| Name | Data Source | MITRE ATT&CK Technique(s) | Analytic Type | Analytic Story | Last Updated |
|---|---|---|---|---|---|
| Splunk User Enumeration Attempt | Splunk | T1078 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | T1548 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Windows AD add Self to Group | Windows Event Log Security 4728 | T1098 | TTP | Sneaky Active Directory Persistence Tricks, Medusa Ransomware, Active Directory Privilege Escalation | 2026-06-01 |
| Windows Potato Privilege Escalation Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Windows Privilege Escalation | 2026-05-13 |
| Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055.001, T1218 | TTP | Windows Defense Evasion Tactics, Hellcat Ransomware, Compromised Windows Host | 2026-05-13 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | T1053.006 | Anomaly | Scheduled Tasks, AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Logon Script Event Trigger Execution | Sysmon EventID 13 | T1037.001 | TTP | Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, VIP Keylogger | 2026-05-13 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | T1547.006 | TTP | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | T1548.003 | Hunting | Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Linux RPM Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | T1543 | TTP | Compromised Windows Host, Clop Ransomware | 2026-05-13 |
| Spoolsv Writing a DLL - Sysmon | Sysmon EventID 11 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Linux Possible Access Or Modification Of sshd Config File | Sysmon for Linux EventID 1 | T1098.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows DnsAdmins New Member Added | Windows Event Log Security 4732 | T1098 | TTP | Active Directory Privilege Escalation | 2026-05-13 |
| Windows Drivers Loaded by Signature | Sysmon EventID 6 | T1014, T1068 | Hunting | CISA AA22-320A, Windows Drivers, AgentTesla, BlackByte Ransomware | 2026-05-13 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078, T1135 | Anomaly | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Windows Entra User Management Via Azure CLI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1078.004, T1098, T1136 | Anomaly | Azure Active Directory Persistence | 2026-05-13 |
| Wscript Or Cscript Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055, T1134.004, T1543 | Anomaly | 0bj3ctivity Stealer, Remcos, Axios Supply Chain Post Compromise, Data Destruction, NjRAT, XWorm, WhisperGate, FIN7, ShrinkLocker, Unusual Processes, MuddyWater, VIP Keylogger | 2026-05-13 |
| Print Spooler Adding A Printer Driver | Windows Event Log Printservice 316 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Windows Process Injection into Commonly Abused Processes | Sysmon EventID 10 | T1055.002 | Anomaly | Earth Alux, SAP NetWeaver Exploitation, BishopFox Sliver Adversary Emulation Framework, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Unusual Processes, Compromised Windows Host | 2026-05-13 |
| Windows AD SID History Attribute Modified | Windows Event Log Security 5136 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Windows Defense Evasion Tactics | 2026-05-13 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003, T1543.003 | TTP | Graceful Wipe Out Attack, BlackByte Ransomware, Compromised Windows Host, Cobalt Strike | 2026-05-13 |
| Linux PHP Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Suspicious Scheduled Task from Public Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | Anomaly | Scheduled Tasks, Windows Persistence Techniques, China-Nexus Threat Activity, Salt Typhoon, DarkCrystal RAT, MoonPeak, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, Azorult, Quasar RAT, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, APT37 Rustonotto and FadeStealer, Scattered Spider, Medusa Ransomware, CISA AA23-347A, CISA AA24-241A, Ryuk Ransomware, Crypto Stealer, Ransomware, Lokibot | 2026-05-13 |
| Powershell Execute COM Object | Powershell Script Block Logging 4104 | T1059.001, T1546.015 | TTP | Hermetic Wiper, Malicious PowerShell, Ransomware, Data Destruction | 2026-05-13 |
| WSReset UAC Bypass | Sysmon EventID 13, Sysmon EventID 12 | T1548.002 | TTP | Living Off The Land, Windows Defense Evasion Tactics, Windows Registry Abuse, MoonPeak | 2026-05-13 |
| Linux Doas Tool Execution | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Spoolsv Suspicious Process Access | Sysmon EventID 10 | T1068 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Windows Azure PowerShell Module Installation Via PowerShell Script | Powershell Script Block Logging 4104 | T1021.007, T1069.003, T1078, T1098, T1136.003 | Anomaly | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Suspicious Child Process of TieringEngineService.exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Windows Privilege Escalation, RedSun | 2026-05-01 |
| Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | T1547, T1574.001 | Anomaly | Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, Salt Typhoon, APT29 Diplomatic Deceptions with WINELOADER | 2026-05-13 |
| Linux Possible Append Command To Profile Config File | Sysmon for Linux EventID 1 | T1546.004 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Cisco Isovalent - Cron Job Creation | Cisco Isovalent Process Exec | T1053.003, T1053.007 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | TTP | Hermetic Wiper, Data Destruction, Windows Privilege Escalation | 2026-05-13 |
| Trickbot Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1055 | TTP | Trickbot, Hellcat Ransomware | 2026-05-13 |
| Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AD Short Lived Domain Account ServicePrincipalName | Windows Event Log Security 5136 | T1098 | TTP | Interlock Ransomware, Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | T1053.002 | Anomaly | Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Scheduled Task with Highest Privileges | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Scheduled Tasks, Quasar RAT, NetSupport RMM Tool Abuse, XWorm, RedLine Stealer, CISA AA23-347A, AsyncRAT, SolarWinds WHD RCE Post Exploitation, Compromised Windows Host, Castle RAT | 2026-05-13 |
| Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | T1053.005 | TTP | Scheduled Tasks, Active Directory Lateral Movement, CISA AA23-347A, Compromised Windows Host, CISA AA22-257A | 2026-05-13 |
| Windows AD Cross Domain SID History Addition | Windows Event Log Security 4742, Windows Event Log Security 4738 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host | 2026-05-13 |
| Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Compatibility Telemetry Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005, T1546 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | T1053.006 | Anomaly | Scheduled Tasks, Gomir, China-Nexus Threat Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Admon Default Group Policy Object Modified | Windows Active Directory Admon | T1484.001 | TTP | Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation | 2026-05-13 |
| Schtasks scheduling job on remote system | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Scheduled Tasks, NOBELIUM Group, Active Directory Lateral Movement, Quasar RAT, Living Off The Land, Prestige Ransomware, RedLine Stealer, Phemedrone Stealer, Compromised Windows Host | 2026-05-13 |
| Cisco Isovalent - Shell Execution | Cisco Isovalent Process Exec | T1543 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Insider Threat, Credential Dumping | 2026-05-13 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| SLUI Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | TTP | Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host | 2026-05-13 |
| Linux Docker Root Directory Mount | Sysmon for Linux EventID 1 | T1611 | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AD Object Owner Updated | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Services Escalate Exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548 | TTP | Cobalt Strike, Graceful Wipe Out Attack, CISA AA23-347A, Compromised Windows Host, BlackByte Ransomware | 2026-05-13 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Cwd, Linux Auditd Path | T1053.003 | Hunting | Scheduled Tasks, XorDDos, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AppCertDLL Modification Via Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.009 | Anomaly | Windows Privilege Escalation, Windows Persistence Techniques | 2026-05-13 |
| Print Spooler Failed to Load a Plug-in | Windows Event Log Printservice 808, Windows Event Log Printservice 4909 | T1547.012 | TTP | Black Basta Ransomware, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | T1053.005, T1059.001 | Anomaly | Scattered Spider, Scheduled Tasks | 2026-05-13 |
| Windows System File on Disk | Sysmon EventID 11 | T1068 | Hunting | Windows Drivers, CISA AA22-264A, Crypto Stealer | 2026-05-13 |
| Windows AD Domain Root ACL Deletion | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Vulnerable Driver Loaded | Sysmon EventID 6 | T1543.003 | Hunting | Windows Drivers, Void Manticore, BlackByte Ransomware | 2026-05-13 |
| Linux Telnet Authentication Bypass | Sysmon for Linux EventID 1 | T1548 | TTP | Telnetd CVE-2026-24061 | 2026-05-13 |
| Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Suspicious Burst of Password Changes | Windows Event Log Security 4723, Windows Event Log Security 4724 | T1068 | TTP | BlueHammer, Windows Privilege Escalation | 2026-04-29 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Cwd, Linux Auditd Path | T1548.003 | TTP | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| Windows Service Creation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | TTP | Active Directory Lateral Movement, China-Nexus Threat Activity, SnappyBee, CISA AA23-347A, Salt Typhoon | 2026-05-13 |
| Linux OpenVPN Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Sdclt UAC Bypass | Sysmon EventID 13, Sysmon EventID 12 | T1548.002 | TTP | Windows Registry Abuse, Windows Defense Evasion Tactics | 2026-05-13 |
| Linux Suspicious Namespace Creation | Sysmon for Linux EventID 1, Linux Auditd Syscall | T1068 | TTP | Linux Privilege Escalation | 2026-05-12 |
| Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement | 2026-05-13 |
| Windows COM Hijacking InprocServer32 Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.015 | TTP | Living Off The Land, Compromised Windows Host | 2026-05-13 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | T1053.002 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Node Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Driver Inventory |  | T1068 | Hunting | Windows Drivers | 2026-05-13 |
| WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | T1053.005 | TTP | 0bj3ctivity Stealer, Scheduled Tasks, Winter Vivern, Windows Persistence Techniques, Windows Error Reporting Service Elevation of Privilege Vulnerability, Castle RAT, China-Nexus Threat Activity, Salt Typhoon, Compromised Windows Host, Ryuk Ransomware, CISA AA22-257A, Ransomware, Medusa Ransomware, SystemBC | 2026-05-13 |
| Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | Anomaly | Scheduled Tasks, CISA AA23-347A, Malicious Inno Setup Loader, MoonPeak, Winter Vivern, Lokibot | 2026-05-13 |
| Notepad with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | BishopFox Sliver Adversary Emulation Framework | 2026-05-13 |
| Active Directory Privilege Escalation Identified |  | T1484 | Correlation | Active Directory Privilege Escalation | 2026-05-13 |
| Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | T1098, T1685 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows AD Self DACL Assignment | Windows Event Log Security 5136 | T1098, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Level RMM Watchdog Task Created | Windows Event Log Security 4698 | T1053, T1219 | Anomaly | Remote Monitoring and Management Software | 2026-05-13 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | T1053.003 | Anomaly | Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| NET Profiler UAC bypass | Sysmon EventID 13 | T1548.002 | TTP | Windows Defense Evasion Tactics | 2026-05-13 |
| Disable UAC Remote Restriction | Sysmon EventID 13 | T1548.002 | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Suspicious Windows Registry Activities | 2026-05-13 |
| Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | T1053 | TTP | ValleyRAT | 2026-05-13 |
| Windows Default Group Policy Object Modified with GPME | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1484.001 | TTP | Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation | 2026-05-13 |
| Windows AD Dangerous User ACL Modification | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows AD DSRM Account Changes | Sysmon EventID 13 | T1098 | TTP | Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters, Windows Persistence Techniques | 2026-05-13 |
| Linux Install Kernel Module Using Modprobe Utility | Sysmon for Linux EventID 1 | T1547.006 | Anomaly | China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr | Windows Event Log Security 4698 | T1053 | TTP | Water Gamayun, ValleyRAT | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Event Triggered Image File Execution Options Injection | Windows Event Log Application 3000 | T1546.012 | Hunting | Windows Persistence Techniques | 2026-05-13 |
| Windows AD Domain Replication ACL Addition | Windows Event Log Security 5136 | T1484 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host | 2026-05-13 |
| Windows Scheduled Task with Suspicious Command | Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702 | T1053.005 | TTP | Scheduled Tasks, Windows Persistence Techniques, Quasar RAT, SolarWinds WHD RCE Post Exploitation, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard | 2026-05-13 |
| UAC Bypass MMC Load Unsigned Dll | Sysmon EventID 7 | T1218.014, T1548.002 | TTP | Windows Defense Evasion Tactics | 2026-05-13 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | T1098, T1685 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | T1548.003 | Anomaly | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| Linux Csvtool Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Detect Baron Samedit CVE-2021-3156 Segfault |  | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2026-05-13 |
| Eventvwr UAC Bypass | Sysmon EventID 13 | T1548.002 | TTP | Living Off The Land, ValleyRAT, Windows Registry Abuse, Windows Defense Evasion Tactics, IcedID | 2026-05-13 |
| Windows Suspicious Defender Engine or Signature Files Created | Sysmon EventID 11 | T1068 | Anomaly | BlueHammer, Windows Privilege Escalation | 2026-04-27 |
| Windows AD GPO Deleted | Windows Event Log Security 5136 | T1484.001, T1685 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Linux File Creation In Init Boot Directory | Sysmon for Linux EventID 11 | T1037.004 | Anomaly | Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Suspicious Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.005, T1543 | TTP | Remcos, Water Gamayun, RoguePlanet, NailaoLocker Ransomware, Earth Alux, Prestige Ransomware, Axios Supply Chain Post Compromise, Double Zero Destructor, WhisperGate, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Warzone RAT, DarkCrystal RAT, Phemedrone Stealer, MoonPeak, Rhysida Ransomware, Hermetic Wiper, Volt Typhoon, Brute Ratel C4, Castle RAT, SesameOp, LockBit Ransomware, SystemBC, AgentTesla, Meduza Stealer, RedLine Stealer, Malicious Inno Setup Loader, GhostRedirector IIS Module and Rungan Backdoor, PlugX, IcedID, Azorult, Handala Wiper, Industroyer2, PromptLock, Quasar RAT, XWorm, Qakbot, SnappyBee, AsyncRAT, Interlock Rat, Chaos Ransomware, StealC Stealer, Interlock Ransomware, BlackByte Ransomware, Amadey, XMRig, Data Destruction, Void Manticore, Swift Slicer, CISA AA23-347A, Graceful Wipe Out Attack, Trickbot, DarkGate Malware, VIP Keylogger, Lokibot | 2026-06-11 |
| Linux Persistence and Privilege Escalation Risk Behavior |  | T1548 | Correlation | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Print Processor Registry Autostart | Sysmon EventID 13 | T1547.012 | TTP | Hermetic Wiper, Data Destruction, Windows Privilege Escalation, Windows Persistence Techniques | 2026-05-13 |
| Linux Octave Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Remcos, Compromised Windows Host | 2026-05-13 |
| SearchProtocolHost with no Command Line with Network | Sysmon EventID 1, Sysmon EventID 3 | T1055 | TTP | Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, BlackByte Ransomware | 2026-05-13 |
| Windows Local LLM Framework Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543 | Hunting | Suspicious Local LLM Frameworks | 2026-05-13 |
| Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | T1078.002 | TTP | sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks | 2026-05-13 |
| Linux Emacs Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows AD Dangerous Group ACL Modification | Windows Event Log Security 5136 | T1222.001, T1484 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows UAC Bypass Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | TTP | Living Off The Land, Windows Defense Evasion Tactics, Castle RAT | 2026-05-13 |
| Windows Process Execution in Temp Dir | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.005, T1543 | Anomaly | Remcos, AgentTesla, PromptLock, RoguePlanet, Gh0st RAT, Axios Supply Chain Post Compromise, NjRAT, XWorm, Qakbot, SesameOp, Salat Stealer, Trickbot, PathWiper, Ryuk Ransomware, Ransomware, Lokibot | 2026-06-08 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | T1548.001 | TTP | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| Windows Remote Create Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003 | Anomaly | CISA AA23-347A, Active Directory Lateral Movement, BlackSuit Ransomware | 2026-05-13 |
| Windows Guest Account Enabled Via Net.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1078.001 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Sysmon EventID 10 | T1134.001 | Anomaly | Brute Ratel C4, PathWiper | 2026-05-13 |
| Linux Make Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1069, T1078.002 | TTP | Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware | 2026-05-13 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Graceful Wipe Out Attack, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Detect Baron Samedit CVE-2021-3156 via OSQuery |  | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2026-05-13 |
| Windows AD Same Domain SID History Addition | Windows Event Log Security 4742, Windows Event Log Security 4738 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques | 2026-05-13 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Cwd, Linux Auditd Path | T1098.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Windows Change File Association Command To Notepad | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.001 | TTP | Prestige Ransomware, Compromised Windows Host | 2026-05-13 |
| Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | T1078, T1098 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Windows Suspicious Defender Update Activity in INetCache | Sysmon EventID 23, Sysmon EventID 11 | T1068, T1105 | Anomaly | BlueHammer, Windows Persistence Techniques | 2026-04-27 |
| Cisco NVM - Suspicious Network Connection From Process With No Args | Cisco Network Visibility Module Flow Data | T1055, T1218 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Linux Find Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Registry Delete Task SD | Sysmon EventID 12 | T1053.005, T1685 | Anomaly | Windows Registry Abuse, Scheduled Tasks, Windows Persistence Techniques | 2026-05-13 |
| Windows Bluetooth Service Installed From Uncommon Location | Windows Event Log System 7045 | T1036, T1543.003 | Anomaly | Lotus Blossom Chrysalis Backdoor | 2026-05-13 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.002, T1021.003, T1047, T1543.003 | TTP | Industroyer2, Active Directory Lateral Movement, Prestige Ransomware, Data Destruction, WhisperGate, Gozi Malware, Graceful Wipe Out Attack, Storm-0501 Ransomware, Compromised Windows Host, CISA AA22-277A, Volt Typhoon | 2026-05-13 |
| Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005 | TTP | Scheduled Tasks, Ransomware, Windows Persistence Techniques | 2026-05-13 |
| Windows Compatibility Telemetry Tampering Through Registry | Sysmon EventID 13 | T1053.005, T1546 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Rundll32 Create Remote Thread To A Process | Sysmon EventID 8 | T1055 | TTP | Living Off The Land, IcedID | 2026-05-13 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | T1548.003 | Anomaly | Linux Persistence Techniques, Compromised Linux Host, Linux Privilege Escalation | 2026-05-13 |
| MacOS LoginHook Persistence | Osquery Results | T1037.002 | TTP | MacOS Post-Exploitation | 2026-05-13 |
| Linux pkexec Privilege Escalation | Sysmon for Linux EventID 1 | T1068 | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Windows Service Create Kernel Mode Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068, T1543.003 | TTP | CISA AA22-320A, Windows Drivers | 2026-05-13 |
| Windows Remote Image Load | Sysmon EventID 7 | T1059, T1068, T1129, T1203 | Anomaly | Ransomware, BlackByte Ransomware, LockBit Ransomware | 2026-05-13 |
| Windows Suspicious Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1021.002, T1055, T1559 | TTP | DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware | 2026-05-13 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | T1547.006 | Anomaly | XorDDos, Linux Rootkit, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | T1548.001 | Hunting | Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Salt Typhoon, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Copy Fail Privilege Escalation | Linux Auditd Syscall | T1068 | TTP | Linux Privilege Escalation | 2026-05-13 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | T1053.005 | Hunting | 0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement | 2026-05-13 |
| Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | T1548.003 | Anomaly | Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Industroyer2, Data Destruction, Gomir, Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows VSSVC Process Accessing Defender Engine | Sysmon EventID 10 | T1068 | TTP | Windows Privilege Escalation, RedSun | 2026-05-01 |
| Windows Scheduled Task Created in a Group Policy Object | Windows Event Log Security 5145 | T1053.005, T1484.001 | TTP | Living Off The Land, Scheduled Tasks, Windows Persistence Techniques | 2026-05-13 |
| LLM Model File Creation | Sysmon EventID 11 | T1543 | Hunting | Suspicious Local LLM Frameworks | 2026-05-13 |
| Windows Process Injection into Notepad | Sysmon EventID 10 | T1055.002 | Anomaly | Earth Alux, BishopFox Sliver Adversary Emulation Framework, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | T1055, T1059.001 | TTP | Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware | 2026-05-13 |
| Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053 | Anomaly | Scheduled Tasks, Industroyer2, Data Destruction, Qakbot, CISA AA22-257A, Medusa Ransomware, XMRig | 2026-05-13 |
| Shim Database File Creation | Sysmon EventID 11 | T1546.011 | TTP | Windows Persistence Techniques | 2026-05-13 |
| Linux Puppet Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | T1548.003 |  |  |  |
|
Anomaly
|
Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.012
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
0bj3ctivity Stealer, Remcos, Windows Persistence Techniques, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Derusbi, Salt Typhoon, Warzone RAT, DarkCrystal RAT, ValleyRAT, MoonPeak, Snake Keylogger, Windows Registry Abuse, DHS Report TA18-074A, Castle RAT, SystemBC, Suspicious MSHTA Activity, RedLine Stealer, WinDealer RAT, Sneaky Active Directory Persistence Tricks, Suspicious Windows Registry Activities, Cactus Ransomware, MuddyWater, Azorult, IcedID, Quasar RAT, Gh0st RAT, Braodo Stealer, NetSupport RMM Tool Abuse, XWorm, Qakbot, NjRAT, SnappyBee, AsyncRAT, Salat Stealer, Chaos Ransomware, APT37 Rustonotto and FadeStealer, Interlock Ransomware, BlackByte Ransomware, Amadey, Emotet Malware DHS Report TA18-201A, CISA AA23-347A, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, DarkGate Malware, BlackSuit Ransomware, Lokibot
|
2026-06-08
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Windows Persistence Techniques, Prestige Ransomware, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse
|
2026-05-13
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Cwd, Linux Auditd Path
|
T1546.004
|
TTP
|
Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
0bj3ctivity Stealer, Scheduled Tasks, Windows Persistence Techniques, Castle RAT, Ryuk Ransomware, APT37 Rustonotto and FadeStealer, Ransomware
|
2026-05-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware, Cobalt Strike
|
2026-05-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, CISA AA22-320A, Crypto Stealer
|
2026-05-13
|
|
Cisco NVM - Non-Network Binary Making Network Connection
|
Cisco Network Visibility Module Flow Data
|
T1036
T1055
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Privilege Escalation Attempt Via MSI Rollback
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Remcos, AgentTesla, Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult
|
2026-05-13
|
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
CISA AA24-241A
|
2026-05-13
|
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
T1207
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Hellcat Ransomware, Qakbot, CISA AA23-347A
|
2026-05-13
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
China-Nexus Threat Activity, Linux Rootkit, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Scheduled Tasks, Industroyer2, Data Destruction, Hellcat Ransomware, Active Directory Discovery, Malicious Inno Setup Loader, Compromised Windows Host, Cactus Ransomware, CISA AA22-257A
|
2026-05-13
|
|
Linux Binary Launched Process with Null Argv
|
Linux Messages Syslog
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-12
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware, Cobalt Strike
|
2026-05-13
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
Warzone RAT, Qakbot, IcedID
|
2026-05-13
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows ComputerDefaults Spawning a Process
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Castle RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Windows Persistence Techniques, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, Windows Registry Abuse
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.005
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows MsMpEng Writing to System32
|
Sysmon EventID 15, Sysmon EventID 11
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Drivers, Windows Privilege Escalation, RedSun
|
2026-04-27
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Linux PF_ALG Registration Outside of Boot Window
|
Linux Messages Syslog
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-11
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Process Injection Wermgr Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Windows Error Reporting Service Elevation of Privilege Vulnerability, Qakbot
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, CISA AA24-241A, Hermetic Wiper
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Hermetic Wiper, Data Destruction, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Windows Registry Abuse, Windows Drivers, Ransomware
|
2026-05-13
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.001
|
Hunting
|
Quasar RAT, Hermetic Wiper, Data Destruction, Windows Privilege Escalation
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1548.003
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
AgentTesla, APT37 Rustonotto and FadeStealer, Snake Keylogger, Interlock Ransomware, CISA AA22-320A, BlackByte Ransomware, XMRig
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Qakbot, SolarWinds WHD RCE Post Exploitation, Castle RAT, Medusa Ransomware
|
2026-05-13
|
|
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
PromptFlux, BlankGrabber Stealer, Quasar RAT, APT37 Rustonotto and FadeStealer, XWorm, Gozi Malware, NjRAT, RedLine Stealer, Chaos Ransomware, Crypto Stealer, Interlock Ransomware
|
2026-05-13
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques, XorDDos
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Hellcat Ransomware, Suspicious WMI Use
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Water Gamayun, Earth Alux, Qakbot, Graceful Wipe Out Attack, Warzone RAT
|
2026-05-13
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware
|
2026-05-13
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
T1548.002
|
TTP
|
BlankGrabber Stealer, ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, IcedID
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
0bj3ctivity Stealer, Scheduled Tasks, Remcos, Active Directory Lateral Movement, Windows Persistence Techniques, Prestige Ransomware, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, Compromised Windows Host, CISA AA22-257A, Castle RAT, SystemBC, Malicious Inno Setup Loader, IcedID, PlugX, Industroyer2, Quasar RAT, XWorm, AsyncRAT, APT37 Rustonotto and FadeStealer, Winter Vivern, Medusa Ransomware, Data Destruction, CISA AA23-347A, Ryuk Ransomware, Ransomware
|
2026-05-13
|
|
MacOS Kextload Usage
|
Osquery Results
|
T1543
|
TTP
|
MacOS Privilege Escalation, MacOS Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
DarkSide Ransomware, Cobalt Strike, Remote Monitoring and Management Software, Hellcat Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Trickbot, APT37 Rustonotto and FadeStealer, Meterpreter, Brute Ratel C4, Tuoni, BlackByte Ransomware
|
2026-05-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Earth Alux, Brute Ratel C4
|
2026-05-13
|
|
Cisco Isovalent - Kprobe Spike
|
Cisco Isovalent Process Kprobe
|
T1068
|
Hunting
|
Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Admin Password Changed by Non-Admin
|
Windows Event Log Security 4723
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Active Directory Lateral Movement, Living Off The Land, Medusa Ransomware, Seashell Blizzard
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
AsyncRAT, Remcos
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.011
|
TTP
|
Compromised Windows Host, Windows Persistence Techniques
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Hermetic Wiper, Flax Typhoon, Data Destruction, Windows Privilege Escalation
|
2026-05-13
|
|
Suspicious PlistBuddy Usage via OSquery
|
Osquery Results
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Living Off The Land, Hellcat Ransomware, Compromised Windows Host, Winter Vivern
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.003
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
Remote Monitoring and Management Software, Gozi Malware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Scattered Spider, Cactus Ransomware, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Seashell Blizzard
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Compromised Windows Host
|
2026-05-13
|
|
Cisco Isovalent - Late Process Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Living Off The Land, Trickbot, Compromised Windows Host, Castle RAT, IcedID
|
2026-05-13
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4781, Windows Event Log Security 4768
|
T1078.002
|
Hunting
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Cloud Files Filter Loaded by Uncommon Process
|
Sysmon EventID 7
|
T1543.003
|
Anomaly
|
BlueHammer, RedSun
|
2026-05-18
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, Compromised Windows Host, BlackSuit Ransomware
|
2026-05-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
T1222.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.004
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
First Time Seen Child Process of Zoom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
Anomaly
|
Suspicious Zoom Child Processes
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
0bj3ctivity Stealer, Scheduled Tasks, Remcos, Windows Persistence Techniques, Prestige Ransomware, China-Nexus Threat Activity, ValleyRAT, Salt Typhoon, DarkCrystal RAT, Phemedrone Stealer, MoonPeak, Rhysida Ransomware, DHS Report TA18-074A, CISA AA22-257A, Sandworm Tools, AgentTesla, RedLine Stealer, SolarWinds WHD RCE Post Exploitation, Azorult, PlugX, NOBELIUM Group, Quasar RAT, Living Off The Land, NetSupport RMM Tool Abuse, XWorm, Qakbot, NjRAT, AsyncRAT, APT37 Rustonotto and FadeStealer, Scattered Spider, Winter Vivern, Medusa Ransomware, Amadey, CISA AA23-347A, CISA AA24-241A, Trickbot, ShrinkLocker, Lokibot
|
2026-05-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
China-Nexus Threat Activity, Derusbi, Salt Typhoon, ValleyRAT, Brute Ratel C4, Tuoni, Meduza Stealer, WinDealer RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, PlugX, Gh0st RAT, Salat Stealer, SnappyBee, AsyncRAT, Scattered Lapsus$ Hunters, CISA AA23-347A, DarkGate Malware, Lokibot
|
2026-06-08
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Cobalt Strike, Earth Alux, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Non-System Process Querying Definition Update
|
Sysmon EventID 22
|
T1068
T1071.001
|
Anomaly
|
BlueHammer, Windows Privilege Escalation, RedSun
|
2026-04-27
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
Scheduled Tasks, Remcos, Windows Persistence Techniques, Prestige Ransomware, ValleyRAT, DarkCrystal RAT, CISA AA22-257A, Sandworm Tools, SystemBC, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader, IcedID, PlugX, Industroyer2, Qakbot, AsyncRAT, Winter Vivern, Amadey, Data Destruction, CISA AA24-241A, BlackSuit Ransomware
|
2026-05-13
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Cobalt Strike, Hellcat Ransomware, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Snake Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
T1548
|
TTP
|
Windows Registry Abuse, Ransomware, MoonPeak, Azorult
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
HAFNIUM Group, Seashell Blizzard, Active Directory Lateral Movement, DarkSide Ransomware, Volt Typhoon, Sandworm Tools, Medusa Ransomware, SamSam Ransomware, Cactus Ransomware, Rhysida Ransomware, VanHelsing Ransomware, DHS Report TA18-074A, CISA AA22-320A, DarkGate Malware, BlackByte Ransomware, IcedID
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Cisco Isovalent Suspicious Activity, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, DarkSide Ransomware, Compromised Windows Host
|
2026-05-13
|
|
| Windows Vulnerable Driver Installed | Windows Event Log System 7045 | T1543.003 | TTP | Windows Drivers, Void Manticore | 2026-05-13 |
| Scheduled Task Creation on Remote Endpoint using At | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.002 | TTP | 0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement | 2026-05-13 |
| Windows Bypass UAC via Pkgmgr Tool | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002 | Anomaly | Warzone RAT | 2026-05-13 |
| Windows Audit Policy Auditing Option Modified - Registry | Sysmon EventID 13 | T1547.014 | Anomaly | Windows Audit Policy Tampering | 2026-05-13 |
| Linux Malformed Auth Entry | Linux Secure | T1068 | Anomaly | Linux Privilege Escalation | 2026-05-06 |
| Detect Excessive User Account Lockouts | | T1078.003 | Anomaly | Active Directory Password Spraying, Scattered Lapsus$ Hunters | 2026-05-13 |
| SilentCleanup UAC Bypass | Sysmon EventID 13 | T1548.002 | TTP | Windows Registry Abuse, Windows Defense Evasion Tactics, MoonPeak | 2026-05-13 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | T1548.003 | Anomaly | China-Nexus Threat Activity, Salt Typhoon, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Setuid Using Setcap Utility | Sysmon for Linux EventID 1 | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Service Create with Tscon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003, T1563.002 | TTP | Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Compromised Windows Host | 2026-05-13 |
| Registry Keys Used For Privilege Escalation | Sysmon EventID 13 | T1546.012 | TTP | Data Destruction, Windows Privilege Escalation, Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Cloud Federated Credential Abuse | 2026-05-13 |
| Rundll32 CreateRemoteThread In Browser | Sysmon EventID 8 | T1055 | TTP | Living Off The Land, IcedID | 2026-05-13 |
| Windows AD AdminSDHolder ACL Modified | Windows Event Log Security 5136 | T1546 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Autostart Execution LSASS Driver Registry Modification | Sysmon EventID 13 | T1547.008 | TTP | Windows Registry Abuse | 2026-05-13 |
| Spoolsv Spawning Rundll32 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1547.012 | TTP | Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 | 2026-05-13 |
| Windows Handle Duplication in Known UAC-Bypass Binaries | Sysmon EventID 10 | T1134.001 | Anomaly | Castle RAT | 2026-05-13 |
| Windows Driver Load Non-Standard Path | Windows Event Log System 7045 | T1014, T1068 | TTP | AgentTesla, Windows Drivers, CISA AA22-320A, BlackByte Ransomware, BlackSuit Ransomware | 2026-05-13 |
| Linux c99 Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux SSH Authorized Keys Modification | Sysmon for Linux EventID 1 | T1098.004 | Anomaly | Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Cisco Isovalent - Potential Escape to Host | Cisco Isovalent Process Exec | T1611 | Anomaly | Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows Cloud Files Filter Log Created by Non-System Process | Sysmon EventID 11 | T1068 | TTP | Windows Privilege Escalation, RedSun | 2026-05-01 |
| Linux Possible Ssh Key File Creation | Sysmon for Linux EventID 11 | T1098.004 | Anomaly | Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux MySQL Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | T1068, T1133, T1190, T1210 | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2026-05-13 |
| Microsoft SharePoint Server Elevation of Privilege | Suricata | T1068 | Anomaly | Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | 2026-05-13 |
| Cisco IOS XE Guestshell Activation and Destroy | Cisco IOS Logs | T1059, T1611 | Anomaly | Salt Typhoon | 2026-05-20 |
| ESXi Shared or Stolen Root Account | VMWare ESXi Syslog | T1078 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - New Local User Account Created | Cisco ASA Logs | T1078.003, T1136.001 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| PingID New MFA Method Registered For User | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Cisco ASA - User Privilege Level Change | Cisco ASA Logs | T1078.003, T1098 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| M365 Copilot Application Usage Pattern Anomalies | M365 Copilot Graph API | T1078 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Okta New API Token Created | Okta | T1078.001 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Zoom High Video Latency | | T1078 | Anomaly | Remote Employment Fraud | 2026-05-13 |
| Okta Phishing Detection with FastPass Origin Check | Okta | T1078.001, T1556 | TTP | Okta Account Takeover | 2026-05-13 |
| ESXi External Root Login Activity | VMWare ESXi Syslog | T1078 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Okta New Device Enrolled on Account | Okta | T1098.005 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| PingID Multiple Failed MFA Requests For User | PingID | T1078, T1110, T1621 | TTP | Compromised User Account | 2026-05-13 |
| ESXi Account Modified | VMWare ESXi Syslog | T1078, T1098, T1136.001 | Anomaly | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| ESXi User Granted Admin Role | VMWare ESXi Syslog | T1078, T1098 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Okta Suspicious Activity Reported | Okta | T1078.001 | TTP | Okta Account Takeover | 2026-05-13 |
| PingID New MFA Method After Credential Reset | PingID | T1098.005, T1556.006, T1621 | TTP | Scattered Lapsus$ Hunters, Compromised User Account | 2026-05-13 |
| Okta Risk Threshold Exceeded | Okta | T1078, T1110 | Correlation | Suspicious Okta Activity, Okta MFA Exhaustion, Okta Account Takeover | 2026-05-13 |
| Cisco IOS XE WebUI Programmatic Configuration | Cisco IOS Logs | T1078, T1190 | Anomaly | Salt Typhoon | 2026-05-19 |
| Cisco IOS XE WebUI Login From IOSd Local Port | Cisco IOS Logs | T1078, T1190 | TTP | Salt Typhoon | 2026-05-19 |
| Okta Successful Single Factor Authentication | Okta | T1078.004, T1586.003, T1621 | Anomaly | Okta Account Takeover | 2026-05-13 |
| M365 Copilot Session Origin Anomalies | M365 Copilot Graph API | T1078 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Okta Authentication Failed During MFA Challenge | Okta | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta ThreatInsight Threat Detected | Okta | T1078.004 | Anomaly | Okta Account Takeover | 2026-05-13 |
| PingID Mismatch Auth Source and Verification Response | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account | 2026-05-13 |
| GCP Successful Single-Factor Authentication | Google Workspace | T1078.004, T1586.003 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| ASL AWS IAM Successful Group Deletion | ASL AWS CloudTrail | T1069.003, T1098 | Hunting | AWS IAM Privilege Escalation | 2026-05-13 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | T1078 | TTP | Cloud Federated Credential Abuse | 2026-05-13 |
| O365 Cross-Tenant Access Change | Office 365 Universal Audit Log | T1484.002 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| GCP Detect gcploit framework | | T1078 | TTP | GCP Cross Account Activity | 2026-05-13 |
| Kubernetes Cron Job Creation | Kubernetes Audit | T1053.007 | Anomaly | Kubernetes Security | 2026-05-13 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-05-13 |
| O365 Service Principal Privilege Escalation | O365 Add app role assignment grant to user. | T1098.003 | TTP | Azure Active Directory Privilege Escalation, Office 365 Account Takeover | 2026-05-13 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | T1484.002 | TTP | Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Hellcat Ransomware | 2026-05-13 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-05-13 |
| O365 Privileged Role Assigned | Office 365 Universal Audit Log | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence | 2026-05-13 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | T1078.004 | Anomaly | Cloud Cryptomining | 2026-05-13 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | T1078.004 | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2026-05-13 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| O365 FullAccessAsApp Permission Assigned | O365 Update application. | T1098.002, T1098.003 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2026-05-13 |
| Azure AD PIM Role Assigned | Azure Active Directory | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | T1098.003 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | T1078.004, T1586.003 | TTP | AWS Identity and Access Management Account Takeover | 2026-05-13 |
| O365 Privileged Role Assigned To Service Principal | Office 365 Universal Audit Log | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| O365 Application Registration Owner Added | O365 Add owner to application. | T1098 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2026-05-13 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | T1078.004 | TTP | AWS IAM Privilege Escalation | 2026-05-13 |
| O365 Security And Compliance Alert Triggered | | T1078.004 | TTP | Office 365 Account Takeover | 2026-05-13 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| Azure AD Service Principal Privilege Escalation | Azure Active Directory Add app role assignment to service principal | T1098.003 | TTP | Azure Active Directory Privilege Escalation | 2026-05-13 |
| O365 Service Principal New Client Credentials | O365 | T1098.001 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2026-05-13 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Mailbox Read Access Granted to Application | O365 Update application. | T1098.003, T1114.002 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| O365 New MFA Method Registered | O365 Update user. | T1098.005 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| O365 High Privilege Role Granted | O365 Add member to role. | T1098.003 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| Okta Non-Standard VPN Usage | Okta | T1078, T1090, T1572 | TTP | Suspicious Okta Activity, Remote Employment Fraud | 2026-05-13 |
| ASL AWS IAM Delete Policy | ASL AWS CloudTrail | T1098 | Hunting | AWS IAM Privilege Escalation | 2026-05-13 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-05-13 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | T1098 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | T1078.004 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| AWS IAM Delete Policy | AWS CloudTrail DeletePolicy | T1098 | Hunting | AWS IAM Privilege Escalation | 2026-05-13 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoginFailed, O365 UserLoggedIn | T1078 | Anomaly | Office 365 Account Takeover | 2026-05-13 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | T1078 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | T1078.004 | TTP | AWS IAM Privilege Escalation | 2026-05-13 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | T1078.004 | Anomaly | Suspicious Cloud Instance Activities | 2026-05-13 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | T1484.002 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| AWS IAM Failure Group Deletion | AWS CloudTrail DeleteGroup | T1098 | Anomaly | AWS IAM Privilege Escalation | 2026-05-13 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | T1098.002, T1098.003 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Mailbox Folder Read Permission Assigned | O365 ModifyFolderPermissions | T1098.002 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | T1098.001 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| ASL AWS Create Policy Version to allow all resources | ASL AWS CloudTrail | T1078.004 | TTP | Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation | 2026-05-13 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| O365 Application Available To Other Tenants | Office 365 Universal Audit Log | T1098.003 | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration | 2026-05-13 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | T1098.005 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence | 2026-05-13 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud User Activities | 2026-05-13 |
| O365 Admin Consent Bypassed by Service Principal | O365 Add app role assignment to service principal. | T1098.003 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| AWS Bedrock Invoke Model Access Denied | AWS CloudTrail | T1078, T1550 | TTP | AWS Bedrock Security | 2026-05-13 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| O365 ApplicationImpersonation Role Assigned | O365 | T1098.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms | 2026-05-13 |
| AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | T1069.003, T1098 | Hunting | AWS IAM Privilege Escalation | 2026-05-13 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | T1098 | TTP | Azure Active Directory Persistence, Hellcat Ransomware | 2026-05-13 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | T1098.003 | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| ASL AWS SAML Update identity provider | ASL AWS CloudTrail | T1078 | TTP | Cloud Federated Credential Abuse | 2026-05-13 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | T1021.007, T1072, T1484, T1685, T1686 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Reset password (by admin), Azure Active Directory Update user, Azure Active Directory Enable account | T1098 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence | 2026-05-13 |
| Geographic Improbable Location | Okta | T1078 | Anomaly | Remote Employment Fraud | 2026-05-13 |
| ASL AWS IAM Failure Group Deletion | ASL AWS CloudTrail | T1098 | Anomaly | AWS IAM Privilege Escalation | 2026-05-13 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2026-05-13 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | T1078.004, T1586.003, T1621 | TTP | Scattered Lapsus$ Hunters, GCP Account Takeover | 2026-05-13 |
| O365 Tenant Wide Admin Consent Granted | O365 Consent to application. | T1098.003 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2026-05-13 |
| O365 Elevated Mailbox Permission Assigned | O365 Add-MailboxPermission | T1098.002 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| O365 Mailbox Folder Read Permission Granted | O365 ModifyFolderPermissions | T1098.002 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| Cisco Privileged Account Creation with HTTP Command Execution | | T1021.004, T1078, T1136 | Correlation | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | T1021, T1055, T1059.001, T1105, T1219, T1571 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Configuration Archive Logging Analysis | Cisco IOS Logs | T1098, T1505.003, T1685 | Hunting | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Cisco Privileged Account Creation with Suspicious SSH Activity | | T1021.004, T1078, T1136 | Correlation | Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - High Priority Intrusion Classification | Cisco Secure Firewall Threat Defense Intrusion Event | T1003, T1071, T1078, T1190, T1203 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco IOS Suspicious Privileged Account Creation | Cisco IOS Logs | T1078, T1136 | Anomaly | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Cisco Secure Firewall - Wget or Curl Download | Cisco Secure Firewall Threat Defense Connection Event | T1053.003, T1059, T1071.001, T1105 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |