID 1 T1068 T1134 T1548 TTP GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, Compromised Windows Host, BlackSuit Ransomware 2026-05-13
Windows AD DSRM Password Reset Windows Event Log Security 4794 T1098 TTP Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Windows AD GPO New CSE Addition Windows Event Log Security 5136 T1222.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Detect Excessive Account Lockouts From Endpoint T1078.002 Anomaly Active Directory Password Spraying 2026-05-13
Linux GDB Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1134.004 TTP Windows Defense Evasion Tactics, Compromised Windows Host 2026-05-13
Windows PowerShell MSIX Package Installation Powershell Script Block Logging 4104 T1059.001 T1547.001 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
First Time Seen Child Process of Zoom CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1068 Anomaly Suspicious Zoom Child Processes 2026-05-13
Scheduled Task Deleted Or Created via CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.005 Anomaly 0bj3ctivity Stealer, Scheduled Tasks, Remcos, Windows Persistence Techniques, Prestige Ransomware, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, DarkCrystal RAT, Phemedrone Stealer, MoonPeak, Rhysida Ransomware, DHS Report TA18-074A, CISA AA22-257A, Sandworm Tools, AgentTesla, RedLine Stealer, SolarWinds WHD RCE Post Exploitation, Azorult, PlugX, NOBELIUM Group, Quasar RAT, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, Qakbot, NjRAT, AsyncRAT, APT37 Rustonotto and FadeStealer, Scattered Spider, Winter Vivern, Medusa Ransomware, Amadey, CISA AA23-347A, CISA AA24-241A, Trickbot, ShrinkLocker, Lokibot 2026-05-13
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 T1134.002 Anomaly China-Nexus Threat Activity, Derusbi, Salt Typhoon, ValleyRAT, Brute Ratel C4, Tuoni, Meduza Stealer, WinDealer RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, PlugX, Gh0st RAT, Salat Stealer, SnappyBee, AsyncRAT, Scattered Lapsus$ Hunters, CISA AA23-347A, DarkGate Malware, Lokibot 2026-06-08
Registry Keys for Creating SHIM Databases Sysmon EventID 13 T1546.011 TTP Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques 2026-05-13
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 T1078 Hunting Active Directory Privilege Escalation, Active Directory Lateral Movement 2026-05-13
DLLHost with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Storm-2460 CLFS Zero Day Exploitation, Cobalt Strike, Earth Alux, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware 2026-05-13
Windows Non-System Process Querying Definition Update Sysmon EventID 22 T1068 T1071.001 Anomaly BlueHammer, Windows Privilege Escalation, RedSun 2026-04-27
Randomly Generated Windows Service Name Windows Event Log System 7045 T1543.003 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2026-05-13
Windows Default Group Policy Object Modified Windows Event Log Security 5136 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200 T1053.005 Hunting Scheduled Tasks, Remcos, Windows Persistence Techniques, Prestige Ransomware, ValleyRAT, DarkCrystal RAT, CISA AA22-257A, Sandworm Tools, SystemBC, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, IcedID, PlugX, Industroyer2, Qakbot, AsyncRAT, Winter Vivern, Amadey, Data Destruction, CISA AA24-241A, BlackSuit Ransomware 2026-05-13
Linux Sqlite3 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
GPUpdate with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Spoolsv Suspicious Loaded Modules Sysmon EventID 7 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Snake Malware Service Create Windows Event Log System 7045 T1547.006 T1569.002 TTP Snake Malware, Compromised Windows Host 2026-05-13
Windows Snake Malware Kernel Driver Comadmin Sysmon EventID 11 T1547.006 TTP Snake Malware 2026-05-13
Allow Operation with Consent Admin Sysmon EventID 13 T1548 TTP Windows Registry Abuse, Ransomware, MoonPeak, Azorult 2026-05-13
Windows PUA Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly HAFNIUM Group, Seashell Blizzard, Active Directory Lateral Movement, DarkSide Ransomware, Volt Typhoon, Sandworm Tools, Medusa Ransomware, SamSam Ransomware, Cactus Ransomware, Rhysida Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, DarkGate Malware, BlackByte Ransomware, IcedID 2026-05-13
Windows Mock Trusted Directory MSC File Creation Sysmon EventID 11 T1218.014 T1548.002 T1574 TTP Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Linux At Application Execution Sysmon for Linux EventID 1 T1053.002 Anomaly Scheduled Tasks, Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1548.002 TTP Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host 2026-05-13
Windows Vulnerable Driver Installed Windows Event Log System 7045 T1543.003 TTP Windows Drivers, Void Manticore 2026-05-13
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1053.002 TTP 0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows Bypass UAC via Pkgmgr Tool CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1548.002 Anomaly Warzone RAT 2026-05-13
Windows Audit Policy Auditing Option Modified - Registry Sysmon EventID 13 T1547.014 Anomaly Windows Audit Policy Tampering 2026-05-13
Linux Malformed Auth Entry Linux Secure T1068 Anomaly Linux Privilege Escalation 2026-05-06
Detect Excessive User Account Lockouts T1078.003 Anomaly Active Directory Password Spraying, Scattered Lapsus$ Hunters 2026-05-13
SilentCleanup UAC Bypass Sysmon EventID 13 T1548.002 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, MoonPeak 2026-05-13
Linux Auditd Nopasswd Entry In Sudoers File Linux Auditd Proctitle T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Linux Setuid Using Setcap Utility Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1543.003 T1563.002 TTP Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Compromised Windows Host 2026-05-13
Registry Keys Used For Privilege Escalation Sysmon EventID 13 T1546.012 TTP Data Destruction, Windows Privilege Escalation, Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Cloud Federated Credential Abuse 2026-05-13
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 T1055 TTP Living Off The Land, IcedID 2026-05-13
Windows AD AdminSDHolder ACL Modified Windows Event Log Security 5136 T1546 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Autostart Execution LSASS Driver Registry Modification Sysmon EventID 13 T1547.008 TTP Windows Registry Abuse 2026-05-13
Spoolsv Spawning Rundll32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries Sysmon EventID 10 T1134.001 Anomaly Castle RAT 2026-05-13
Windows Driver Load Non-Standard Path Windows Event Log System 7045 T1014 T1068 TTP AgentTesla, Windows Drivers, CISA AA22-320A, BlackByte Ransomware, BlackSuit Ransomware 2026-05-13
Linux c99 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Linux SSH Authorized Keys Modification Sysmon for Linux EventID 1 T1098.004 Anomaly Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
Cisco Isovalent - Potential Escape to Host Cisco Isovalent Process Exec T1611 Anomaly Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Cloud Files Filter Log Created by Non-System Process Sysmon EventID 11 T1068 TTP Windows Privilege Escalation, RedSun 2026-05-01
Linux Possible Ssh Key File Creation Sysmon for Linux EventID 11 T1098.004 Anomaly Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Linux MySQL Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat T1068 T1133 T1190 T1210 TTP VMware Aria Operations vRealize CVE-2023-20887 2026-05-13
Microsoft SharePoint Server Elevation of Privilege Suricata T1068 Anomaly Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 2026-05-13
Cisco IOS XE Guestshell Activation and Destroy Cisco IOS Logs T1059 T1611 Anomaly Salt Typhoon 2026-05-20
ESXi Shared or Stolen Root Account VMWare ESXi Syslog T1078 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Cisco ASA - New Local User Account Created Cisco ASA Logs T1078.003 T1136.001 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID New MFA Method Registered For User PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Cisco ASA - User Privilege Level Change Cisco ASA Logs T1078.003 T1098 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
M365 Copilot Application Usage Pattern Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta New API Token Created Okta T1078.001 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Zoom High Video Latency T1078 Anomaly Remote Employment Fraud 2026-05-13
Okta Phishing Detection with FastPass Origin Check Okta T1078.001 T1556 TTP Okta Account Takeover 2026-05-13
ESXi External Root Login Activity VMWare ESXi Syslog T1078 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Okta New Device Enrolled on Account Okta T1098.005 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
PingID Multiple Failed MFA Requests For User PingID T1078 T1110 T1621 TTP Compromised User Account 2026-05-13
ESXi Account Modified VMWare ESXi Syslog T1078 T1098 T1136.001 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
ESXi User Granted Admin Role VMWare ESXi Syslog T1078 T1098 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Okta Suspicious Activity Reported Okta T1078.001 TTP Okta Account Takeover 2026-05-13
PingID New MFA Method After Credential Reset PingID T1098.005 T1556.006 T1621 TTP Scattered Lapsus$ Hunters, Compromised User Account 2026-05-13
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Suspicious Okta Activity, Okta MFA Exhaustion, Okta Account Takeover 2026-05-13
Cisco IOS XE WebUI Programmatic Configuration Cisco IOS Logs T1078 T1190 Anomaly Salt Typhoon 2026-05-19
Cisco IOS XE WebUI Login From IOSd Local Port Cisco IOS Logs T1078 T1190 TTP Salt Typhoon 2026-05-19
Okta Successful Single Factor Authentication Okta T1078.004 T1586.003 T1621 Anomaly Okta Account Takeover 2026-05-13
M365 Copilot Session Origin Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta Authentication Failed During MFA Challenge Okta T1078.004 T1586.003 T1621 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Okta ThreatInsight Threat Detected Okta T1078.004 Anomaly Okta Account Takeover 2026-05-13
PingID Mismatch Auth Source and Verification Response PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
GCP Successful Single-Factor Authentication Google Workspace T1078.004 T1586.003 TTP Scattered Lapsus$ Hunters, GCP Account Takeover 2026-05-13
ASL AWS IAM Successful Group Deletion ASL AWS CloudTrail T1069.003 T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2026-05-13
O365 Cross-Tenant Access Change Office 365 Universal Audit Log T1484.002 TTP Azure Active Directory Persistence 2026-05-13
GCP Detect gcploit framework T1078 TTP GCP Cross Account Activity 2026-05-13
Kubernetes Cron Job Creation Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2026-05-13
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
O365 Service Principal Privilege Escalation O365 Add app role assignment grant to user. T1098.003 TTP Azure Active Directory Privilege Escalation, Office 365 Account Takeover 2026-05-13
Azure AD Successful PowerShell Authentication Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
Azure AD New Federated Domain Added Azure Active Directory Set domain authentication T1484.002 TTP Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Hellcat Ransomware 2026-05-13
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
O365 Privileged Role Assigned Office 365 Universal Audit Log T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail T1078.004 Anomaly Cloud Cryptomining 2026-05-13
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity T1078.004 TTP Azure Active Directory Account Takeover, NOBELIUM Group 2026-05-13
Azure AD Global Administrator Role Assigned Azure Active Directory Add member to role T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
O365 FullAccessAsApp Permission Assigned O365 Update application. T1098.002 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Azure AD PIM Role Assigned Azure Active Directory T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
Azure AD Tenant Wide Admin Consent Granted Azure Active Directory Consent to application T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2026-05-13
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin T1078.004 T1586.003 TTP AWS Identity and Access Management Account Takeover 2026-05-13
O365 Privileged Role Assigned To Service Principal Office 365 Universal Audit Log T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation 2026-05-13
O365 Application Registration Owner Added O365 Add owner to application. T1098 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
O365 Security And Compliance Alert Triggered T1078.004 TTP Office 365 Account Takeover 2026-05-13
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1078.004 T1586.003 T1621 TTP Scattered Lapsus$ Hunters, GCP Account Takeover 2026-05-13
Azure AD Service Principal Privilege Escalation Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation 2026-05-13
O365 Service Principal New Client Credentials O365 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Mailbox Read Access Granted to Application O365 Update application. T1098.003 T1114.002 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 New MFA Method Registered O365 Update user. T1098.005 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 High Privilege Role Granted O365 Add member to role. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Suspicious Okta Activity, Remote Employment Fraud 2026-05-13
ASL AWS IAM Delete Policy ASL AWS CloudTrail T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Service Principal Owner Added Azure Active Directory Add owner to application T1098 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2026-05-13
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook T1078.004 TTP Azure Active Directory Persistence 2026-05-13
Azure AD PIM Role Assignment Activated Azure Active Directory T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
AWS IAM Delete Policy AWS CloudTrail DeletePolicy T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoginFailed, O365 UserLoggedIn T1078 Anomaly Office 365 Account Takeover 2026-05-13
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2026-05-13
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
Cloud Instance Modified By Previously Unseen User AWS CloudTrail T1078.004 Anomaly Suspicious Cloud Instance Activities 2026-05-13
Azure AD New Custom Domain Added Azure Active Directory Add unverified domain T1484.002 TTP Azure Active Directory Persistence 2026-05-13
AWS IAM Failure Group Deletion AWS CloudTrail DeleteGroup T1098 Anomaly AWS IAM Privilege Escalation 2026-05-13
Azure AD FullAccessAsApp Permission Assigned Azure Active Directory Update application T1098.002 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2026-05-13
Azure AD Successful Single-Factor Authentication Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Mailbox Folder Read Permission Assigned O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Azure AD Service Principal New Client Credentials Azure Active Directory T1098.001 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2026-05-13
ASL AWS Create Policy Version to allow all resources ASL AWS CloudTrail T1078.004 TTP Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation 2026-05-13
Azure AD Application Administrator Role Assigned Azure Active Directory Add member to role T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation 2026-05-13
O365 Application Available To Other Tenants Office 365 Universal Audit Log T1098.003 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2026-05-13
Azure AD Privileged Role Assigned Azure Active Directory Add member to role T1098.003 TTP Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, NOBELIUM Group 2026-05-13
Azure AD New MFA Method Registered Azure Active Directory Update user T1098.005 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail T1078 Anomaly Suspicious Cloud User Activities 2026-05-13
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
AWS Bedrock Invoke Model Access Denied AWS CloudTrail T1078 T1550 TTP AWS Bedrock Security 2026-05-13
Azure AD Privileged Role Assigned to Service Principal Azure Active Directory Add member to role T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group 2026-05-13
O365 ApplicationImpersonation Role Assigned O365 T1098.002 TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2026-05-13
AWS IAM Successful Group Deletion AWS CloudTrail DeleteGroup T1069.003 T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
Azure AD User ImmutableId Attribute Updated Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence, Hellcat Ransomware 2026-05-13
Azure AD Admin Consent Bypassed by Service Principal Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2026-05-13
ASL AWS SAML Update identity provider ASL AWS CloudTrail T1078 TTP Cloud Federated Credential Abuse 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
Azure AD User Enabled And Password Reset Azure Active Directory Reset password (by admin), Azure Active Directory Update user, Azure Active Directory Enable account T1098 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Geographic Improbable Location Okta T1078 Anomaly Remote Employment Fraud 2026-05-13
ASL AWS IAM Failure Group Deletion ASL AWS CloudTrail T1098 Anomaly AWS IAM Privilege Escalation 2026-05-13
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Authentication Failed During MFA Challenge Azure Active Directory T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
GCP Multiple Failed MFA Requests For User Google Workspace T1078.004 T1586.003 T1621 TTP Scattered Lapsus$ Hunters, GCP Account Takeover 2026-05-13
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 Elevated Mailbox Permission Assigned O365 Add-MailboxPermission T1098.002 TTP Office 365 Collection Techniques 2026-05-13
O365 Mailbox Folder Read Permission Granted O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13