|
Splunk Vulnerabilities
|
Splunk
|
Credential Access
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-14
|
|
Suspicious Cisco Adaptive Security Appliance Activity
|
Cisco ASA Logs
|
Collection
Credential Access
Defense Impairment
Discovery
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
sAMAccountName Spoofing and Domain Controller Impersonation
|
Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781
|
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
GCP Cross Account Activity
|
|
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ConnectWise ScreenConnect Vulnerabilities
|
Nginx Access, Suricata, Sysmon EventID 11, Windows Event Log Security 4663
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ProxyNotShell
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows IIS
|
Command and Control
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ivanti Virtual Traffic Manager CVE-2024-7593
|
Ivanti VTM Audit
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Salt Typhoon
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
GitHub Malicious Activity
|
GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs
|
Defense Impairment
Impact
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Brute Ratel C4
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Active Directory Password Spraying
|
Azure Active Directory Sign-in activity, NTLM Operational 8004, NTLM Operational 8005, NTLM Operational 8006, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4720, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776
|
Credential Access
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Text4Shell CVE-2022-42889
|
Nginx Access
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Cloud Instance Activities
|
ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail
|
Exfiltration
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
SQL Injection
|
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Network Visibility Module Analytics
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AsyncRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA24-241A
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201, Windows IIS
|
Command and Control
Defense Impairment
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
MOVEit Transfer Critical Vulnerability
|
Sysmon EventID 11
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CVE-2023-21716 Word RTF Heap Corruption
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
Nginx Access, Suricata, Sysmon EventID 11
|
Initial Access
Resource Development
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows Persistence Techniques
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Credential Access
Defense Impairment
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Hermetic Wiper
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145
|
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Gozi Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ivanti Connect Secure VPN Vulnerabilities
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
HTTP Request Smuggling
|
Nginx Access, Suricata
|
Command and Control
Initial Access
Reconnaissance
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
PlugX
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
Cisco IOS Logs, Cisco Secure Firewall Threat Defense Intrusion Event, Splunk Stream TCP
|
Collection
Credential Access
Defense Impairment
Discovery
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Compromised Windows Host
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 104, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Unusual Processes
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
GCP Account Takeover
|
Google Workspace login_failure, Google Workspace
|
Credential Access
Defense Impairment
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AWS Bedrock Security
|
AWS CloudTrail DeleteGuardrail, AWS CloudTrail DeleteKnowledgeBase, AWS CloudTrail DeleteModelInvocationLoggingConfiguration, AWS CloudTrail
|
Defense Impairment
Discovery
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated Access
|
Suricata
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Spearphishing Attachments
|
CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
F5 TMUI RCE CVE-2020-5902
|
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Zscaler Browser Proxy Threats
|
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Remote Employment Fraud
|
Okta
|
Collection
Command and Control
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA22-257A
|
CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
VMware Aria Operations vRealize CVE-2023-20887
|
Palo Alto Network Threat, Sysmon EventID 11
|
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Catalyst SD-WAN Analytics
|
Cisco SD-WAN NTCE 1000001, Cisco SD-WAN Service Proxy Access Logs
|
Initial Access
Reconnaissance
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Apache Tomcat Session Deserialization Attacks
|
Nginx Access
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
WordPress Vulnerabilities
|
Nginx Access
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Outlook RCE CVE-2024-21378
|
Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1
|
Defense Impairment
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ESXi Post Compromise
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4688
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
China-Nexus Threat Activity
|
AWS CloudWatchLogs VPCflow, Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Linux Auditd Cwd, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Okta Activity
|
Okta
|
Command and Control
Credential Access
Discovery
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
F5 BIG-IP Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
MOVEit Transfer Authentication Bypass
|
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
JBoss Vulnerability
|
|
Discovery
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Amadey
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
APT37 Rustonotto and FadeStealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Spring4Shell CVE-2022-22965
|
Nginx Access, Splunk Stream HTTP, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Juniper JunOS Remote Code Execution
|
Suricata
|
Command and Control
Execution
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Azorult
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
WS FTP Server Critical Vulnerabilities
|
CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Suricata, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Router and Infrastructure Security
|
Cisco IOS Logs
|
Collection
Credential Access
Exfiltration
Impact
Initial Access
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AWS IAM Privilege Escalation
|
ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateAccessKey, AWS CloudTrail CreateLoginProfile, AWS CloudTrail CreatePolicyVersion, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DeleteGroup, AWS CloudTrail DeletePolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail SetDefaultPolicyVersion, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail UpdateLoginProfile, AWS CloudTrail
|
Credential Access
Discovery
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA22-320A
|
CrowdStrike ProcessRollup2, Nginx Access, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Rhysida Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Remcos
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Credential Access
Defense Impairment
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Microsoft WSUS CVE-2025-59287
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Active Directory Privilege Escalation
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4728, Windows Event Log Security 4732, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Impairment
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Active Directory Kerberos Attacks
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781
|
Credential Access
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Prohibited Traffic Allowed or Protocol Mismatch
|
Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 22
|
Command and Control
Exfiltration
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
Cisco Secure Firewall Threat Defense Intrusion Event, Suricata
|
Execution
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Scattered Lapsus$ Hunters
|
ASL AWS CloudTrail, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail ModifyDBInstance, AWS CloudWatchLogs VPCflow, Azure Active Directory Add member to role, Azure Active Directory Disable Strong Authentication, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update user, Azure Active Directory User registered security info, Azure Active Directory, Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, Google Workspace login_failure, Google Workspace, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, O365 UserLoggedIn, O365 UserLoginFailed, Office 365 Universal Audit Log, Okta, Palo Alto Network Threat, Palo Alto Network Traffic, PingID, Powershell Script Block Logging 4104, Splunk Stream TCP, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 1100, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4732, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4756, Windows Event Log Security 4759, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4783, Windows Event Log Security 4790, Windows Event Log Security 4794, Windows Event Log System 7036
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
SAP NetWeaver Exploitation
|
Suricata, Sysmon EventID 10, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
BlankGrabber Stealer
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Detect Zerologon Attack
|
Sysmon EventID 10, Windows Event Log Security 4742
|
Credential Access
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Warzone RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Apache Struts Vulnerability
|
Sysmon EventID 1
|
Discovery
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Emails
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Collection
Impact
Initial Access
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Confluence Data Center and Confluence Server Vulnerabilities
|
CrowdStrike ProcessRollup2, Nginx Access, Palo Alto Network Threat, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Initial Access
Persistence
Resource Development
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cleo File Transfer Software
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Discovery
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AgentTesla
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command and Control
Credential Access
Defense Impairment
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Lumma Stealer
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command and Control
Execution
Exfiltration
Initial Access
Lateral Movement
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
IcedID
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CrushFTP Vulnerabilities
|
CrowdStrike ProcessRollup2, CrushFTP, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cloud Federated Credential Abuse
|
ASL AWS CloudTrail, AWS CloudTrail UpdateSAMLProvider, CrowdStrike ProcessRollup2, O365 Add app role assignment grant to user., O365 UserLoginFailed, O365, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Dev Sec Ops
|
ASL AWS CloudTrail, AWS CloudTrail DescribeImageScanFindings, AWS CloudTrail PutImage, CircleCI, G Suite Drive, G Suite Gmail
|
Credential Access
Discovery
Execution
Exfiltration
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ivanti Sentry Authentication Bypass CVE-2023-38035
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Active Directory Discovery
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045
|
Collection
Credential Access
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Earth Alux
|
CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AwfulShred
|
Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Okta Account Takeover
|
Okta
|
Credential Access
Defense Impairment
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DarkCrystal RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
React2Shell
|
Cisco Secure Firewall Threat Defense Intrusion Event, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1
|
Execution
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Living Off The Land
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Osquery Results, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145
|
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ivanti EPM Vulnerabilities
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA22-264A
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104
|
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows RDP Artifacts and Defense Evasion
|
Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4688, Zeek Conn
|
Credential Access
Defense Impairment
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Jenkins Server Vulnerabilities
|
Nginx Access
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Secure Access Analytics
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic, Sysmon EventID 3
|
Command and Control
Credential Access
Execution
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Okta MFA Exhaustion
|
Okta
|
Credential Access
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Data Exfiltration
|
ASL AWS CloudTrail, AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, Cisco Isovalent Process Exec, CrowdStrike ProcessRollup2, Nginx Access, O365, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Initial Access
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cloud Cryptomining
|
AWS CloudTrail
|
Defense Impairment
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
PHP-CGI RCE Attack on Japanese Organizations
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Credential Access
Discovery
Execution
Initial Access
Persistence
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Microsoft SharePoint Vulnerabilities
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Credential Access
Initial Access
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
NjRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Sneaky Active Directory Persistence Tricks
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4728, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141
|
Credential Access
Defense Impairment
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Atlassian Confluence Server and Data Center CVE-2022-26134
|
Palo Alto Network Threat, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Seashell Blizzard
|
CrowdStrike ProcessRollup2, Nginx Access, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Application 15457, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows IIS
|
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Active Directory Lateral Movement
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045, Zeek Conn
|
Credential Access
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
BlackByte Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS
|
Collection
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
JetBrains TeamCity Unauthenticated RCE
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Chaos Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Citrix ShareFile RCE CVE-2023-24489
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Dynamic DNS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Compromised User Account
|
ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, Cisco Secure Access Firewall, Office 365 Universal Audit Log, PingID, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4625
|
Collection
Credential Access
Defense Impairment
Discovery
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Data Protection
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Collection
Command and Control
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ProxyShell
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows IIS
|
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Qakbot
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Command and Control
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
JetBrains TeamCity Vulnerabilities
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
NOBELIUM Group
|
Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Collection
Command and Control
Credential Access
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Ollama Activities
|
Ollama Server
|
Command and Control
Execution
Exfiltration
Impact
Initial Access
Reconnaissance
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Black Basta Ransomware
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 7, VMWare ESXi Syslog, Windows Event Log Printservice 316, Windows Event Log Printservice 4909, Windows Event Log Printservice 808, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Data Destruction
|
AWS Cloudfront, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Osquery Results, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DarkGate Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Azure Active Directory Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory, O365 Add app role assignment grant to user., Office 365 Universal Audit Log, Powershell Script Block Logging 4104
|
Command and Control
Credential Access
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Windows Attack Surface Reduction
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1125, Windows Event Log Defender 1126, Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1132, Windows Event Log Defender 1133, Windows Event Log Defender 1134, Windows Event Log Defender 5007
|
Defense Impairment
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Hellcat Ransomware
|
AWS CloudTrail CreateTask, Azure Active Directory Set domain authentication, Azure Active Directory Update user, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense File Event, CrowdStrike ProcessRollup2, CrushFTP, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, Osquery Results, Palo Alto Network Threat, Powershell Script Block Logging 4104, Splunk Stream HTTP, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 7, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, VMWare ESXi Syslog, Windows Event Log Application 17135, Windows Event Log CAPI2 70, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Credential Dumping
|
CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Log4Shell CVE-2021-44228
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Nginx Access, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command and Control
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Meduza Stealer
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Command and Control
Credential Access
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Cloud Provisioning Activities
|
AWS CloudTrail
|
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Cloud User Activities
|
ASL AWS CloudTrail, AWS CloudTrail
|
Defense Impairment
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Prestige Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Azure Active Directory Persistence
|
Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Derusbi
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Citrix Netscaler ADC CVE-2023-3519
|
Palo Alto Network Threat
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
GhostRedirector IIS Module and Rungan Backdoor
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Nginx Access, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Application 15457, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log System 4720, Windows Event Log System 4726, Windows IIS 29
|
Command and Control
Defense Impairment
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
DNS Hijacking
|
Sysmon EventID 22
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
FIN7
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
PaperCut MF NG Vulnerability
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Azure Active Directory Account Takeover
|
Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory, Azure Monitor Activity, Office 365 Universal Audit Log, Powershell Script Block Logging 4104
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036
|
Collection
Command and Control
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Command And Control
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command and Control
Execution
Exfiltration
Initial Access
Lateral Movement
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Compromised Linux Host
|
Linux Auditd Add User, Linux Auditd Cwd, Linux Auditd Daemon Abort, Linux Auditd Daemon End, Linux Auditd Daemon Start, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Insider Threat
|
Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Command and Control
Credential Access
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Behavioral Analytics, Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
HAFNIUM Group
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Collection
Command and Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
3CX Supply Chain Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Flax Typhoon
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command and Control
Credential Access
Execution
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Emotet Malware DHS Report TA18-201A
|
CrowdStrike ProcessRollup2, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
SamSam Ransomware
|
Cisco Network Visibility Module Flow Data, Cisco Secure Access Firewall, CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688, Zeek Conn
|
Credential Access
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco Secure Firewall Threat Defense Analytics
|
AWS CloudWatchLogs VPCflow, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Firewall Threat Defense File Event, Cisco Secure Firewall Threat Defense Intrusion Event, Palo Alto Network Traffic
|
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
CISA AA23-347A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
ArcaneDoor
|
Cisco ASA Logs, Cisco Secure Firewall Threat Defense Intrusion Event
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Exfiltration
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
AWS Identity and Access Management Account Takeover
|
ASL AWS CloudTrail, AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateVirtualMFADevice, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetPasswordData, AWS CloudTrail ModifyDBInstance, AWS CloudTrail
|
Collection
Credential Access
Defense Impairment
Discovery
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Graceful Wipe Out Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious DNS Traffic
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 5136, Windows Event Log Security 5137
|
Collection
Command and Control
Credential Access
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Suspicious Microsoft 365 Copilot Activities
|
M365 Copilot Graph API, M365 Exported eDiscovery Prompts
|
Credential Access
Defense Impairment
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Crypto Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4688, Windows Event Log System 7045
|
Collection
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Snake Keylogger
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command and Control
Credential Access
Defense Impairment
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
MuddyWater
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688
|
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
VMware Server Side Injection and Privilege Escalation
|
Palo Alto Network Threat, Sysmon EventID 11
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
NPM Supply Chain Compromise
|
Cisco Isovalent Process Exec, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, GitHub Enterprise Audit Logs, GitHub Organizations Audit Logs, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command and Control
Credential Access
Defense Impairment
Execution
Impact
Initial Access
Persistence
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Trickbot
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145
|
Defense Impairment
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
Office 365 Account Takeover
|
O365 Add app role assignment grant to user., O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365, Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
Collection
Credential Access
Defense Impairment
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
Resource Development
Stealth
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
|
PXA Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Defense Impairment
Discovery
Execution
Initial Access
Reconnaissance
|
Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security
|
2026-05-13
|
