Analytic Stories

Name	Data Sources	Tactics	Products	Date
Splunk Vulnerabilities	Splunk	Credential Access Discovery Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-14
NPM Supply Chain Compromise	Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Execution Impact Initial Access Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Interlock Rat	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command and Control Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious MSHTA Activity	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious AWS S3 Activities	ASL AWS CloudTrail, AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail	Collection Exfiltration Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
XWorm	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698	Command and Control Defense Impairment Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Okta MFA Exhaustion	Okta	Credential Access Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
0bj3ctivity Stealer	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	Command and Control Credential Access Discovery Execution Exfiltration Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
IIS Components	CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 2282, Windows Event Log Security 4688, Windows IIS 29	Defense Impairment Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
HTTP Request Smuggling	Nginx Access, Suricata	Command and Control Initial Access Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Prohibited Traffic Allowed or Protocol Mismatch	Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 22	Command and Control Exfiltration Initial Access Lateral Movement	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4727, Windows Event Log Security 4730, Windows Event Log Security 4731, Windows Event Log Security 4737, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4756, Windows Event Log Security 4759, Windows Event Log Security 4783, Windows Event Log Security 4790	Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Compromised Windows Host	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 104, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Network Visibility Module Analytics	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Command and Control Credential Access Discovery Execution Exfiltration Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
XML Runner Loader	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Lateral Movement Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Disabling Security Tools	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Impairment Discovery Execution Impact Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DarkSide Ransomware	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Command and Control Credential Access Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Qakbot	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Command and Control Defense Impairment Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PromptLock	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Snake Keylogger	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Water Gamayun	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4798	Collection Command and Control Credential Access Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Living Off The Land	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Command and Control Credential Access Defense Impairment Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Log4Shell CVE-2021-44228	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Nginx Access, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Hidden Cobra Malware	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Zeek Conn	Command and Control Execution Exfiltration Lateral Movement Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Medusa Rootkit	Sysmon for Linux EventID 11	Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ColdRoot MacOS RAT	Osquery Results, Sysmon EventID 1	N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
JBoss Vulnerability		Discovery Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
XorDDos	Linux Auditd Cwd, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Command and Control Credential Access Defense Impairment Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS IAM Privilege Escalation	ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail	Credential Access Discovery Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MSIX Package Abuse	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log AppXDeployment-Server 400, Windows Event Log AppXDeployment-Server 854, Windows Event Log AppXDeployment-Server 855, Windows Event Log AppXPackaging 171, Windows Event Log Security 4688	Defense Impairment Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AMOS Stealer	Osquery Results	Execution	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Masquerading - Rename System Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Impact Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Security Solution Tampering	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Impairment Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Black Basta Ransomware	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, VMWare ESXi Syslog, Windows Event Log Printservice 316, Windows Event Log Printservice 4909, Windows Event Log Printservice 808, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ValleyRAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Defense Impairment Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Zscaler Browser Proxy Threats		Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MOVEit Transfer Critical Vulnerability	Sysmon EventID 11	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ivanti EPMM Remote Unauthenticated Access	Suricata	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Browser Hijacking	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Collection Discovery Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357	Suricata	Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Oracle E-Business Suite Exploitation	Cisco Secure Firewall Threat Defense Intrusion Event	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Derusbi	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Critical Alerts	AWS Security Hub, Cisco AI Defense Alerts, CrowdStrike Falcon Stream Alert, MS Defender ATP Alerts, MS365 Defender Incident Alerts, Splunk AppDynamics Secure Application Alert	N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Netsh Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Defense Impairment Discovery Execution Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Lumma Stealer	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Command and Control Execution Exfiltration Initial Access Lateral Movement Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CVE-2022-40684 Fortinet Appliance Auth bypass	Palo Alto Network Threat	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Malicious Inno Setup Loader	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cleo File Transfer Software	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Discovery Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Subvert Trust Controls SIP and Trust Provider Hijacking	Sysmon EventID 13, Windows Event Log CAPI2 81	Defense Impairment	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Apache Tomcat Session Deserialization Attacks	Nginx Access	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MacOS Post-Exploitation	Osquery Results	Defense Impairment Discovery Exfiltration Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MoonPeak	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Command and Control Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PromptFlux	Sysmon EventID 11, Sysmon EventID 22	Command and Control Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PaperCut MF NG Vulnerability	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688	Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ivanti Virtual Traffic Manager CVE-2024-7593	Ivanti VTM Audit	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows System Binary Proxy Execution MSIExec	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MOVEit Transfer Authentication Bypass		Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Braodo Stealer	Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663	Collection Credential Access Defense Impairment Discovery Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Volt Typhoon	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Command and Control Credential Access Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious GCP Storage Activities		Collection	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Trusted Developer Utilities Proxy Execution MSBuild	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Detect Zerologon Attack	Sysmon EventID 10, Windows Event Log Security 4742	Credential Access Initial Access Lateral Movement	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SystemBC	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PXA Stealer	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688	Defense Impairment Discovery Execution Initial Access Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS Identity and Access Management Account Takeover	ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Impairment Discovery Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Lotus Blossom Chrysalis Backdoor	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045	Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Linux Living Off The Land	Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ingress Tool Transfer	Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Execution Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Snake Malware	Sysmon EventID 11, Sysmon EventID 13, Windows Event Log System 7045	Defense Impairment Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SQL Injection		Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VanHelsing Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 5145	Credential Access Execution Impact Lateral Movement Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Microsoft SharePoint Vulnerabilities	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Credential Access Initial Access Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Windows Registry Activities	Sysmon EventID 13	Defense Impairment Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Disk Wiper	Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 9	Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MuddyWater	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688	Execution Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Castle RAT	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	Collection Defense Impairment Discovery Execution Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
WS FTP Server Critical Vulnerabilities	CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Suricata, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows BootKits	Sysmon EventID 11, Sysmon EventID 13	Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ProxyNotShell	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows IIS	Command and Control Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Dynamic DNS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Exfiltration Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows DNS SIGRed CVE-2020-1350		Execution	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PHP-CGI RCE Attack on Japanese Organizations	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control Credential Access Discovery Execution Initial Access Persistence Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Prestige Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cloud Federated Credential Abuse	ASL AWS CloudTrail, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Impairment Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
XMRig	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798	Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4728, Windows Event Log Security 4732, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Impairment Discovery Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
IcedID	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Industroyer2	CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Credential Access Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NotDoor Malware	Sysmon EventID 11, Sysmon EventID 13	Command and Control Defense Impairment Execution Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Collection and Staging	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Collection Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ivanti Sentry Authentication Bypass CVE-2023-38035	Suricata	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS Network ACL Activity	ASL AWS CloudTrail, AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail DeleteNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry	Defense Impairment	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
RedLine Stealer	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040	Command and Control Credential Access Defense Impairment Discovery Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Ollama Activities	Ollama Server	Command and Control Execution Exfiltration Impact Initial Access Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SolarWinds WHD RCE Post Exploitation	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Command and Control Defense Impairment Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Okta Activity	Okta	Command and Control Credential Access Discovery Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CrushFTP Vulnerabilities	CrowdStrike ProcessRollup2, CrushFTP, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Clop Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104, Windows Event Log System 7045	Defense Impairment Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
WinRAR Spoofing Attack CVE-2023-38831	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VoidLink Cloud-Native Linux Malware	Cisco Isovalent Process Connect, Cisco Isovalent Process Exec, Cisco Isovalent Process Kprobe, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Path, Osquery Results, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Router and Infrastructure Security	Cisco IOS Logs	Collection Credential Access Exfiltration Impact Initial Access Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VMware Server Side Injection and Privilege Escalation	Palo Alto Network Threat, Sysmon EventID 11	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Post-Exploitation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Microsoft MSHTML Remote Code Execution CVE-2021-40444	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Initial Access Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Monitor for Updates		N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cactus Ransomware	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Windows Event Log Security 4688, Windows Event Log Security 4698	Command and Control Credential Access Defense Impairment Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Gozi Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688	Command and Control Credential Access Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
JetBrains TeamCity Vulnerabilities	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NetSupport RMM Tool Abuse	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Sysmon EventID 29, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948	Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Insider Threat	Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145	Command and Control Credential Access Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Behavioral Analytics, Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Jenkins Server Vulnerabilities	Nginx Access	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Brand Monitoring		N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Credential Access Defense Impairment Execution Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Telnetd CVE-2026-24061	Sysmon for Linux EventID 1	Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DNS Hijacking	Sysmon EventID 22	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Apache Struts Vulnerability	Sysmon EventID 1	Discovery Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious DNS Traffic	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 5136, Windows Event Log Security 5137	Collection Command and Control Credential Access Exfiltration Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Scheduled Tasks	CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Defense Impairment Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Data Destruction	AWS Cloudfront, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Meterpreter	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Execution Lateral Movement Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Secure Access Analytics	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic, Sysmon EventID 3	Command and Control Credential Access Execution Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Fortinet FortiNAC CVE-2022-39952	Palo Alto Network Threat	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Kubernetes Security	Kubernetes Audit, Kubernetes Falco	Credential Access Discovery Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
LockBit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Defense Impairment Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ivanti EPM Vulnerabilities	Suricata	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Citrix Netscaler ADC CVE-2023-3519	Palo Alto Network Threat	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Azure Active Directory Privilege Escalation	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory, O365 Add app role assignment grant to user., Office 365 Universal Audit Log, Powershell Script Block Logging 4104	Command and Control Credential Access Discovery Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
3CX Supply Chain Attack	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Backdoor Pingpong	Cisco Secure Access Firewall, Palo Alto Network Traffic, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Command and Control Defense Impairment Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Rhysida Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MacOS Privilege Escalation	Osquery Results	Credential Access Defense Impairment Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Okta Account Takeover	Okta	Credential Access Defense Impairment Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Baron Samedit CVE-2021-3156		Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Unusual Processes	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Credential Access Defense Impairment Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Network Discovery	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Discovery Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Spring4Shell CVE-2022-22965	Nginx Access, Splunk Stream HTTP, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Hellcat Ransomware	AWS CloudTrail CreateTask, Azure Active Directory Set domain authentication, Azure Active Directory Update user, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense File Event, CrowdStrike ProcessRollup2, CrushFTP, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, Osquery Results, Palo Alto Network Threat, Powershell Script Block Logging 4104, Splunk Stream HTTP, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Application 17135, Windows Event Log CAPI2 70, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	Suricata	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows File Extension and Association Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NailaoLocker Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688	Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Fake CAPTCHA Campaigns	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Command and Control Execution Exfiltration Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS User Monitoring	AWS CloudTrail	Discovery	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Interlock Ransomware	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log Security 5136	Command and Control Credential Access Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Catalyst SD-WAN Analytics	Cisco SD-WAN NTCE 1000001, Cisco SD-WAN Service Proxy Access Logs	Initial Access Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Log Manipulation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104	Defense Impairment Impact Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BITS Jobs	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Execution Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Amadey	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Defense Impairment Discovery Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Juniper JunOS Remote Code Execution	Suricata	Command and Control Execution Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Cloud Authentication Activities	AWS CloudTrail	Credential Access Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
APT37 Rustonotto and FadeStealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 7045	Collection Command and Control Credential Access Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CVE-2023-21716 Word RTF Heap Corruption	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Discovery Techniques	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Discovery Execution Reconnaissance	Splunk Behavioral Analytics, Splunk Cloud, Splunk Enterprise, Splunk Enterprise Security	2026-05-13
Forest Blizzard	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Discovery Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
China-Nexus Threat Activity	AWS CloudWatchLogs VPCflow, Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NjRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SamSam Ransomware	Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Zeek Conn	Credential Access Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA22-264A	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104	Credential Access Defense Impairment Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Linux Privilege Escalation	Cisco Isovalent Process Exec, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Secure Firewall Threat Defense Analytics	AWS CloudWatchLogs VPCflow, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Firewall Threat Defense File Event, Cisco Secure Firewall Threat Defense Intrusion Event, Palo Alto Network Traffic	Command and Control Credential Access Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Office 365 Account Takeover	O365 Add app role assignment grant to user., O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log	Collection Credential Access Defense Impairment Execution Exfiltration Impact Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AcidRain	Sysmon for Linux EventID 11	Impact Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Defense Evasion Tactics	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040	Credential Access Defense Impairment Discovery Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
QuietVault	Linux Auditd Cwd, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall	Discovery Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Defense Evasion or Unauthorized Access Via SDDL Tampering	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Impairment Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Trickbot	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145	Defense Impairment Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Meduza Stealer	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Command and Control Credential Access Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NOBELIUM Group	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Collection Command and Control Credential Access Discovery Execution Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Trusted Developer Utilities Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ransomware	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036	Collection Command and Control Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966	Suricata	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
WinDealer RAT	Sysmon EventID 11, Sysmon EventID 13, Windows Event Log Security 4703	Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ArcaneDoor	Cisco ASA Logs, Cisco Secure Firewall Threat Defense Intrusion Event	Collection Command and Control Credential Access Defense Impairment Discovery Exfiltration Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Emotet Malware DHS Report TA18-201A	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS Security Hub Alerts	AWS Security Hub	N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious User Agents	Nginx Access, Suricata, Sysmon EventID 1	Command and Control	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Kerberos Coercion with DNS	Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4662, Windows Event Log Security 5136, Windows Event Log Security 5137	Collection Command and Control Credential Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Brute Ratel C4	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command and Control Credential Access Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Silver Sparrow	CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Error Reporting Service Elevation of Privilege Vulnerability	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698	Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Compiled HTML Activity	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
WordPress Vulnerabilities	Nginx Access	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ZOVWiper	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log Security 4688	Credential Access Impact Lateral Movement Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco IOS XE Software Web Management User Interface vulnerability	Suricata	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Information Sabotage	Windows Event Log Security 5145	Exfiltration	Splunk Behavioral Analytics, Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Asset Tracking		N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
F5 Authentication Bypass with TMUI	Suricata	N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
F5 BIG-IP Vulnerability CVE-2022-1388	Palo Alto Network Threat	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Remote Monitoring and Management Software	Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698	Command and Control Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AcidPour	Sysmon EventID 11, Sysmon for Linux EventID 11	Impact Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Execution	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Duo Suspicious Activity	Cisco Duo Activity, Cisco Duo Administrator	Credential Access Defense Impairment Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Secret Blizzard	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Impairment Persistence Resource Development	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Password Spraying	Azure Active Directory Sign-in activity, NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4720, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776	Credential Access Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA22-277A	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Command and Control Defense Impairment Discovery Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CVE-2023-23397 Outlook Elevation of Privilege	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Exfiltration	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Cloud Provisioning Activities	AWS CloudTrail	Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cyclops Blink	Sysmon for Linux EventID 1	Defense Impairment Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
F5 TMUI RCE CVE-2020-5902		Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Signed Binary Proxy Execution InstallUtil	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688	Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365, Office 365 Universal Audit Log	Collection Credential Access Defense Impairment Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ivanti Connect Secure VPN Vulnerabilities	Suricata	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
OpenSSL CVE-2022-3602		Command and Control	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Privilege Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769	Credential Access Defense Impairment Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Zoom Child Processes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PlugX	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DHS Report TA18-074A	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732	Command and Control Defense Impairment Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
HAFNIUM Group	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732	Collection Command and Control Credential Access Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Medusa Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4728, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948	Command and Control Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Microsoft WSUS CVE-2025-59287	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Emails	Office 365 Reporting Message Trace, Office 365 Universal Audit Log	Collection Impact Initial Access Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious AWS Traffic		N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Phemedrone Stealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688	Command and Control Credential Access Discovery Execution Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ESXi Post Compromise	CrowdStrike ProcessRollup2, Sysmon EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4688	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Command-Line Executions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Drivers	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045	Defense Impairment Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Cisco Adaptive Security Appliance Activity	Cisco ASA Logs	Collection Credential Access Defense Impairment Discovery Exfiltration Impact Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Caddy Wiper	Sysmon EventID 9	Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VIP Keylogger	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PrintNightmare CVE-2021-34527	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Printservice 316, Windows Event Log Printservice 4909, Windows Event Log Printservice 808, Windows Event Log Security 4688	Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Deobfuscate-Decode Files or Information	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Hermetic Wiper	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145	Command and Control Credential Access Defense Impairment Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Lateral Movement	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045, Zeek Conn	Credential Access Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Dev Sec Ops	ASL AWS CloudTrail, AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail	Credential Access Discovery Execution Exfiltration Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows AppLocker		Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Discovery	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045	Collection Credential Access Discovery Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Double Zero Destructor	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 1, Windows Event Log Security 4688	Defense Impairment Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AgentTesla	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045	Command and Control Credential Access Defense Impairment Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Domain Trust Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Discovery	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SesameOp	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Command and Control Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Tuoni	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Command and Control Execution Lateral Movement Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Credential Dumping	CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Impairment Execution Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Azorult	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Use of Cleartext Protocols	Cisco Secure Firewall Threat Defense Connection Event	N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MacOS Persistence Techniques	Osquery Results	Defense Impairment Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
sAMAccountName Spoofing and Domain Controller Impersonation	Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781	Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious WMI Use	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 21, Windows Event Log Security 4688	Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Text4Shell CVE-2022-42889	Nginx Access	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VMware Aria Operations vRealize CVE-2023-20887	Palo Alto Network Threat, Sysmon EventID 11	Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious AWS Login Activities	AWS CloudTrail ConsoleLogin, AWS CloudTrail	Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AsyncRAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Execution Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
StealC Stealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SysAid On-Prem Software CVE-2023-47246 Vulnerability	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Quasar RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	Credential Access Defense Impairment Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Seashell Blizzard	CrowdStrike ProcessRollup2, Nginx Access, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Application 15457, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows IIS	Command and Control Credential Access Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows RDP Artifacts and Defense Evasion	Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4688, Zeek Conn	Credential Access Defense Impairment Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Confluence Data Center and Confluence Server Vulnerabilities	CrowdStrike ProcessRollup2, Nginx Access, Palo Alto Network Threat, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Initial Access Persistence Resource Development	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CVE-2023-36884 Office and Windows HTML RCE Vulnerability	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cloud Cryptomining	AWS CloudTrail	Defense Impairment Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PetitPotam NTLM Relay on Active Directory Certificate Services	Windows Event Log Security 4768, Windows Event Log Security 5145	Credential Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Linux Rootkit	Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Command and Control Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Outlook RCE CVE-2024-21378	Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1	Defense Impairment Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlankGrabber Stealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	Nginx Access, Suricata, Sysmon EventID 11	Initial Access Resource Development	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Audit Policy Tampering	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4719	Defense Impairment Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Storm-2460 CLFS Zero Day Exploitation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Execution Impact Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Storm-0501 Ransomware	Azure Active Directory Add member to role, Azure Active Directory Set domain authentication, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Rundll32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Credential Access Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Spearphishing Attachments	CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688	Collection Command and Control Credential Access Execution Initial Access Lateral Movement Persistence Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Salt Typhoon	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Execution Initial Access Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Gh0st RAT	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Defense Impairment Discovery Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Reverse Network Proxy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Office 365 Collection Techniques	O365 Add-MailboxPermission, O365 MailItemsAccessed, O365 ModifyFolderPermissions, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log	Collection Credential Access Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777	Cisco Secure Firewall Threat Defense Intrusion Event, Suricata	Execution Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Atlassian Confluence Server and Data Center CVE-2022-26134	Palo Alto Network Threat, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Termite Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4688, Windows Event Log System 7036	Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Winter Vivern	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Discovery Execution Exfiltration Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Data Exfiltration	ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Nginx Access, O365, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Exfiltration Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
GitHub Malicious Activity	GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs	Defense Impairment Impact Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
FIN7	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Impairment Discovery Execution Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Revil Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Defense Impairment Execution Impact Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SnappyBee	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Credential Access Defense Impairment Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Earth Alux	CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Discovery Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DarkCrystal RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Command and Control Defense Impairment Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ShrinkLocker	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948, Windows Event Log System 104	Defense Impairment Execution Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Kubernetes Sensitive Object Access Activity		N/A	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Registry Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Execution Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Daemon Abort, Linux Auditd Daemon End, Linux Auditd Daemon Start, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Sandworm Tools	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Credential Access Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Cloud User Activities	ASL AWS CloudTrail, AWS CloudTrail	Defense Impairment Discovery Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Malicious PowerShell	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command and Control Credential Access Defense Impairment Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Certificate Services	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887	Collection Command and Control Credential Access Execution Lateral Movement	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Microsoft 365 Copilot Activities	M365 Copilot Graph API, M365 Exported eDiscovery Prompts	Credential Access Defense Impairment Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Linux Post-Exploitation	Sysmon EventID 1, Sysmon for Linux EventID 1	Command and Control Execution Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Orangeworm Attack Group	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036	Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
GCP Account Takeover	Google Workspace login_failure, Google Workspace	Credential Access Defense Impairment Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS S3 Bucket Security Monitoring	AWS Cloudfront, Sysmon EventID 22	Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
GhostRedirector IIS Module and Rungan Backdoor	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Nginx Access, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Application 15457, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log System 4720, Windows Event Log System 4726, Windows IIS 29	Command and Control Defense Impairment Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Remote Employment Fraud	Okta	Collection Command and Control Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Local LLM Frameworks	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Persistence Privilege Escalation Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
React2Shell	Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1	Execution Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Local Privilege Escalation With KrbRelayUp	Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log System 7045	Collection Command and Control Credential Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Crypto Stealer	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4688, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Isovalent Suspicious Activity	Cisco Isovalent Process Connect, Cisco Isovalent Process Exec, Cisco Isovalent Process Kprobe, Sysmon for Linux EventID 1	Command and Control Credential Access Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring		Execution	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BishopFox Sliver Adversary Emulation Framework	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command and Control Execution Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Persistence Techniques	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Credential Access Defense Impairment Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Command And Control	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Command and Control Execution Exfiltration Initial Access Lateral Movement Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Handala Wiper	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Windows Event Log Security 4688	Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Cloud Instance Activities	ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail	Exfiltration Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Warzone RAT	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688	Credential Access Defense Impairment Discovery Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA24-241A	CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201, Windows IIS	Command and Control Defense Impairment Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS Defense Evasion	ASL AWS CloudTrail, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail	Defense Impairment Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Kubernetes Scanning Activity		Discovery	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Swift Slicer	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log Security 4688	Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DynoWiper	Sysmon EventID 11, Sysmon EventID 23, Sysmon EventID 26	Impact Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AwfulShred	Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Defense Impairment Execution Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Scattered Spider	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Lokibot	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Command and Control Credential Access Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Azure Active Directory Persistence	Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726	Command and Control Credential Access Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SQL Server Abuse	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 15457, Windows Event Log Application 17135, Windows Event Log Application 8128, Windows Event Log Security 4688	Command and Control Execution Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Attack Surface Reduction	Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1132, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007	Defense Impairment Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
APT29 Diplomatic Deceptions with WINELOADER	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688	Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ransomware Cloud	ASL AWS CloudTrail, AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy, AWS CloudTrail, Office 365 Universal Audit Log	Execution Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Service Abuse	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036	Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS Bedrock Security	AWS CloudTrail DeleteGuardrail, AWS CloudTrail DeleteKnowledgeBase, AWS CloudTrail DeleteModelInvocationLoggingConfiguration, AWS CloudTrail	Defense Impairment Discovery Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Citrix ShareFile RCE CVE-2023-24489	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688	Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Regsvcs Regasm Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Regsvr32 Activity	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Defense Impairment Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
WhisperGate	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 9, Windows Event Log Security 4688	Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
MetaSploit	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Execution	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
LAMEHUG	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Collection Command and Control Discovery	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
GCP Cross Account Activity		Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Scattered Lapsus$ Hunters	ASL AWS CloudTrail, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail ModifyDBInstance, AWS CloudWatchLogs VPCflow, Azure Active Directory Add member to role, Azure Active Directory Disable Strong Authentication, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update user, Azure Active Directory User registered security info, Azure Active Directory, Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, Google Workspace login_failure, Google Workspace, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, O365 UserLoggedIn, O365 UserLoginFailed, Office 365 Universal Audit Log, Okta, Palo Alto Network Threat, Palo Alto Network Traffic, PingID, Powershell Script Block Logging 4104, Splunk Stream TCP, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1100, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4732, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4756, Windows Event Log Security 4759, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4783, Windows Event Log Security 4790, Windows Event Log Security 4794, Windows Event Log System 7036	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
JetBrains TeamCity Unauthenticated RCE	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ryuk Ransomware	Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Zeek Conn	Credential Access Defense Impairment Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
SAP NetWeaver Exploitation	Suricata, Sysmon EventID 10, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ProxyShell	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows IIS	Execution Initial Access Persistence	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Credential Access Discovery Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory, Azure Monitor Activity, Office 365 Universal Audit Log, Powershell Script Block Logging 4104	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Flax Typhoon	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045	Command and Control Credential Access Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Sneaky Active Directory Persistence Tricks	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4728, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141	Credential Access Defense Impairment Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Compromised User Account	ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, Cisco Secure Access Firewall, Office 365 Universal Audit Log, PingID, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4625	Collection Credential Access Defense Impairment Discovery Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Data Protection	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Collection Command and Control Initial Access Lateral Movement	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DNS Amplification Attacks		Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Kerberos Attacks	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781	Credential Access Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
PathWiper	CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 9, Windows Event Log Security 4688, Windows Event Log Security 4703	Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Smart Install Remote Code Execution CVE-2018-0171	Cisco IOS Logs, Cisco Secure Firewall Threat Defense Intrusion Event, Splunk Stream TCP	Collection Credential Access Defense Impairment Discovery Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlackMatter Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036	Credential Access Discovery Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA22-257A	CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Command and Control Credential Access Execution Initial Access Lateral Movement Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Linux Persistence Techniques	Cisco Isovalent Process Exec, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Chaos Ransomware	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Gomir	Linux Auditd Proctitle, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1	Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious MCP Activities	MCP Server	Credential Access Execution	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Void Manticore	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log Security 4688, Windows Event Log System 7045	Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cobalt Strike	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Command and Control Execution Lateral Movement Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlackLotus Campaign	Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3	Defense Impairment Impact Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ConnectWise ScreenConnect Vulnerabilities	Nginx Access, Suricata, Sysmon EventID 11, Windows Event Log Security 4663	Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Axios Supply Chain Post Compromise	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Command and Control Credential Access Defense Impairment Execution Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13