|
PTC Windchill Exploitation
|
Windchill Log4j
|
Collection
Execution
Initial Access
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-06-14
|
|
LockBit Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Defense Impairment
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Ransomware Cloud
|
ASL AWS CloudTrail, AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy, AWS CloudTrail, Office 365 Universal Audit Log
|
Execution
Impact
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cisco Isovalent Suspicious Activity
|
Cisco Isovalent Process Connect, Cisco Isovalent Process Exec, Cisco Isovalent Process Kprobe, Sysmon for Linux EventID 1
|
Command and Control
Credential Access
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Tuoni
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Command and Control
Execution
Lateral Movement
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
PHP-CGI RCE Attack on Japanese Organizations
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Initial Access
Persistence
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Scattered Lapsus$ Hunters
|
ASL AWS CloudTrail, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail ModifyDBInstance, AWS CloudWatchLogs VPCflow, Azure Active Directory Add member to role, Azure Active Directory Disable Strong Authentication, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update user, Azure Active Directory User registered security info, Azure Active Directory, Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, Google Workspace login_failure, Google Workspace, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, O365 UserLoggedIn, O365 UserLoginFailed, Office 365 Universal Audit Log, Okta, Palo Alto Network Threat, Palo Alto Network Traffic, PingID, Powershell Script Block Logging 4104, Splunk Stream TCP, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1100, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4732, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4756, Windows Event Log Security 4759, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4783, Windows Event Log Security 4790, Windows Event Log Security 4794, Windows Event Log System 7036
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
ProxyNotShell
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows IIS
|
Command and Control
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
NotDoor Malware
|
Sysmon EventID 11, Sysmon EventID 13
|
Command and Control
Defense Impairment
Execution
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
VoidLink Cloud-Native Linux Malware
|
Cisco Isovalent Process Connect, Cisco Isovalent Process Exec, Cisco Isovalent Process Kprobe, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Path, Osquery Results, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
APT29 Diplomatic Deceptions with WINELOADER
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Meduza Stealer
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Command and Control
Credential Access
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Water Gamayun
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4798
|
Collection
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
JetBrains TeamCity Unauthenticated RCE
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Phemedrone Stealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Masquerading - Rename System Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Impact
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
XMRig
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
MSIX Package Abuse
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log AppXDeployment-Server 400, Windows Event Log AppXDeployment-Server 854, Windows Event Log AppXDeployment-Server 855, Windows Event Log AppXPackaging 171, Windows Event Log Security 4688
|
Defense Impairment
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Registry Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Post-Exploitation
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
PXA Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Initial Access
Reconnaissance
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
BlackByte Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS
|
Collection
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Castle RAT
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Collection
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Kubernetes Security
|
Kubernetes Audit, Kubernetes Falco
|
Credential Access
Discovery
Execution
Persistence
Privilege Escalation
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CISA AA22-320A
|
CrowdStrike ProcessRollup2, Nginx Access, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious WMI Use
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 21, Windows Event Log Security 4688
|
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
AwfulShred
|
Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Linux Living Off The Land
|
Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Storm-2460 CLFS Zero Day Exploitation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious MSHTA Activity
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cisco Secure Firewall Threat Defense Analytics
|
AWS CloudWatchLogs VPCflow, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Firewall Threat Defense File Event, Cisco Secure Firewall Threat Defense Intrusion Event, Palo Alto Network Traffic
|
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
ESXi Post Compromise
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4688
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Disabling Security Tools
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Impact
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious Command-Line Executions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Fake CAPTCHA Campaigns
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Command and Control
Execution
Exfiltration
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SesameOp
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command and Control
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Remcos
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Credential Access
Defense Impairment
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
|
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Ingress Tool Transfer
|
Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Execution
Persistence
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Handala Wiper
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Windows Event Log Security 4688
|
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Service Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036
|
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Impairment
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Braodo Stealer
|
Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Linux Rootkit
|
Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Command and Control
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Azorult
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SystemBC
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
China-Nexus Threat Activity
|
AWS CloudWatchLogs VPCflow, Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
BITS Jobs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Persistence
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Rhysida Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Void Manticore
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log Security 4688, Windows Event Log System 7045
|
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
HAFNIUM Group
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Collection
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SQL Server Abuse
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 15457, Windows Event Log Application 17135, Windows Event Log Application 8128, Windows Event Log Security 4688
|
Command and Control
Execution
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Interlock Rat
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Command and Control
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Office 365 Account Takeover
|
O365 Add app role assignment grant to user., O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Collection
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SamSam Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Zeek Conn
|
Credential Access
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Axios Supply Chain Post Compromise
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Execution
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Malicious Inno Setup Loader
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SnappyBee
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Credential Access
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cisco Secure Access Analytics
|
Cisco Secure Access DNS, Cisco Secure Access Firewall, Cisco Secure Access Proxy, Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic, Sysmon EventID 3
|
Command and Control
Credential Access
Execution
Initial Access
Reconnaissance
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Deobfuscate-Decode Files or Information
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
VIP Keylogger
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Winter Vivern
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Discovery
Execution
Exfiltration
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Sandworm Tools
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
ProxyShell
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows IIS
|
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Credential Dumping
|
CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
NjRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Microsoft WSUS CVE-2025-59287
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Linux Persistence Techniques
|
Cisco Isovalent Process Exec, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Flax Typhoon
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command and Control
Credential Access
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CISA AA24-241A
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201, Windows IIS
|
Command and Control
Defense Impairment
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
DarkSide Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Command and Control
Credential Access
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Azure Active Directory Account Takeover
|
Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory, Azure Monitor Activity, Office 365 Universal Audit Log, Powershell Script Block Logging 4104
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Scheduled Tasks
|
CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Execution
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Meterpreter
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Lateral Movement
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Derusbi
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Error Reporting Service Elevation of Privilege Vulnerability
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Brute Ratel C4
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Gomir
|
Linux Auditd Proctitle, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Execution
Persistence
Privilege Escalation
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Trusted Developer Utilities Proxy Execution MSBuild
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Lokibot
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Collection
Command and Control
Credential Access
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
ValleyRAT
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Clop Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104, Windows Event Log System 7045
|
Defense Impairment
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CISA AA22-257A
|
CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Living Off The Land
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145
|
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SolarWinds WHD RCE Post Exploitation
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Discovery Techniques
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Discovery
Execution
Reconnaissance
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security, Splunk Behavioral Analytics
|
2026-05-13
|
|
ShrinkLocker
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948, Windows Event Log System 104
|
Defense Impairment
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
BishopFox Sliver Adversary Emulation Framework
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command and Control
Execution
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
WhisperGate
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 9, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Quasar RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Hellcat Ransomware
|
AWS CloudTrail CreateTask, Azure Active Directory Set domain authentication, Azure Active Directory Update user, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense File Event, CrowdStrike ProcessRollup2, CrushFTP, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, Osquery Results, Palo Alto Network Threat, Powershell Script Block Logging 4104, Splunk Stream HTTP, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Application 17135, Windows Event Log CAPI2 70, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
MetaSploit
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Remote Monitoring and Management Software
|
Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Command and Control
Execution
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Qakbot
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Crypto Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4688, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CISA AA22-277A
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Defense Impairment
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Hermetic Wiper
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Volt Typhoon
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Emotet Malware DHS Report TA18-201A
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Linux Privilege Escalation
|
Cisco Isovalent Process Exec, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Linux Messages Syslog, Linux Secure, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
DHS Report TA18-074A
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Command and Control
Defense Impairment
Execution
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Snake Keylogger
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
VanHelsing Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Credential Access
Execution
Impact
Lateral Movement
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
IcedID
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Amadey
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Lumma Stealer
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command and Control
Execution
Exfiltration
Initial Access
Lateral Movement
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious Windows Registry Activities
|
Sysmon EventID 13
|
Defense Impairment
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows File Extension and Association Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious Cloud User Activities
|
ASL AWS CloudTrail, AWS CloudTrail
|
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
NailaoLocker Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688
|
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
NetSupport RMM Tool Abuse
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Sysmon EventID 29, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Gh0st RAT
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
React2Shell
|
Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1
|
Execution
Initial Access
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
GhostRedirector IIS Module and Rungan Backdoor
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Nginx Access, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Application 15457, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log System 4720, Windows Event Log System 4726, Windows IIS 29
|
Command and Control
Defense Impairment
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cisco Network Visibility Module Analytics
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Active Directory Discovery
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045
|
Collection
Credential Access
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
MuddyWater
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688
|
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Privilege Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4723, Windows Event Log Security 4724, Windows Event Log Security 4769
|
Command and Control
Credential Access
Defense Impairment
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
XorDDos
|
Linux Auditd Cwd, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
APT37 Rustonotto and FadeStealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Snake Malware
|
Sysmon EventID 11, Sysmon EventID 13, Windows Event Log System 7045
|
Defense Impairment
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Revil Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Defense Impairment
Execution
Impact
Persistence
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Prestige Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Graceful Wipe Out Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Persistence Techniques
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Sysmon EventID 23, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Credential Access
Defense Impairment
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Active Directory Lateral Movement
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045, Zeek Conn
|
Credential Access
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Persistence
Privilege Escalation
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Trusted Developer Utilities Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
DarkCrystal RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Juniper JunOS Remote Code Execution
|
Suricata
|
Command and Control
Execution
Initial Access
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
XWorm
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Command and Control
Defense Impairment
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
AgentTesla
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command and Control
Credential Access
Defense Impairment
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cleo File Transfer Software
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Discovery
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Warzone RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
AMOS Stealer
|
Osquery Results
|
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Spearphishing Attachments
|
CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CrushFTP Vulnerabilities
|
CrowdStrike ProcessRollup2, CrushFTP, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Insider Threat
|
Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Command and Control
Credential Access
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise, Splunk Behavioral Analytics
|
2026-05-13
|
|
Black Basta Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, VMWare ESXi Syslog, Windows Event Log Printservice 316, Windows Event Log Printservice 4909, Windows Event Log Printservice 808, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
BlankGrabber Stealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Attack Surface Reduction
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1132, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007
|
Defense Impairment
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Scattered Spider
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
NOBELIUM Group
|
Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Collection
Command and Control
Credential Access
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows DNS SIGRed CVE-2020-1350
|
|
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036
|
Collection
Command and Control
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
PlugX
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Salt Typhoon
|
Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Ryuk Ransomware
|
Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Zeek Conn
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
FIN7
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Earth Alux
|
CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Trickbot
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145
|
Defense Impairment
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Command And Control
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command and Control
Execution
Exfiltration
Initial Access
Lateral Movement
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Medusa Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4728, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Lotus Blossom Chrysalis Backdoor
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045
|
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
JetBrains TeamCity Vulnerabilities
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Hidden Cobra Malware
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Zeek Conn
|
Command and Control
Execution
Exfiltration
Lateral Movement
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Interlock Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log Security 5136
|
Command and Control
Credential Access
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Dev Sec Ops
|
ASL AWS CloudTrail, AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail
|
Credential Access
Discovery
Execution
Exfiltration
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
0bj3ctivity Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Log4Shell CVE-2021-44228
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Nginx Access, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Azure Active Directory Persistence
|
Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Unusual Processes
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Netsh Abuse
|
|
Defense Impairment
Discovery
Execution
Impact
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Compromised Windows Host
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 104, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
RedLine Stealer
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
BlackSuit Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Credential Access
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Malicious PowerShell
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
AsyncRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
DarkGate Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
MoonPeak
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Linux Post-Exploitation
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
Command and Control
Execution
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Gozi Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Industroyer2
|
CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cactus Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Cobalt Strike
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Collection
Command and Control
Execution
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
StealC Stealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Certificate Services
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887
|
Collection
Command and Control
Credential Access
Execution
Lateral Movement
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Data Destruction
|
AWS Cloudfront, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
Cisco Secure Firewall Threat Defense Intrusion Event, Suricata
|
Execution
Initial Access
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Seashell Blizzard
|
CrowdStrike ProcessRollup2, Nginx Access, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Application 15457, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows IIS
|
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Storm-0501 Ransomware
|
Azure Active Directory Add member to role, Azure Active Directory Set domain authentication, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Orangeworm Attack Group
|
Windows Event Log System 7036
|
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Chaos Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
PaperCut MF NG Vulnerability
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious Zoom Child Processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Privilege Escalation
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Windows Defense Evasion Tactics
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious Ollama Activities
|
Ollama Server
|
Command and Control
Execution
Exfiltration
Impact
Initial Access
Reconnaissance
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CISA AA23-347A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
PromptLock
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
CISA AA22-264A
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104
|
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Compromised Linux Host
|
Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Daemon Abort, Linux Auditd Daemon End, Linux Auditd Daemon Start, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Suspicious MCP Activities
|
MCP Server
|
Credential Access
Execution
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
NPM Supply Chain Compromise
|
Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-13
|
|
Salat Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4946, Windows Event Log System 104
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Persistence
Privilege Escalation
Stealth
|
Splunk Cloud, Splunk Enterprise Security, Splunk Enterprise
|
2026-05-12
|