Collection Analytic Stories

Name	Data Sources	Tactics	Products	Date
Linux Living Off The Land	Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
StealC Stealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Cisco Adaptive Security Appliance Activity	Cisco ASA Logs	Collection Credential Access Defense Impairment Discovery Exfiltration Impact Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Hellcat Ransomware	AWS CloudTrail CreateTask, Azure Active Directory Set domain authentication, Azure Active Directory Update user, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense File Event, CrowdStrike ProcessRollup2, CrushFTP, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, Osquery Results, Palo Alto Network Threat, Powershell Script Block Logging 4104, Splunk Stream HTTP, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Application 17135, Windows Event Log CAPI2 70, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Browser Hijacking	CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688	Collection Discovery Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Local Privilege Escalation With KrbRelayUp	Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log System 7045	Collection Command and Control Credential Access Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Salt Typhoon	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Castle RAT	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702	Collection Defense Impairment Discovery Execution Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Kerberos Coercion with DNS	Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4662, Windows Event Log Security 5136, Windows Event Log Security 5137	Collection Command and Control Credential Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious GCP Storage Activities		Collection	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Prestige Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ESXi Post Compromise	CrowdStrike ProcessRollup2, Sysmon EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4688	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Water Gamayun	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4798	Collection Command and Control Credential Access Discovery Execution Exfiltration Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
China-Nexus Threat Activity	AWS CloudWatchLogs VPCflow, Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Silver Sparrow	CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Brute Ratel C4	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045	Collection Command and Control Credential Access Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
APT37 Rustonotto and FadeStealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 7045	Collection Command and Control Credential Access Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Azure Active Directory Account Takeover	Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory, Azure Monitor Activity, Office 365 Universal Audit Log, Powershell Script Block Logging 4104	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Router and Infrastructure Security	Cisco IOS Logs	Collection Credential Access Exfiltration Impact Initial Access Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ransomware	Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036	Collection Command and Control Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Malicious Inno Setup Loader	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA22-320A	CrowdStrike ProcessRollup2, Nginx Access, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Compromised User Account	ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, Cisco Secure Access Firewall, Office 365 Universal Audit Log, PingID, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4625	Collection Credential Access Defense Impairment Discovery Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Compromised Linux Host	Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Daemon Abort, Linux Auditd Daemon End, Linux Auditd Daemon Start, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Remcos	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Credential Access Defense Impairment Execution Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Braodo Stealer	Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663	Collection Credential Access Defense Impairment Discovery Execution Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Privilege Escalation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4728, Windows Event Log Security 4732, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145	Collection Credential Access Defense Impairment Discovery Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Data Exfiltration	ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Nginx Access, O365, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Exfiltration Impact Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Remote Employment Fraud	Okta	Collection Command and Control Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Scattered Lapsus$ Hunters	ASL AWS CloudTrail, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail ModifyDBInstance, AWS CloudWatchLogs VPCflow, Azure Active Directory Add member to role, Azure Active Directory Disable Strong Authentication, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update user, Azure Active Directory User registered security info, Azure Active Directory, Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, Google Workspace login_failure, Google Workspace, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, O365 UserLoggedIn, O365 UserLoginFailed, Office 365 Universal Audit Log, Okta, Palo Alto Network Threat, Palo Alto Network Traffic, PingID, Powershell Script Block Logging 4104, Splunk Stream TCP, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1100, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4732, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4756, Windows Event Log Security 4759, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4783, Windows Event Log Security 4790, Windows Event Log Security 4794, Windows Event Log System 7036	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
HAFNIUM Group	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732	Collection Command and Control Credential Access Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cobalt Strike	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688	Collection Command and Control Execution Lateral Movement Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Office 365 Persistence Mechanisms	O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365, Office 365 Universal Audit Log	Collection Credential Access Defense Impairment Persistence Privilege Escalation	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Ingress Tool Transfer	Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Execution Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlankGrabber Stealer	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Initial Access Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious Emails	Office 365 Reporting Message Trace, Office 365 Universal Audit Log	Collection Impact Initial Access Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Collection and Staging	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688	Collection Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious AWS S3 Activities	ASL AWS CloudTrail, AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail	Collection Exfiltration Impact	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Post-Exploitation	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Lokibot	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Command and Control Credential Access Discovery Execution Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlackSuit Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Credential Access Discovery Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
BlackByte Ransomware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS	Collection Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Winter Vivern	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Discovery Execution Exfiltration Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Graceful Wipe Out Attack	CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA22-277A	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688	Collection Command and Control Defense Impairment Discovery Execution Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
CISA AA23-347A	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
ArcaneDoor	Cisco ASA Logs, Cisco Secure Firewall Threat Defense Intrusion Event	Collection Command and Control Credential Access Defense Impairment Discovery Exfiltration Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Network Discovery	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Discovery Reconnaissance	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Compromised Windows Host	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 104, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
AWS Identity and Access Management Account Takeover	ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail	Collection Credential Access Defense Impairment Discovery Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Office 365 Collection Techniques	O365 Add-MailboxPermission, O365 MailItemsAccessed, O365 ModifyFolderPermissions, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log	Collection Credential Access Impact Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Windows Certificate Services	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887	Collection Command and Control Credential Access Execution Lateral Movement	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
IcedID	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Defense Impairment Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Suspicious DNS Traffic	CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 5136, Windows Event Log Security 5137	Collection Command and Control Credential Access Exfiltration Initial Access	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Data Protection	CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Collection Command and Control Initial Access Lateral Movement	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Cisco Smart Install Remote Code Execution CVE-2018-0171	Cisco IOS Logs, Cisco Secure Firewall Threat Defense Intrusion Event, Splunk Stream TCP	Collection Credential Access Defense Impairment Discovery Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Crypto Stealer	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4688, Windows Event Log System 7045	Collection Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
VIP Keylogger	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Persistence Privilege Escalation Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NOBELIUM Group	Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036	Collection Command and Control Credential Access Discovery Execution Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
NPM Supply Chain Compromise	Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Execution Impact Initial Access Persistence Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Spearphishing Attachments	CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688	Collection Command and Control Credential Access Execution Initial Access Lateral Movement Persistence Reconnaissance Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Active Directory Discovery	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045	Collection Credential Access Discovery Execution Initial Access Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Black Basta Ransomware	Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, VMWare ESXi Syslog, Windows Event Log Printservice 316, Windows Event Log Printservice 4909, Windows Event Log Printservice 808, Windows Event Log Security 4688	Collection Command and Control Credential Access Defense Impairment Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Data Destruction	AWS Cloudfront, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201	Collection Command and Control Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
DarkGate Malware	CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703	Collection Credential Access Defense Impairment Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
Office 365 Account Takeover	O365 Add app role assignment grant to user., O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log	Collection Credential Access Defense Impairment Execution Exfiltration Impact Initial Access Persistence Privilege Escalation Resource Development Stealth	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13
LAMEHUG	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688	Collection Command and Control Discovery	Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security	2026-05-13