|
Suspicious Cisco Adaptive Security Appliance Activity
|
Cisco ASA Logs
|
Collection
Credential Access
Defense Impairment
Discovery
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
BlackMatter Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036
|
Credential Access
Discovery
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Disabling Security Tools
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Disk Wiper
|
Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 9
|
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Sandworm Tools
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
RedLine Stealer
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
NailaoLocker Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688
|
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
GitHub Malicious Activity
|
GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs
|
Defense Impairment
Impact
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Brute Ratel C4
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Security Solution Tampering
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036
|
Defense Impairment
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Hermetic Wiper
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Void Manticore
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log Security 4688, Windows Event Log System 7045
|
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious AWS S3 Activities
|
ASL AWS CloudTrail, AWS CloudTrail CreateTask, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, AWS CloudTrail
|
Collection
Exfiltration
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Linux Privilege Escalation
|
Cisco Isovalent Process Exec, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
PlugX
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows Log Manipulation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104
|
Defense Impairment
Impact
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
Cisco IOS Logs, Cisco Secure Firewall Threat Defense Intrusion Event, Splunk Stream TCP
|
Collection
Credential Access
Defense Impairment
Discovery
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DarkSide Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Command and Control
Credential Access
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Compromised Windows Host
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 104, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Gh0st RAT
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cactus Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AWS Bedrock Security
|
AWS CloudTrail DeleteGuardrail, AWS CloudTrail DeleteKnowledgeBase, AWS CloudTrail DeleteModelInvocationLoggingConfiguration, AWS CloudTrail
|
Defense Impairment
Discovery
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
MoonPeak
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Linux Living Off The Land
|
Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ZOVWiper
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log Security 4688
|
Credential Access
Impact
Lateral Movement
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ESXi Post Compromise
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4688
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Swift Slicer
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log Security 4688
|
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
APT37 Rustonotto and FadeStealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Azorult
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious WMI Use
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 21, Windows Event Log Security 4688
|
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Router and Infrastructure Security
|
Cisco IOS Logs
|
Collection
Credential Access
Exfiltration
Impact
Initial Access
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Rhysida Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Microsoft WSUS CVE-2025-59287
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
WhisperGate
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 9, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DynoWiper
|
Sysmon EventID 11, Sysmon EventID 23, Sysmon EventID 26
|
Impact
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Scattered Lapsus$ Hunters
|
ASL AWS CloudTrail, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail ModifyDBInstance, AWS CloudWatchLogs VPCflow, Azure Active Directory Add member to role, Azure Active Directory Disable Strong Authentication, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update user, Azure Active Directory User registered security info, Azure Active Directory, Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, Google Workspace login_failure, Google Workspace, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, O365 UserLoggedIn, O365 UserLoginFailed, Office 365 Universal Audit Log, Okta, Palo Alto Network Threat, Palo Alto Network Traffic, PingID, Powershell Script Block Logging 4104, Splunk Stream TCP, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1100, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4732, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4756, Windows Event Log Security 4759, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4783, Windows Event Log Security 4790, Windows Event Log Security 4794, Windows Event Log System 7036
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Medusa Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4728, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Emails
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Collection
Impact
Initial Access
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows Post-Exploitation
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AWS Defense Evasion
|
ASL AWS CloudTrail, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogGroup, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteTrail, AWS CloudTrail DeleteWebACL, AWS CloudTrail PutBucketLifecycle, AWS CloudTrail StopLogging, AWS CloudTrail UpdateTrail
|
Defense Impairment
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DNS Amplification Attacks
|
|
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Revil Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Defense Impairment
Execution
Impact
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows BootKits
|
Sysmon EventID 11, Sysmon EventID 13
|
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows Defense Evasion Tactics
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ransomware Cloud
|
ASL AWS CloudTrail, AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy, AWS CloudTrail, Office 365 Universal Audit Log
|
Execution
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Volt Typhoon
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
LockBit Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Defense Impairment
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Handala Wiper
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Windows Event Log Security 4688
|
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Clop Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104, Windows Event Log System 7045
|
Defense Impairment
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
PathWiper
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 9, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AwfulShred
|
Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DarkCrystal RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
XWorm
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Command and Control
Defense Impairment
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Masquerading - Rename System Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Impact
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Interlock Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log Security 5136
|
Command and Control
Credential Access
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA22-264A
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104
|
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Industroyer2
|
CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
VanHelsing Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Credential Access
Execution
Impact
Lateral Movement
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ShrinkLocker
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4946, Windows Event Log Security 4947, Windows Event Log Security 4948, Windows Event Log System 104
|
Defense Impairment
Execution
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Data Exfiltration
|
ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Nginx Access, O365, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Netsh Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Termite Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4688, Windows Event Log System 7036
|
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
NjRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Storm-0501 Ransomware
|
Azure Active Directory Add member to role, Azure Active Directory Set domain authentication, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
BlackByte Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS
|
Collection
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Chaos Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AcidPour
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
Impact
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Qakbot
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Ollama Activities
|
Ollama Server
|
Command and Control
Execution
Exfiltration
Impact
Initial Access
Reconnaissance
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Black Basta Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, VMWare ESXi Syslog, Windows Event Log Printservice 316, Windows Event Log Printservice 4909, Windows Event Log Printservice 808, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Data Destruction
|
AWS Cloudfront, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DarkGate Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Linux Persistence Techniques
|
Cisco Isovalent Process Exec, Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Hellcat Ransomware
|
AWS CloudTrail CreateTask, Azure Active Directory Set domain authentication, Azure Active Directory Update user, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense File Event, CrowdStrike ProcessRollup2, CrushFTP, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, Osquery Results, Palo Alto Network Threat, Powershell Script Block Logging 4104, Splunk Stream HTTP, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Application 17135, Windows Event Log CAPI2 70, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AWS S3 Bucket Security Monitoring
|
AWS Cloudfront, Sysmon EventID 22
|
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Credential Dumping
|
CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AcidRain
|
Sysmon for Linux EventID 11
|
Impact
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Storm-2460 CLFS Zero Day Exploitation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ryuk Ransomware
|
Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Zeek Conn
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Caddy Wiper
|
Sysmon EventID 9
|
Impact
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Prestige Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
FIN7
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Azure Active Directory Account Takeover
|
Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory, Azure Monitor Activity, Office 365 Universal Audit Log, Powershell Script Block Logging 4104
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
XMRig
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036
|
Collection
Command and Control
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Compromised Linux Host
|
Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Daemon Abort, Linux Auditd Daemon End, Linux Auditd Daemon Start, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows Registry Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
SamSam Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Zeek Conn
|
Credential Access
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Quasar RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Secure Firewall Threat Defense Analytics
|
AWS CloudWatchLogs VPCflow, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Firewall Threat Defense File Event, Cisco Secure Firewall Threat Defense Intrusion Event, Palo Alto Network Traffic
|
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Graceful Wipe Out Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA23-347A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Office 365 Collection Techniques
|
O365 Add-MailboxPermission, O365 MailItemsAccessed, O365 ModifyFolderPermissions, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Collection
Credential Access
Impact
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
BlackLotus Campaign
|
Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3
|
Defense Impairment
Impact
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Crypto Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4688, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Snake Keylogger
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
MuddyWater
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688
|
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Scattered Spider
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
NPM Supply Chain Compromise
|
Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Office 365 Account Takeover
|
O365 Add app role assignment grant to user., O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Collection
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
