| Detection | Data Source | MITRE ATT&CK | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk User Enumeration Attempt | Splunk | T1078 | TTP | Splunk Vulnerabilities | 2026-05-14 |
| CMLUA Or CMSTPLUA UAC Bypass | Sysmon EventID 7 | T1218.003 | TTP | LockBit Ransomware, DarkSide Ransomware, Ransomware, ValleyRAT | 2026-05-13 |
| Windows InstallUtil URL in Command Line | Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.004 | TTP | Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil | 2026-05-13 |
| Windows New Service Security Descriptor Set Via Sc.EXE | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1564 | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-05-13 |
| Windows Rasautou DLL Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055.001, T1218 | TTP | Windows Defense Evasion Tactics, Compromised Windows Host, Hellcat Ransomware | 2026-05-13 |
| USN Journal Deletion | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1070 | TTP | Ransomware, Windows Log Manipulation | 2026-05-13 |
| Mshta spawning Rundll32 OR Regsvr32 Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.005 | TTP | Living Off The Land, Trickbot, APT37 Rustonotto and FadeStealer, IcedID | 2026-05-13 |
| Execution of File with Multiple Extensions | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.003 | TTP | DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse, AsyncRAT | 2026-05-13 |
| MSBuild Suspicious Spawned By Script Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1127.001 | TTP | Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild | 2026-05-13 |
| Reg exe Manipulating Windows Services Registry Keys | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.011 | TTP | Windows Persistence Techniques, Windows Service Abuse, Living Off The Land | 2026-05-13 |
| Suspicious Copy on System32 | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.003 | Anomaly | Qakbot, Water Gamayun, Sandworm Tools, Compromised Windows Host, AsyncRAT, Volt Typhoon, IcedID, Unusual Processes | 2026-05-13 |
| Detect RTLO In Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.002 | TTP | Spearphishing Attachments | 2026-05-13 |
| Detect RTLO In File Name | Sysmon EventID 11 | T1036.002 | TTP | Spearphishing Attachments | 2026-05-13 |
| Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | T1574.006 | TTP | China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows MSIExec DLLRegisterServer | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.007 | TTP | Water Gamayun, Windows System Binary Proxy Execution MSIExec | 2026-05-13 |
| Linux Obfuscated Files or Information Base64 Decode | Sysmon for Linux EventID 1 | T1027 | Anomaly | Linux Living Off The Land | 2026-05-13 |
| Windows Rundll32 with Non-Standard File Extension | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | Anomaly | Gh0st RAT, Living Off The Land, Suspicious Rundll32 Activity | 2026-05-13 |
| Linux Auditd Base64 Decode Files | Linux Auditd Execve | T1140 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land | 2026-05-13 |
| Windows Chromium Process Launched with Logging Disabled | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Browser Hijacking | 2026-05-13 |
| Suspicious Rundll32 StartW | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | TTP | Graceful Wipe Out Attack, Cobalt Strike, Hellcat Ransomware, Trickbot, BlackByte Ransomware, Suspicious Rundll32 Activity | 2026-05-13 |
| Windows Odbcconf Load Response File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.008 | TTP | Living Off The Land | 2026-05-13 |
| Windows IOBit Unlocker Extension DLL Registration via Regsvr32 | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.010 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Drivers Loaded by Signature | Sysmon EventID 6 | T1014, T1068 | Hunting | CISA AA22-320A, Windows Drivers, AgentTesla, BlackByte Ransomware | 2026-05-13 |
| Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download | Cisco Network Visibility Module Flow Data | T1218.005 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Proxy Execution of .NET Utilities via Scripts | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218 | Anomaly | VIP Keylogger | 2026-05-13 |
| Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1078, T1135 | Anomaly | Active Directory Privilege Escalation, Active Directory Lateral Movement | 2026-05-13 |
| Suspicious msbuild path | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.003, T1127.001 | TTP | Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, BlackByte Ransomware, Living Off The Land, Masquerading - Rename System Utilities | 2026-05-13 |
| Windows ConsoleHost History File Deletion | Sysmon EventID 26, Sysmon EventID 23 | T1070.003 | Anomaly | Medusa Ransomware | 2026-05-13 |
| Detect Regsvr32 Application Control Bypass | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.010 | TTP | Compromised Windows Host, Graceful Wipe Out Attack, Suspicious Regsvr32 Activity, Cobalt Strike, BlackByte Ransomware, Living Off The Land, PHP-CGI RCE Attack on Japanese Organizations | 2026-05-13 |
| Windows Entra User Management Via Azure CLI | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1078.004, T1098, T1136 | Anomaly | Azure Active Directory Persistence | 2026-05-13 |
| Wscript Or Cscript Suspicious Child Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055, T1134.004, T1543 | Anomaly | WhisperGate, Axios Supply Chain Post Compromise, XWorm, VIP Keylogger, NjRAT, MuddyWater, FIN7, Data Destruction, 0bj3ctivity Stealer, Remcos, Unusual Processes, ShrinkLocker | 2026-05-13 |
| Rundll32 Control RunDLL Hunt | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | Hunting | Microsoft MSHTML Remote Code Execution CVE-2021-40444, Living Off The Land, Suspicious Rundll32 Activity | 2026-05-13 |
| Windows Process Injection into Commonly Abused Processes | Sysmon EventID 10 | T1055.002 | Anomaly | SAP NetWeaver Exploitation, BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Remote Assistance Spawning Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055 | TTP | Unusual Processes, Compromised Windows Host | 2026-05-13 |
| Windows AD SID History Attribute Modified | Windows Event Log Security 5136 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Chromium process Launched with Disable Popup Blocking | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Browser Hijacking | 2026-05-13 |
| Windows Process With NamedPipe CommandLine | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055 | Anomaly | Windows Defense Evasion Tactics | 2026-05-13 |
| Windows BitLockerToGo with Network Activity | Sysmon EventID 22 | T1218 | Hunting | Lumma Stealer, Hellcat Ransomware | 2026-05-13 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Hellcat Ransomware | 2026-05-13 |
| Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | T1574.001 | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2026-05-13 |
| Windows GrimResource - MMC Process Accessing APDS DLL | Windows Event Log Security 4663 | T1059.007, T1218.014 | TTP | Compromised Windows Host | 2026-05-13 |
| Curl Execution with Percent Encoded URL | Sysmon for Linux EventID 1, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1027, T1105 | Anomaly | Living Off The Land, Compromised Windows Host, Ingress Tool Transfer | 2026-05-13 |
| Detect Rundll32 Inline HTA Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.005 | TTP | Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Azure PowerShell Module Installation Via PowerShell Script | Powershell Script Block Logging 4104 | T1021.007, T1069.003, T1078, T1098, T1136.003 | Anomaly | Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Powershell Enable SMB1Protocol Feature | Powershell Script Block Logging 4104 | T1027.005 | TTP | Data Destruction, Malicious PowerShell, Ransomware, Hermetic Wiper | 2026-05-13 |
| Suspicious microsoft workflow compiler usage | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1127 | TTP | Living Off The Land, Trusted Developer Utilities Proxy Execution | 2026-05-13 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | T1574.006 | TTP | Compromised Linux Host, China-Nexus Threat Activity, Salt Typhoon, Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | T1547, T1574.001 | Anomaly | XWorm, China-Nexus Threat Activity, Salt Typhoon, Earth Alux, APT29 Diplomatic Deceptions with WINELOADER, Derusbi | 2026-05-13 |
| Windows System Script Proxy Execution Syncappvpublishingserver | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1216, T1218 | TTP | Living Off The Land | 2026-05-13 |
| Windows Obfuscated Files or Information via RAR SFX | Sysmon EventID 11 | T1027.013 | Anomaly | Crypto Stealer, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Trickbot Named Pipe | Sysmon EventID 18, Sysmon EventID 17 | T1055 | TTP | Trickbot, Hellcat Ransomware | 2026-05-13 |
| Windows Process Execution From ProgramData | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.005 | Hunting | Axios Supply Chain Post Compromise, XWorm, SnappyBee, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, Salt Typhoon, StealC Stealer, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Windows Odbcconf Load DLL | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.008 | TTP | Living Off The Land | 2026-05-13 |
| Detect Regasm Spawning a Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.009 | TTP | Suspicious Regsvcs Regasm Activity, Compromised Windows Host, Snake Keylogger, Handala Wiper, Void Manticore, DarkGate Malware, Living Off The Land | 2026-05-13 |
| Windows AD Cross Domain SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host | 2026-05-13 |
| Windows Diskshadow Proxy Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218 | TTP | Living Off The Land | 2026-05-13 |
| Windows MSIExec Spawn WinDBG | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.007 | TTP | DarkGate Malware, Compromised Windows Host | 2026-05-13 |
| Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Credential Dumping, Insider Threat | 2026-05-13 |
| BITSAdmin Download File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1105, T1197 | TTP | DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Flax Typhoon, BITS Jobs, Gozi Malware, Living Off The Land, Scattered Spider, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Disable Show Hidden Files | Sysmon EventID 13 | T1112, T1564.001, T1685 | Anomaly | Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult | 2026-05-13 |
| Windows Rundll32 Apply User Settings Changes | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | Anomaly | Rhysida Ransomware | 2026-05-13 |
| Windows HTTP Network Communication From MSIExec | Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3 | T1218.007 | Anomaly | Water Gamayun, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer, Windows System Binary Proxy Execution MSIExec, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Data Destruction, AcidRain, AcidPour | 2026-05-13 |
| Windows RunMRU Command Execution | Sysmon EventID 13 | T1202 | Anomaly | Fake CAPTCHA Campaigns, Lumma Stealer | 2026-05-13 |
| MacOS Hidden Files and Directories | Osquery Results | T1564.001 | Anomaly | MacOS Persistence Techniques | 2026-05-13 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | T1105, T1218, T1567 | TTP | Water Gamayun, NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer, Malicious Inno Setup Loader, Fake CAPTCHA Campaigns, Living Off The Land, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Detect mshta inline hta execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.005 | TTP | Compromised Windows Host, Suspicious MSHTA Activity, XWorm, APT37 Rustonotto and FadeStealer, Living Off The Land, Gozi Malware, BlankGrabber Stealer | 2026-05-13 |
| Suspicious Process Executed From Container File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.008, T1204.002 | TTP | Water Gamayun, APT37 Rustonotto and FadeStealer, Amadey, Remcos, Snake Keylogger, Unusual Processes, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| PowerShell Start-BitsTransfer | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1197 | TTP | Gozi Malware, BITS Jobs | 2026-05-13 |
| Notepad with no Command Line Arguments | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055 | TTP | BishopFox Sliver Adversary Emulation Framework | 2026-05-13 |
| Sdelete Application Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1070.004, T1485 | TTP | Scattered Spider, Masquerading - Rename System Utilities, Void Manticore | 2026-05-13 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | T1014, T1082 | Anomaly | Linux Rootkit, Compromised Linux Host, XorDDos | 2026-05-13 |
| Cisco NVM - Curl Execution With Insecure Flags | Cisco Network Visibility Module Flow Data | T1197 | Anomaly | Microsoft WSUS CVE-2025-59287, PromptLock, Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Odbcconf Hunting | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.008 | Hunting | Living Off The Land | 2026-05-13 |
| WMIC XSL Execution via URL | Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1220 | TTP | Compromised Windows Host, Cisco Network Visibility Module Analytics, Suspicious WMI Use | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Persistence, Azure Active Directory Account Takeover, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1027, T1059.004 | TTP | Cisco Isovalent Suspicious Activity, Linux Living Off The Land | 2026-05-13 |
| Ping Sleep Batch Command | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497.003 | Anomaly | WhisperGate, Meduza Stealer, Warzone RAT, Void Manticore, Data Destruction, Quasar RAT, BlackByte Ransomware, Gh0st RAT | 2026-05-13 |
| Windows Known Abused DLL Created | Sysmon EventID 11 | T1574.001 | Anomaly | Windows Defense Evasion Tactics, Living Off The Land | 2026-05-13 |
| Malicious PowerShell Process - Encoded Command | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1027 | Hunting | Qakbot, WhisperGate, Sandworm Tools, Scattered Spider, Crypto Stealer, Volt Typhoon, SolarWinds WHD RCE Post Exploitation, CISA AA22-320A, Data Destruction, Lumma Stealer, Malicious PowerShell, Microsoft SharePoint Vulnerabilities, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, DarkCrystal RAT, NOBELIUM Group, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Recursive Delete of Directory In Batch CMD | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1070.004 | TTP | Ransomware, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| UAC Bypass MMC Load Unsigned Dll | Sysmon EventID 7 | T1218.014, T1548.002 | TTP | Windows Defense Evasion Tactics | 2026-05-13 |
| Windows Advanced Installer MSIX with AI_STUBS Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1204.002, T1218, T1553.005 | TTP | MSIX Package Abuse | 2026-05-13 |
| Windows Suspicious File in EFI Volume | Sysmon EventID 11 | T1490, T1542.001 | TTP | Windows BootKits, BlackLotus Campaign, Sandworm Tools | 2026-05-13 |
| Windows Registry Payload Injection | Sysmon EventID 13 | T1027.011 | TTP | Unusual Processes | 2026-05-13 |
| Windows NetSupport RMM DLL Loaded By Uncommon Process | Sysmon EventID 7 | T1036 | Anomaly | NetSupport RMM Tool Abuse | 2026-05-13 |
| Windows Process Writing File to World Writable Path | Sysmon EventID 11 | T1218.005 | Hunting | PathWiper, APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations | 2026-05-13 |
| Windows DLL Side-Loading In Calc | Sysmon EventID 7 | T1574.001 | TTP | Qakbot, Earth Alux | 2026-05-13 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AwfulShred, AcidRain, AcidPour | 2026-05-13 |
| Windows Suspicious Process File Path | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.005, T1543 | TTP | SystemBC, Qakbot, AsyncRAT, AgentTesla, SesameOp, Volt Typhoon, Lokibot, Data Destruction, Interlock Rat, Trickbot, Industroyer2, Azorult, Phemedrone Stealer, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Brute Ratel C4, Axios Supply Chain Post Compromise, SnappyBee, Meduza Stealer, Void Manticore, StealC Stealer, LockBit Ransomware, Remcos, Hermetic Wiper, BlackByte Ransomware, PlugX, NailaoLocker Ransomware, WhisperGate, Rhysida Ransomware, Chaos Ransomware, Salt Typhoon, ValleyRAT, Malicious Inno Setup Loader, Amadey, Quasar RAT, DarkGate Malware, RedLine Stealer, XWorm, Graceful Wipe Out Attack, China-Nexus Threat Activity, Handala Wiper, Warzone RAT, XMRig, PromptLock, Castle RAT, Earth Alux, Swift Slicer, VIP Keylogger, MoonPeak, Double Zero Destructor, Prestige Ransomware, IcedID, DarkCrystal RAT, CISA AA23-347A, Interlock Ransomware | 2026-05-13 |
| Detect Regsvcs Spawning a Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.009 | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity, Compromised Windows Host | 2026-05-13 |
| Winhlp32 Spawning a Process | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055 | TTP | Remcos, Compromised Windows Host | 2026-05-13 |
| SearchProtocolHost with no Command Line with Network | Sysmon EventID 1, Sysmon EventID 3 | T1055 | TTP | Compromised Windows Host, Graceful Wipe Out Attack, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware | 2026-05-13 |
| Windows Set Custom DNS ServerLevelPlugin Via Dnscmd | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, AcidPour | 2026-05-13 |
| Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | T1078.002 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2026-05-13 |
| Suspicious Regsvr32 Register Suspicious Path | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.010 | TTP | Qakbot, IcedID, China-Nexus Threat Activity, Salt Typhoon, Suspicious Regsvr32 Activity, Derusbi, Living Off The Land | 2026-05-13 |
| Detect Path Interception By Creation Of program exe | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.009 | TTP | Windows Persistence Techniques, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Execute Arbitrary Commands with MSDT | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218 | TTP | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host | 2026-05-13 |
| Windows Process Execution in Temp Dir | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.005, T1543 | Anomaly | Qakbot, Axios Supply Chain Post Compromise, XWorm, Ransomware, NjRAT, AgentTesla, PathWiper, PromptLock, SesameOp, Remcos, Trickbot, Ryuk Ransomware, Gh0st RAT, Lokibot | 2026-05-13 |
| Windows Guest Account Enabled Via Net.EXE | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1078.001 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | T1574.001 | TTP | Living Off The Land, Windows Defense Evasion Tactics, SolarWinds WHD RCE Post Exploitation | 2026-05-13 |
| Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Sysmon EventID 10 | T1134.001 | Anomaly | PathWiper, Brute Ratel C4 | 2026-05-13 |
| Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1069, T1078.002 | TTP | Active Directory Privilege Escalation, Active Directory Discovery, Rhysida Ransomware | 2026-05-13 |
| Windows AD Same Domain SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005 | TTP | Windows Persistence Techniques, Compromised Windows Host, Sneaky Active Directory Persistence Tricks | 2026-05-13 |
| Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | T1078, T1098 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Windows Time Based Evasion | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497.003 | TTP | NjRAT, BlankGrabber Stealer | 2026-05-13 |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.001 | TTP | Living Off The Land, Suspicious Compiled HTML Activity, Compromised Windows Host, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Cisco NVM - Suspicious Network Connection From Process With No Args | Cisco Network Visibility Module Flow Data | T1055, T1218 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Chromium Process with Disabled Extensions | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | Anomaly | Browser Hijacking | 2026-05-13 |
| Create or delete windows shares using net exe | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1070.005 | TTP | Windows Post-Exploitation, CISA AA22-277A, Prestige Ransomware, DarkGate Malware, Hidden Cobra Malware | 2026-05-13 |
| Windows Bluetooth Service Installed From Uncommon Location | Windows Event Log System 7045 | T1036, T1543.003 | Anomaly | Lotus Blossom Chrysalis Backdoor | 2026-05-13 |
| Process Deleting Its Process File Path | Sysmon EventID 1 | T1070 | TTP | Clop Ransomware, WhisperGate, Remcos, Data Destruction | 2026-05-13 |
| Rundll32 Create Remote Thread To A Process | Sysmon EventID 8 | T1055 | TTP | Living Off The Land, IcedID | 2026-05-13 |
| Windows Rundll32 Load DLL in Temp Dir | Sysmon EventID 1 | T1218.011 | Anomaly | Interlock Rat | 2026-05-13 |
| Detect mshta renamed | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.005 | Hunting | Living Off The Land, Suspicious MSHTA Activity, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Suspicious Named Pipe | Sysmon EventID 18, Sysmon EventID 17 | T1021.002, T1055, T1559 | TTP | Brute Ratel C4, DarkSide Ransomware, Graceful Wipe Out Attack, APT37 Rustonotto and FadeStealer, Cobalt Strike, LockBit Ransomware, Remote Monitoring and Management Software, Trickbot, Tuoni, Meterpreter, BlackByte Ransomware, Gozi Malware, Hellcat Ransomware | 2026-05-13 |
| Mmc LOLBAS Execution Process Spawn | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1021.003, T1218.014 | TTP | Living Off The Land, Water Gamayun, XML Runner Loader, Active Directory Lateral Movement | 2026-05-13 |
| Regsvr32 with Known Silent Switch Cmdline | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.010 | Anomaly | Qakbot, AsyncRAT, Suspicious Regsvr32 Activity, Remcos, IcedID, Living Off The Land | 2026-05-13 |
| Wbemprox COM Object Execution | Sysmon EventID 7 | T1218.003 | TTP | LockBit Ransomware, Revil Ransomware, Ransomware | 2026-05-13 |
| Windows Indirect Command Execution Via pcalua | Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1202 | TTP | Living Off The Land | 2026-05-13 |
| Linux Indicator Removal Service File Deletion | Sysmon for Linux EventID 1 | T1070.004 | Anomaly | Data Destruction, AwfulShred | 2026-05-13 |
| RunDLL Loading DLL By Ordinal | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | TTP | Living Off The Land, Unusual Processes, Suspicious Rundll32 Activity, IcedID | 2026-05-13 |
| Suspicious writes to windows Recycle Bin | Sysmon EventID 11, Sysmon EventID 1 | T1036 | TTP | PlugX, Collection and Staging | 2026-05-13 |
| Windows Get-Variable.EXE Execution from WindowsApps Folder | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.008 | Anomaly | Windows Persistence Techniques | 2026-05-13 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | T1027.011, T1059.001, T1105 | TTP | Medusa Ransomware, MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations | 2026-05-13 |
| Windows Mshta Execution In Registry | Sysmon EventID 13 | T1218.005 | TTP | Windows Persistence Techniques, Suspicious Windows Registry Activities | 2026-05-13 |
| Windows Process Injection into Notepad | Sysmon EventID 10 | T1055.002 | Anomaly | BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | T1055, T1059.001 | TTP | Data Destruction, Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper | 2026-05-13 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | Data Destruction, AcidRain, AcidPour | 2026-05-13 |
| Windows Unsigned DLL Side-Loading In Same Process Path | Sysmon EventID 7 | T1574.001 | TTP | XWorm, SnappyBee, China-Nexus Threat Activity, Salt Typhoon, Malicious Inno Setup Loader, Lokibot, SolarWinds WHD RCE Post Exploitation, Derusbi, DarkGate Malware, PlugX, NailaoLocker Ransomware | 2026-05-13 |
| Windows Potential AppDomainManager Hijack Artifacts Creation | Sysmon EventID 11 | T1574.014 | Anomaly | SesameOp | 2026-05-13 |
| Windows Alternate DataStream - Process Execution | Windows Event Log Security 4688, Sysmon EventID 1 | T1564.004 | TTP | Windows Defense Evasion Tactics, Compromised Windows Host | 2026-05-13 |
| Suspicious Rundll32 no Command Line Arguments | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | TTP | Graceful Wipe Out Attack, Cobalt Strike, Hellcat Ransomware, PrintNightmare CVE-2021-34527, BlackByte Ransomware, Suspicious Rundll32 Activity | 2026-05-13 |
| Detect Regsvcs with Network Connection | Sysmon EventID 3 | T1218.009 | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity, Hellcat Ransomware | 2026-05-13 |
| Windows Svchost.exe Parent Process Anomaly | Windows Event Log Security 4688, Sysmon EventID 1 | T1036.009 | Anomaly | SnappyBee, China-Nexus Threat Activity | 2026-05-13 |
| Windows DLL Side-Loading Process Child Of Calc | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1574.001 | Anomaly | Qakbot, Earth Alux | 2026-05-13 |
| Windows Regsvr32 Renamed Binary | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.010 | TTP | Qakbot, Compromised Windows Host | 2026-05-13 |
| Suspicious Rundll32 PluginInit | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.011 | TTP | IcedID | 2026-05-13 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path, Linux Auditd Cwd | T1574.006 | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Windows List ENV Variables Via SET Command From Uncommon Parent | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055 | Anomaly | Qakbot | 2026-05-13 |
| Windows WinLogon with Public Network Connection | Sysmon EventID 1, Sysmon EventID 3 | T1542.003 | Hunting | BlackLotus Campaign | 2026-05-13 |
| Windows Time Based Evasion via Choice Exec | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497.003 | Anomaly | Snake Keylogger, 0bj3ctivity Stealer, VIP Keylogger | 2026-05-13 |
| CertUtil With Decode Argument | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1140 | TTP | Forest Blizzard, Storm-2460 CLFS Zero Day Exploitation, APT29 Diplomatic Deceptions with WINELOADER, Living Off The Land, Deobfuscate-Decode Files or Information, GhostRedirector IIS Module and Rungan Backdoor | 2026-05-13 |
| Detect HTML Help URL in Command Line | Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.001 | TTP | Compromised Windows Host, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious Compiled HTML Activity | 2026-05-13 |
| Suspicious GPUpdate no Command Line Arguments | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1055 | TTP | Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware | 2026-05-13 |
| Windows AD Privileged Account SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005 | TTP | Sneaky Active Directory Persistence Tricks, Compromised Windows Host | 2026-05-13 |
| Uninstall App Using MsiExec | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.007 | TTP | Ransomware | 2026-05-13 |
| Cisco NVM - Non-Network Binary Making Network Connection | Cisco Network Visibility Module Flow Data | T1036, T1055 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows EFI Bootloader File Modification | Sysmon EventID 11 | T1542.003 | TTP | Windows BootKits | 2026-05-13 |
| Windows Chromium Browser Launched with Small Window Size | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1497 | TTP | Browser Hijacking | 2026-05-13 |
| Windows BootLoader Inventory | | T1542.001 | Hunting | Windows BootKits, BlackLotus Campaign | 2026-05-13 |
| Rundll32 with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | T1218.011 | TTP | Compromised Windows Host, Graceful Wipe Out Attack, Cobalt Strike, Cactus Ransomware, PrintNightmare CVE-2021-34527, BlackByte Ransomware, BlackSuit Ransomware, Suspicious Rundll32 Activity | 2026-05-13 |
| Cisco NVM - Suspicious Network Connection Initiated via MsXsl | Cisco Network Visibility Module Flow Data | T1220 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows LOLBAS Executed As Renamed File | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1036.003, T1218.011 | TTP | Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics, Masquerading - Rename System Utilities | 2026-05-13 |
| Windows Snake Malware File Modification Crmlog | Sysmon EventID 11 | T1027 | TTP | Snake Malware | 2026-05-13 |
| Windows Unusual Process Load Mozilla NSS-Mozglue Module | Sysmon EventID 7 | T1218.003 | Anomaly | VIP Keylogger, StealC Stealer, 0bj3ctivity Stealer, Quasar RAT, Lokibot | 2026-05-13 |
| Detect HTML Help Using InfoTech Storage Handlers | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1218.001 | TTP | Living Off The Land, Suspicious Compiled HTML Activity, Compromised Windows Host, APT37 Rustonotto and FadeStealer | |
|
2026-05-13
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.013
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows InstallUtil Uninstall Option
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.004
|
TTP
|
Living Off The Land, Compromised Windows Host, Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Indirect Command Execution Via forfiles
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1202
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2026-05-13
|
|
Windows MSIExec Unregister DLLRegisterServer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Suspicious DLLHost no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1218.005
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd AI CLI Permission Override Activated
|
Linux Auditd Proctitle
|
T1480
|
Anomaly
|
QuietVault
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1127
|
Hunting
|
Graceful Wipe Out Attack, Cobalt Strike, BlackByte Ransomware, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
Qakbot, Warzone RAT, IcedID
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.001
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics, Compromised Windows Host
|
2026-05-13
|
|
Windows MSIExec Remote Download
|
Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
Anomaly
|
Water Gamayun, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec, SolarWinds WHD RCE Post Exploitation, StealC Stealer
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Handala Wiper, Void Manticore, Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
System Processes Run From Unexpected Locations
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ransomware, Suspicious Command-Line Executions, DarkGate Malware, Unusual Processes, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-05-13
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
T1218.010
|
TTP
|
Suspicious Regsvr32 Activity, Remcos
|
2026-05-13
|
|
Windows Indicator Removal Via Rmdir
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070
|
Anomaly
|
DarkGate Malware, ZOVWiper, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
Qakbot, AsyncRAT, AgentTesla, SesameOp, Volt Typhoon, Data Destruction, Interlock Rat, Trickbot, Azorult, Industroyer2, Brute Ratel C4, Axios Supply Chain Post Compromise, Meduza Stealer, SnappyBee, APT37 Rustonotto and FadeStealer, PromptFlux, Void Manticore, LockBit Ransomware, Remcos, Hermetic Wiper, Derusbi, BlackByte Ransomware, PlugX, WhisperGate, Crypto Stealer, NjRAT, Rhysida Ransomware, Chaos Ransomware, Salt Typhoon, ValleyRAT, Amadey, XML Runner Loader, DarkGate Malware, WinDealer RAT, Snake Keylogger, RedLine Stealer, AcidPour, Graceful Wipe Out Attack, China-Nexus Threat Activity, Handala Wiper, Warzone RAT, XMRig, PromptLock, VIP Keylogger, Swift Slicer, MoonPeak, Double Zero Destructor, IcedID, DarkCrystal RAT, CISA AA23-347A, Lokibot
|
2026-05-13
|
|
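Three rows above are pure path rules over Sysmon EventID 11 file-create records: Windows EFI Bootloader File Modification, GitHub Workflow File Creation or Modification and Executables Or Script Creation In Temp Path. The block below is an added example of how those rules look when written out, not ESCU's SPL: the extension list, the temp-directory test, the EFI path test and the exempt servicing writers are the author's approximations, and the events are constructed.

```python
"""Path-based rules over Sysmon EventID 11 records (Windows and Linux Sysmon).

Added example, not ESCU's searches. Lists and thresholds are assumptions to tune."""
from pathlib import PurePosixPath

# extensions the temp-path rule cares about (assumption, Windows-centric)
EXECUTABLE_OR_SCRIPT = {".exe", ".dll", ".sys", ".scr", ".pif", ".com", ".cpl",
                        ".bat", ".cmd", ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# servicing/boot tooling that legitimately rewrites bootmgfw.efi (assumption, tune per estate)
EFI_EXPECTED_WRITERS = {"tiworker.exe", "bcdboot.exe"}


def norm(path):
    """Lower-case with forward slashes so one rule set covers both path styles."""
    return path.replace("\\", "/").lower()


def is_temp_path(p):
    """True when any directory component (not the file name) is temp or tmp."""
    return any(seg in ("temp", "tmp") for seg in p.split("/")[:-1])


def rules_for(event):
    """Names of the rules a single file-create event matches (empty list = clean)."""
    p = norm(event["TargetFilename"])
    ext = PurePosixPath(p).suffix
    writer = PurePosixPath(norm(event["Image"])).name
    hits = []
    if ext in EXECUTABLE_OR_SCRIPT and is_temp_path(p):
        hits.append("exe_or_script_in_temp")
    if "/.github/workflows/" in p and ext in (".yml", ".yaml"):
        hits.append("github_workflow_file")
    # EFI System Partition reached via a mountvol drive letter or a \\?\Volume{GUID}\ path
    if ext == ".efi" and "/efi/" in p and writer not in EFI_EXPECTED_WRITERS:
        hits.append("efi_bootloader_file")
    return hits


SAMPLE_EVENTS = [  # constructed Sysmon EventID 11 records, not real telemetry
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\7zO4A1\setup.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\tmp3F9A.tmp"},
    {"Image": "/usr/bin/node",
     "TargetFilename": "/home/dev/repo/.github/workflows/ci.yml"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"S:\EFI\Microsoft\Boot\bootmgfw.efi"},
    {"Image": r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack\TiWorker.exe",
     "TargetFilename": r"\\?\Volume{3b1a2c4d-0000-0000-0000-100000000000}\EFI\Microsoft\Boot\bootmgfw.efi"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\stage2.ps1"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns one list of rule names per event, in input order."""
    return [rules_for(e) for e in events]
```

The EFI rule is the one that needs the writer exemption: Windows servicing rewrites the boot manager on the ESP during updates, so alerting on the path alone produces a false positive on every patch cycle, while a write from a binary in a user's Temp directory (event 4 above) is exactly what the table's BootKits story is about.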
Windows Process Injection Wermgr Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
CISA AA24-241A, Scheduled Tasks, Active Directory Lateral Movement, Data Destruction, Malicious PowerShell, Hermetic Wiper, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Runas Execution in CommandLine
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1134.001
|
Hunting
|
Data Destruction, Windows Privilege Escalation, Quasar RAT, Hermetic Wiper
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1127.001
|
Hunting
|
Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, BlackByte Ransomware, Living Off The Land, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.010
T1059.001
|
Anomaly
|
Deobfuscate-Decode Files or Information, Compromised Windows Host
|
2026-05-13
|
|
Suspicious mshta child process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
MuddyWater, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity
|
2026-05-13
|
|
BITS Job Persistence
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Detect HTML Help Renamed
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.001
|
Hunting
|
Living Off The Land, Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Control Loading from World Writable Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.002
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Suspicious Rundll32 dllregisterserver
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity, IcedID
|
2026-05-13
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
T1036.008
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Renamed Powershell Execution
|
Sysmon EventID 1
|
T1036.003
|
TTP
|
Axios Supply Chain Post Compromise, XWorm, Hellcat Ransomware
|
2026-05-13
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
T1027
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity, XWorm
|
2026-05-13
|
|
Rundll32 Control RunDLL World Writable Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Living Off The Land, Compromised Windows Host, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows MSIExec Spawn Discovery Command
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
Anomaly
|
Medusa Ransomware, Water Gamayun, Windows System Binary Proxy Execution MSIExec, StealC Stealer
|
2026-05-13
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
T1070
|
TTP
|
Data Destruction, AwfulShred
|
2026-05-13
|
|
Windows BitLockerToGo Process Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1218
|
Hunting
|
Lumma Stealer
|
2026-05-13
|
|
Suspicious mshta spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Qakbot, Water Gamayun, Graceful Wipe Out Attack, Warzone RAT, Earth Alux
|
2026-05-13
|
|
Windows New Deny Permission Set On Service SD Via Sc.EXE
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.005
T1203
T1218
|
TTP
|
Windows Defense Evasion Tactics, Water Gamayun, Living Off The Land
|
2026-05-13
|
|
Windows InstallUtil in Non Standard Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1218.004
|
TTP
|
WhisperGate, Ransomware, Data Destruction, Living Off The Land, Signed Binary Proxy Execution InstallUtil, Unusual Processes, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.014
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Windows RDP Server Registry Deletion
|
Sysmon EventID 13, Sysmon EventID 12
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Unusual SysWOW64 Process Run System32 Executable
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.009
|
Anomaly
|
DarkGate Malware, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows RDP Cache File Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Detect Regsvcs with No Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
XSL Script Execution With WMIC
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1220
|
TTP
|
FIN7, Suspicious WMI Use
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1222
T1564.004
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1202
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Command Obfuscation with Environment Variable Substrings
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.010
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
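Several rows in this table are pure command-line content checks over process-creation events (Security 4688, Sysmon EventID 1): CertUtil With Decode Argument, Windows Time Based Evasion via Choice Exec, Windows Command Obfuscation with Environment Variable Substrings and Windows List ENV Variables Via SET Command From Uncommon Parent. The block below is an added example that implements those four checks over constructed events; the regular expressions, the list of parents for which a bare set is expected, and the sample command lines are the author's, not ESCU's SPL.

```python
"""Command-line content rules for four process-creation analytics.

Added example, not ESCU's searches. Regexes and the expected-parent list are assumptions."""
import re
from pathlib import PureWindowsPath


def image_name(path):
    """Lower-cased basename so rules do not depend on install directory."""
    return PureWindowsPath(path).name.lower()


# certutil -decode / -decodehex (either switch character) turns a text blob back into a binary
CERTUTIL_DECODE = re.compile(r"(?i)(?:^|\s)[-/]decode(?:hex)?(?:\s|$)")
# choice /t <seconds> /d <default> is cmd.exe's sleep(); switch order varies between loaders
CHOICE_DELAY = re.compile(r"(?i)\bchoice\b(?=.*\s/t\s*\d+)(?=.*\s/d\s*\S)")
# %VAR:~start,len% substring expansion, used to spell a command out of existing variables
ENV_SUBSTRING = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%")
# a cmd.exe whose whole job is "set": dumps every environment variable to the caller
CMD_SET_ONLY = re.compile(r'(?i)^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[ck]\s+"?set"?\s*$')
# parents that run a bare "set" in scripts and interactive shells (assumption, tune per estate)
SET_EXPECTED_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe", "code.exe"}


def evaluate(event):
    """Names of the rules a process-creation event matches (empty list = clean)."""
    img = image_name(event["Image"])
    cmd = event.get("CommandLine", "")
    parent = image_name(event.get("ParentImage", ""))
    hits = []
    if img == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        hits.append("certutil_decode")
    if CHOICE_DELAY.search(cmd):
        hits.append("choice_time_delay")
    if ENV_SUBSTRING.search(cmd):
        hits.append("env_var_substring_obfuscation")
    if img == "cmd.exe" and CMD_SET_ONLY.match(cmd) and parent not in SET_EXPECTED_PARENTS:
        hits.append("set_from_uncommon_parent")
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\payload.b64 C:\Users\Public\payload.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "CommandLine": r'cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\bob\AppData\Local\Temp\invoice.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c %COMSPEC:~-16,1%%COMSPEC:~-1%%COMSPEC:~-16,1% /c calc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c set'},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -hashfile C:\setup.exe SHA256"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c set"},
]


def run(events=SAMPLE_EVENTS):
    """Pair each command line with the rules it triggers, in input order."""
    return [(e["CommandLine"], evaluate(e)) for e in events]
```

Events 5 and 6 are the controls: a certutil hash operation and a bare set spawned by another cmd.exe should stay clean, which is why the decode rule anchors on the switch and the set rule is gated on the parent rather than on the command line alone.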
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Rundll32 LockWorkStation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Brute Ratel C4, DarkSide Ransomware, Graceful Wipe Out Attack, APT37 Rustonotto and FadeStealer, Cobalt Strike, Storm-0501 Ransomware, LockBit Ransomware, Remote Monitoring and Management Software, Trickbot, Meterpreter, BlackByte Ransomware, Tuoni, Gozi Malware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Brute Ratel C4, Earth Alux
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Post-Exploitation, Compromised Linux Host, Linux Rootkit, Linux Privilege Escalation, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log Security 4720, Windows Event Log Security 4726
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
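Four rows in this table are correlations over Windows Security account-management events rather than process telemetry: Windows AD Privileged Account SID History Addition (4738/4742), Windows Multiple Account Passwords Changed (4724), Windows Multiple Accounts Disabled (4725) and Short Lived Windows Accounts (4720/4726). The block below is an added example of those three shapes of logic (pairing, sliding-window counting, attribute inspection) over constructed events; the windows, thresholds and privileged-RID list are the author's assumptions, not ESCU's values.

```python
"""Account-lifecycle checks over Windows Security events (4720/4724/4725/4726/4738/4742).

Added example, not ESCU's searches. Thresholds, windows and RID list are assumptions."""
from collections import defaultdict

PRIVILEGED_RIDS = {"500", "512", "518", "519"}  # Administrator, Domain/Schema/Enterprise Admins
NOT_CHANGED = {"-", "%%1793", ""}               # how 4738/4742 render an attribute that did not change


def short_lived_accounts(events, window_s=3600):
    """Accounts created (4720) and then deleted (4726) within window_s seconds."""
    created, out = {}, []
    for e in sorted(events, key=lambda x: x["_time"]):
        key = (e.get("TargetDomainName", ""), e["TargetUserName"].lower())
        if e["EventCode"] == 4720:
            created[key] = e
        elif e["EventCode"] == 4726 and key in created:
            c = created.pop(key)
            if e["_time"] - c["_time"] <= window_s:
                out.append({"account": e["TargetUserName"], "created_by": c["SubjectUserName"],
                            "deleted_by": e["SubjectUserName"], "lifetime_s": e["_time"] - c["_time"]})
    return out


def bulk_account_changes(events, code, threshold, window_s=300):
    """Subjects that touched at least `threshold` distinct target accounts with event `code`
    inside some window_s-second sliding window (4724 = password reset, 4725 = disable)."""
    by_subject = defaultdict(list)
    for e in events:
        if e["EventCode"] == code:
            by_subject[e["SubjectUserName"]].append((e["_time"], e["TargetUserName"].lower()))
    out = []
    for subject, items in by_subject.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window_s:
                start += 1
            targets = {t for _, t in items[start:end + 1]}
            if len(targets) >= threshold:
                out.append({"subject": subject, "code": code, "targets": sorted(targets)})
                break  # one alert per subject is enough; the analyst pulls the rest
    return out


def privileged_sid_history(events):
    """4738/4742 where SidHistory was set to a SID whose RID is privileged."""
    out = []
    for e in events:
        if e["EventCode"] in (4738, 4742):
            sid = e.get("SidHistory", "-")
            if sid not in NOT_CHANGED and sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS:
                out.append({"account": e["TargetUserName"], "sid_history": sid,
                            "changed_by": e["SubjectUserName"]})
    return out


def ev(code, t, subject, target, **extra):
    """Build a minimal Security event; real events carry many more fields."""
    return {"EventCode": code, "_time": t, "SubjectUserName": subject,
            "TargetUserName": target, "TargetDomainName": "CORP", **extra}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    ev(4720, 1000, "adm_bad", "svc_backup"),
    ev(4738, 1010, "adm_bad", "svc_backup", SidHistory="S-1-5-21-1111-2222-3333-512"),
    ev(4726, 1300, "adm_bad", "svc_backup"),
    ev(4720, 2000, "hr_admin", "jdoe"),
    ev(4738, 2005, "hr_admin", "jdoe", SidHistory="-"),
    ev(4724, 3000, "helpdesk1", "alice"), ev(4724, 5000, "helpdesk1", "bob"),
    ev(4724, 8000, "helpdesk1", "carol"),
    ev(4724, 9000, "adm_bad", "alice"), ev(4724, 9010, "adm_bad", "bob"),
    ev(4724, 9020, "adm_bad", "carol"), ev(4724, 9030, "adm_bad", "dave"),
    ev(4725, 9040, "adm_bad", "alice"), ev(4725, 9050, "adm_bad", "bob"),
]
```

Note what separates the two password-reset subjects in the sample: helpdesk1 resets three accounts over two hours and never trips a five-minute window, while adm_bad resets four in thirty seconds. Counting distinct targets per window, not raw events, keeps a user who retries one reset from looking like a bulk change.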
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, XWorm, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
Remcos, AsyncRAT
|
2026-05-13
|
|
Windows ConHost with Headless Argument
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564.003
T1564.006
|
TTP
|
Spearphishing Attachments, Compromised Windows Host
|
2026-05-13
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
T1218.011
|
TTP
|
Gh0st RAT, Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Masquerading Msdtc Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036
|
TTP
|
PlugX, Compromised Windows Host
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
CISA AA24-241A, Ransomware, Seashell Blizzard, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters, Cactus Ransomware, Remote Monitoring and Management Software, Command And Control, Gozi Malware, Scattered Spider, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows SoftEther VPN Masquerading as Legitimate Binary
|
Sysmon EventID 1
|
T1036
T1572
|
TTP
|
Flax Typhoon, Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
SystemBC, Qakbot, AsyncRAT, AgentTesla, SesameOp, Volt Typhoon, Lokibot, Data Destruction, Interlock Rat, Trickbot, Industroyer2, Azorult, GhostRedirector IIS Module and Rungan Backdoor, Brute Ratel C4, Axios Supply Chain Post Compromise, SnappyBee, Meduza Stealer, Void Manticore, LockBit Ransomware, Remcos, Hermetic Wiper, BlackByte Ransomware, Derusbi, PlugX, NailaoLocker Ransomware, WhisperGate, Rhysida Ransomware, Crypto Stealer, Chaos Ransomware, NjRAT, Salt Typhoon, ValleyRAT, Cactus Ransomware, Amadey, Quasar RAT, XML Runner Loader, DarkGate Malware, Snake Keylogger, WinDealer RAT, DynoWiper, RedLine Stealer, AcidPour, Graceful Wipe Out Attack, Castle RAT, China-Nexus Threat Activity, Handala Wiper, Warzone RAT, XMRig, PromptLock, VIP Keylogger, Earth Alux, Swift Slicer, MoonPeak, Double Zero Destructor, IcedID, DarkCrystal RAT, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4781, Windows Event Log Security 4768
|
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
CSC Net On The Fly Compilation
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1027.004
|
Hunting
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows DotNet Binary in Non Standard Path
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036.003
T1218.004
|
TTP
|
WhisperGate, Ransomware, Data Destruction, Signed Binary Proxy Execution InstallUtil, Unusual Processes, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows Application Whitelisting Bypass Attempt via Rundll32
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Living Off The Land, Compromised Windows Host, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows LOLBAS Executed Outside Expected Path
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.005
T1218.011
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
Data Destruction, AcidRain
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Attacker Tools On Endpoint
|
Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1003
T1036.005
T1595
|
TTP
|
CISA AA22-264A, Compromised Windows Host, Cisco Network Visibility Module Analytics, XMRig, SamSam Ransomware, Scattered Spider, Unusual Processes, PHP-CGI RCE Attack on Japanese Organizations
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, Compromised Windows Host, BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.007
|
TTP
|
Qakbot, Water Gamayun
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Suspicious IcedID Rundll32 Cmdline
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.011
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1134.004
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host
|
2026-05-13
|
|
Windows Debugger Tool Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1036
|
Hunting
|
DarkGate Malware, PlugX
|
2026-05-13
|
|
Windows AppLocker Block Events
|
|
T1218
|
Anomaly
|
Windows AppLocker
|
2026-05-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
Brute Ratel C4, Meduza Stealer, SnappyBee, AsyncRAT, China-Nexus Threat Activity, PathWiper, Scattered Lapsus$ Hunters, Salt Typhoon, ValleyRAT, Lokibot, Tuoni, Gh0st RAT, Derusbi, DarkGate Malware, WinDealer RAT, PlugX, CISA AA23-347A, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
China-Nexus Threat Activity, NjRAT, Warzone RAT, Salt Typhoon, Earth Alux, SolarWinds WHD RCE Post Exploitation, Derusbi
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation, Cobalt Strike, Earth Alux, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1574.001
|
TTP
|
Qakbot, Water Gamayun, Compromised Windows Host
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
Data Destruction, AcidPour, Industroyer2
|
2026-05-13
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
LockBit Ransomware, Ransomware
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Data Destruction, Windows Privilege Escalation, Hermetic Wiper
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Compromised Windows Host, Graceful Wipe Out Attack, Cobalt Strike, BlackByte Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
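The "with no Command Line Arguments" family above (Rundll32, DLLHost, GPUpdate, SearchProtocolHost, Regsvcs, Regasm) rests on one observation: these binaries always carry arguments when Windows starts them, so an instance with an empty command line is most often a hollowed or injected process. The "with Network" variants then join the Sysmon EventID 1 record to EventID 3 on ProcessGuid. The block below is an added example of both steps over constructed events; the target image list and the argument test are the author's approximation, not ESCU's SPL.

```python
"""LOLBAS started with an empty command line, correlated with its network connections.

Added example, not ESCU's searches. The image list is an assumption to tune per estate."""
from collections import defaultdict
from pathlib import PureWindowsPath

# images that Windows itself never starts with an empty command line (assumption)
NO_ARG_TARGETS = {"rundll32.exe", "dllhost.exe", "gpupdate.exe", "searchprotocolhost.exe",
                  "regsvcs.exe", "regasm.exe"}


def has_no_arguments(command_line, image):
    """True when the command line carries nothing beyond the image itself: a bare name or a
    full path, quoted or unquoted, with only whitespace after it."""
    cmd = command_line.strip()
    if not cmd:
        return True
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return False
        first, rest = cmd[1:end], cmd[end + 1:]
    else:
        first, _, rest = cmd.partition(" ")
    if rest.strip():
        return False
    return PureWindowsPath(first).name.lower() == PureWindowsPath(image).name.lower()


def correlate(events):
    """One finding per no-argument target process, with the EventID 3 connections it
    initiated (joined on ProcessGuid). Severity rises when there is network activity."""
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3 and e.get("Initiated", "true") == "true":
            conns[e["ProcessGuid"]].append((e["DestinationIp"], int(e["DestinationPort"])))
    findings = []
    for e in events:
        if e["EventID"] != 1:
            continue
        name = PureWindowsPath(e["Image"]).name.lower()
        if name in NO_ARG_TARGETS and has_no_arguments(e["CommandLine"], e["Image"]):
            dests = conns.get(e["ProcessGuid"], [])
            findings.append({"image": name, "process_guid": e["ProcessGuid"],
                             "parent": PureWindowsPath(e.get("ParentImage", "")).name.lower(),
                             "destinations": dests, "severity": "high" if dests else "medium"})
    return findings


SAMPLE_EVENTS = [  # constructed Sysmon EventID 1 / 3 records, not real telemetry
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe", "ParentImage": r"C:\Users\bob\AppData\Roaming\update.exe"},
    {"EventID": 3, "ProcessGuid": "{G1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\DllHost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\DllHost.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\gpupdate.exe",
     "CommandLine": r'"C:\Windows\System32\gpupdate.exe"', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "{G4}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

The dllhost.exe record shows why the argument test has to be exact: a COM surrogate always carries /Processid:{CLSID}, so its SMB connection is noise, while the rundll32.exe with nothing after the image name, spawned from a Roaming-profile executable and talking to 203.0.113.10:443, is the pattern the Cobalt Strike and ransomware stories above refer to. The parent image is included in the finding because it is usually the fastest triage pivot.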
Headless Browser Usage
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
T1564.003
|
Anomaly
|
Forest Blizzard, Browser Hijacking
|
2026-05-13
|
|
Detect Regasm with no Command Line Arguments
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity, Void Manticore, Handala Wiper
|
2026-05-13
|
|
Windows AppLocker Rare Application Launch Detection
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
IcedID, DarkSide Ransomware, DHS Report TA18-074A, Sandworm Tools, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, Medusa Ransomware, SamSam Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, CISA AA22-320A, HAFNIUM Group, BlackByte Ransomware, DarkGate Malware
|
2026-05-13
|
|
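The three named-pipe rows (Windows Suspicious C2 Named Pipe, Windows RMM Named Pipe, Windows PUA Named Pipe) all run Sysmon EventID 17/18 PipeName values against lists of pipe names that particular tools create by default. The block below is an added example of that match, not ESCU's lookup: its pattern list is a short illustrative subset the author chose (Cobalt Strike's documented default pipe names and the service pipes of PsExec, PAExec, RemCom and CSExec), with no RMM entries, and the events are constructed.

```python
"""Match Sysmon pipe events (EventID 17 created, 18 connected) against default pipe names
of well-known post-exploitation and lateral-movement tools.

Added example, not ESCU's lookup. The signature list is a small illustrative subset."""
import re

PIPE_SIGNATURES = [
    # (label, family, regex on PipeName exactly as Sysmon logs it, with the leading backslash)
    ("cobaltstrike_default_smb",    "c2",  re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I)),
    ("cobaltstrike_default_ssh",    "c2",  re.compile(r"^\\postex_ssh_[0-9a-f]{4}$", re.I)),
    ("cobaltstrike_default_postex", "c2",  re.compile(r"^\\postex_[0-9a-f]{4}$", re.I)),
    ("cobaltstrike_default_stager", "c2",  re.compile(r"^\\MSSE-\d{4}-server$", re.I)),
    ("cobaltstrike_default_status", "c2",  re.compile(r"^\\status_[0-9a-f]{2}$", re.I)),
    ("psexec_service",              "pua", re.compile(r"^\\PSEXESVC(-[A-Za-z0-9-]+)?$", re.I)),
    ("paexec_service",              "pua", re.compile(r"^\\PAExec-\d+-", re.I)),
    ("remcom_service",              "pua", re.compile(r"^\\RemCom_communicaton", re.I)),
    ("csexec_service",              "pua", re.compile(r"^\\csexecsvc", re.I)),
]
# Chromium-family pipes are the loudest benign source in most estates (assumption)
KNOWN_BENIGN_PREFIXES = ("\\mojo.", "\\chrome.", "\\crashpad_")


def classify_pipe(event):
    """(label, family) for a pipe event that matches a signature, else None."""
    name = event["PipeName"]
    if name.lower().startswith(KNOWN_BENIGN_PREFIXES):
        return None
    for label, family, rx in PIPE_SIGNATURES:
        if rx.match(name):
            return label, family
    return None


def scan(events):
    """Findings for every matching event, in input order."""
    findings = []
    for e in events:
        hit = classify_pipe(e)
        if hit:
            findings.append({"event_id": e["EventID"], "pipe": e["PipeName"],
                             "image": e["Image"], "label": hit[0], "family": hit[1]})
    return findings


SAMPLE_EVENTS = [  # constructed Sysmon 17/18 records, not real telemetry
    {"EventID": 17, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_3f"},
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\MSSE-1337-server"},
    {"EventID": 17, "Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC"},
    {"EventID": 18, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\postex_ssh_1a2b"},
    {"EventID": 17, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "PipeName": r"\mojo.7620.4544.1234567890"},
    {"EventID": 17, "Image": r"C:\Windows\PAExec-4420-WS01.exe", "PipeName": r"\PAExec-4420-WS01"},
    {"EventID": 17, "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
]
```

Two caveats a practitioner will want: these are defaults, and any operator who edits the malleable profile's pipename settings walks past the Cobalt Strike patterns, so the image creating the pipe (an unsigned binary, a LOLBAS with no arguments) is the more durable signal; and EventID 18 fires on the client side, which is what lets a PsExec or PAExec connection be seen on the host that initiated it.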
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows MMC Loaded Script Engine DLL
|
Sysmon EventID 7
|
T1620
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Clear Unallocated Sector Using Cipher App
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070.004
|
TTP
|
Scattered Spider, Compromised Windows Host, Ransomware
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
TTP
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Water Gamayun, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
Headless Browser Mockbin or Mocky Request
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1564.003
|
TTP
|
Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1127.001
|
TTP
|
Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Regsvr32 Silent and Install Param Dll Loading
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.010
|
Anomaly
|
AsyncRAT, Suspicious Regsvr32 Activity, Data Destruction, Remcos, Hermetic Wiper, Living Off The Land
|
2026-05-13
|
|
Windows InstallUtil Remote Network Connection
|
Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3
|
T1218.004
|
Anomaly
|
Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Windows Persistence Techniques, Malicious PowerShell
|
2026-05-13
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
T1036.004
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Data Destruction, Windows Privilege Escalation, Hermetic Wiper, CISA AA23-347A
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Password Spraying
|
2026-05-13
|
|
Detect MSHTA Url in Command Line
|
Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.005
|
TTP
|
Compromised Windows Host, Suspicious MSHTA Activity, APT37 Rustonotto and FadeStealer, XWorm, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Lumma Stealer, Living Off The Land
|
2026-05-13
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Brute Ratel C4, SnappyBee, China-Nexus Threat Activity, Crypto Stealer, Windows Persistence Techniques, Salt Typhoon, Active Directory Lateral Movement, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Derusbi, Gh0st RAT, PlugX, CISA AA23-347A, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Fsutil Zeroing File
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1070
|
TTP
|
LockBit Ransomware, Ransomware
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
IcedID, Axios Supply Chain Post Compromise, XWorm, Winter Vivern, AsyncRAT, APT37 Rustonotto and FadeStealer, NjRAT, MuddyWater, VIP Keylogger, Data Destruction, 0bj3ctivity Stealer, Malicious PowerShell, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Medusa Ransomware, NetSupport RMM Tool Abuse, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
T1218
|
TTP
|
Windows AppLocker
|
2026-05-13
|
|
MacOS Log Removal
|
Osquery Results
|
T1070
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1014
T1082
|
Anomaly
|
Linux Rootkit, XorDDos
|
2026-05-13
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Qakbot, Windows Defense Evasion Tactics, Malicious Inno Setup Loader, Living Off The Land
|
2026-05-13
|
|
Windows Rdp AutomaticDestinations Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Chromium Browser with Custom User Data Directory
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1497
|
Anomaly
|
Lokibot, Malicious Inno Setup Loader, StealC Stealer
|
2026-05-13
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
Windows Drivers, AgentTesla, CISA AA22-320A, BlackByte Ransomware, BlackSuit Ransomware
|
2026-05-13
|
|
Verclsid CLSID Execution
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.012
|
Hunting
|
Unusual Processes
|
2026-05-13
|
|
Linux Medusa Rootkit
|
Sysmon for Linux EventID 11
|
T1014
T1589.001
|
TTP
|
Medusa Rootkit, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware, China-Nexus Threat Activity
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - User Account Deleted From Local Database
|
Cisco ASA Logs
|
T1070.008
T1531
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco ASA - Logging Message Suppression
|
Cisco ASA Logs
|
T1070
T1685.001
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Email Attachments With Lots Of Spaces
|
|
T1036.008
T1566.001
|
Anomaly
|
Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A, Hermetic Wiper
|
2026-05-13
|
|
Detect HTML Help Spawn Child Process
|
Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2
|
T1218.001
|
TTP
|
Compromised Windows Host, APT37 Rustonotto and FadeStealer, AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi System Clock Manipulation
|
VMWare ESXi Syslog
|
T1070.006
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Okta MFA Exhaustion, Okta Account Takeover, Suspicious Okta Activity
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi Audit Tampering
|
VMWare ESXi Syslog
|
T1070
T1690
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Email Transport Rule Changed
|
Office 365 Universal Audit Log
|
T1114.003
T1564.008
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Email Send Attachments Excessive Volume
|
Office 365 Universal Audit Log
|
T1070.008
T1485
|
Anomaly
|
Office 365 Account Takeover, Suspicious Emails
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
T1535
T1586
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Email Password and Payroll Compromise Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
TTP
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Email Receive and Hard Delete Takeover Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2026-05-13
|
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
T1535
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
O365 Email Hard Delete Excessive Volume
|
Office 365 Universal Audit Log
|
T1070.008
T1485
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Suspicious Emails
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2026-05-13
|
|
O365 Email New Inbox Rule Created
|
Office 365 Universal Audit Log
|
T1114.003
T1564.008
|
Anomaly
|
Office 365 Collection Techniques
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Email Send and Hard Delete Exfiltration Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
Scattered Lapsus$ Hunters, AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Email Send and Hard Delete Suspicious Behavior
|
Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
O365 BEC Email Hiding Rule Created
|
|
T1564.008
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218.011
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
T1027
T1105
|
Anomaly
|
Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|