Detections

Name Data Source Technique Type Analytic Story Date
Windows Credentials from Password Stores Chrome Login Data Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-07-08
Linux Dirty Frag Kernel Privilege Escalation Linux icon Linux Auditd Syscall T1068 T1548.001 TTP Linux Privilege Escalation 2026-07-06
AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation AWS icon AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude Unusually Large Prompts AWS icon AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude Cross Region Possible Inference Abuse AWS icon AWS Bedrock Claude T1599 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude Hostile Prompt Sentiment AWS icon AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude Sensitive Data in Prompts AWS icon AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude Possible Prompt Injection AWS icon AWS Bedrock Claude T1055 Hunting Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude excessive use of tokens AWS icon AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
PetitPotam Suspicious Kerberos TGT Request Windows icon Windows Event Log Security 4768 T1003 TTP PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks 2026-07-04
Powershell Remote Thread To Known Windows Process Windows icon Sysmon EventID 8 T1055 TTP Trickbot 2026-07-01
Attacker Tools On Endpoint Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1003 T1036.005 T1595 TTP XMRig, SamSam Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, Unusual Processes, CISA AA22-264A, Compromised Windows Host, Scattered Spider 2026-07-01
Powershell Processing Stream Of Data Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly MuddyWater, Malicious PowerShell, Data Destruction, MoonPeak, Medusa Ransomware, AsyncRAT, IcedID, PXA Stealer, Hermetic Wiper, XWorm, Braodo Stealer, Salat Stealer, Hellcat Ransomware 2026-06-29
Rundll32 Create Remote Thread To A Process Windows icon Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2026-06-29
Windows Powershell Import Applocker Policy Windows icon Powershell Script Block Logging 4104 T1059.001 T1685 Anomaly Azorult 2026-06-29
Windows Uncommon Remote Thread Creation In Browser Process Windows icon Sysmon EventID 8 T1055.001 Anomaly IcedID, Qakbot, Living Off The Land 2026-06-29
Powershell Windows Defender Exclusion Commands Windows icon Powershell Script Block Logging 4104 T1685 Anomaly WhisperGate, Data Destruction, AgentTesla, BlankGrabber Stealer, CISA AA22-320A, Remcos, NetSupport RMM Tool Abuse, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics 2026-06-29
Create Remote Thread In Shell Application Windows icon Sysmon EventID 8 T1055 TTP IcedID, Warzone RAT, Qakbot 2026-06-29
Windows Process Injection Remote Thread Windows icon Sysmon EventID 8 T1055.002 TTP Phantom Stealer, Water Gamayun, Earth Alux, Qakbot, Warzone RAT, Graceful Wipe Out Attack 2026-06-29
Powershell Remove Windows Defender Directory Windows icon Powershell Script Block Logging 4104 T1685 Anomaly WhisperGate, Data Destruction 2026-06-29
Create Remote Thread into LSASS Windows icon Sysmon EventID 8 T1003.001 TTP Credential Dumping, BlackSuit Ransomware, Lokibot 2026-06-29
Windows ClipBoard Data via Get-ClipBoard Windows icon Powershell Script Block Logging 4104 T1115 Anomaly Prestige Ransomware, BlankGrabber Stealer, Windows Post-Exploitation 2026-06-29
PowerShell Environment Variable Execution Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly VIP Keylogger 2026-06-29
Windows Powershell Logoff User via Quser Windows icon Powershell Script Block Logging 4104 T1059.001 T1531 Anomaly Crypto Stealer 2026-06-29
PowerShell Loading DotNET into Memory via Reflection Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, AgentTesla, VIP Keylogger, AsyncRAT, Hermetic Wiper, 0bj3ctivity Stealer, Hellcat Ransomware, Winter Vivern 2026-06-29
Windows Process Injection With Public Source Path Windows icon Sysmon EventID 8 T1055.002 Hunting Brute Ratel C4, Earth Alux, Phantom Stealer 2026-06-29
Windows Process Injection Of Wermgr to Known Browser Windows icon Sysmon EventID 8 T1055.001 TTP Qakbot 2026-06-29
Rundll32 CreateRemoteThread In Browser Windows icon Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2026-06-29
PowerShell Domain Enumeration Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Malicious PowerShell, Data Destruction, Interlock Ransomware, CISA AA23-347A, Microsoft WSUS CVE-2025-59287, Hermetic Wiper 2026-06-28
PowerShell 4104 Hunting Windows icon Powershell Script Block Logging 4104 T1059.001 Hunting Braodo Stealer, Cleo File Transfer Software, Flax Typhoon, SystemBC, Salat Stealer, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, Water Gamayun, Rhysida Ransomware, XWorm, DarkGate Malware, Hellcat Ransomware, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Phantom Stealer, CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Cactus Ransomware, Scattered Spider, Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Lumma Stealer, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer 2026-06-25
Windows Non Discord App Access Discord LevelDB Windows icon Windows Event Log Security 4663 T1012 Anomaly Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Snake Keylogger, StealC Stealer 2026-06-25
Non Firefox Process Access Firefox Profile Dir Windows icon Windows Event Log Security 4663 T1555.003 Anomaly Quasar RAT, Lokibot, Snake Keylogger, Remcos, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, RedLine Stealer, DarkGate Malware, StealC Stealer, Warzone RAT, AgentTesla, VIP Keylogger, Phantom Stealer, Azorult, 3CX Supply Chain Attack, Malicious Inno Setup Loader, Salt Typhoon, CISA AA23-347A, FIN7, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-06-25
Windows Credentials from Password Stores Chrome Extension Access Windows icon Windows Event Log Security 4663 T1012 Anomaly MoonPeak, BlankGrabber Stealer, CISA AA23-347A, Phantom Stealer, Amadey, RedLine Stealer, Braodo Stealer, DarkGate Malware, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer, Malicious Inno Setup Loader, Phemedrone Stealer 2026-06-25
Windows Suspicious Process File Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.005 T1543 TTP Quasar RAT, Swift Slicer, Qakbot, Lokibot, SesameOp, Prestige Ransomware, Remcos, SystemBC, Brute Ratel C4, BlackByte Ransomware, Phemedrone Stealer, Graceful Wipe Out Attack, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Water Gamayun, Earth Alux, Rhysida Ransomware, RedLine Stealer, XWorm, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, RoguePlanet, Volt Typhoon, Double Zero Destructor, PlugX, Industroyer2, China-Nexus Threat Activity, NailaoLocker Ransomware, SnappyBee, ValleyRAT 2026-06-25
Windows Powershell Cryptography Namespace Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Phantom Stealer, XWorm, VIP Keylogger, AsyncRAT 2026-06-25
Windows Unsecured Outlook Credentials Access In Registry Windows icon Windows Event Log Security 4663 T1552 Anomaly Phantom Stealer, VIP Keylogger, Lokibot, Snake Keylogger, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer 2026-06-25
Registry Keys Used For Persistence Windows icon Sysmon EventID 13 T1547.001 TTP Quasar RAT, Emotet Malware DHS Report TA18-201A, Ransomware, Qakbot, Lokibot, Braodo Stealer, Snake Keylogger, Remcos, SystemBC, Salat Stealer, WinDealer RAT, BlackByte Ransomware, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Interlock Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AsyncRAT, RedLine Stealer, XWorm, Suspicious Windows Registry Activities, DarkGate Malware, DarkCrystal RAT, Windows Persistence Techniques, Derusbi, NetSupport RMM Tool Abuse, Warzone RAT, Castle RAT, Gh0st RAT, BlackSuit Ransomware, Suspicious MSHTA Activity, Phantom Stealer, DHS Report TA18-074A, Sneaky Active Directory Persistence Tricks, Azorult, Cactus Ransomware, Chaos Ransomware, Salt Typhoon, MoonPeak, CISA AA23-347A, IcedID, Amadey, Windows Registry Abuse, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT 2026-06-25
Windows Unusual Process Load Mozilla NSS-Mozglue Module Windows icon Sysmon EventID 7 T1218.003 Anomaly Quasar RAT, Phantom Stealer, VIP Keylogger, Lokibot, StealC Stealer, 0bj3ctivity Stealer 2026-06-25
Windows File Transfer Protocol In Non-Common Process Path Windows icon Sysmon EventID 3 T1071.003 Anomaly Snake Keylogger, Hellcat Ransomware, Phantom Stealer, AgentTesla 2026-06-25
Executables Or Script Creation In Temp Path Windows icon Sysmon EventID 11 T1036 Anomaly AcidPour, Swift Slicer, Qakbot, Lokibot, SesameOp, Snake Keylogger, Remcos, Salat Stealer, Brute Ratel C4, WinDealer RAT, BlackByte Ransomware, Graceful Wipe Out Attack, NjRAT, Axios Supply Chain Post Compromise, Data Destruction, Void Manticore, LockBit Ransomware, Handala Wiper, AsyncRAT, Rhysida Ransomware, RedLine Stealer, PromptFlux, DarkGate Malware, DarkCrystal RAT, Derusbi, Meduza Stealer, Warzone RAT, WhisperGate, XMRig, AgentTesla, Trickbot, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, Amadey, IcedID, RoguePlanet, Volt Typhoon, Double Zero Destructor, Crypto Stealer, PlugX, Industroyer2, China-Nexus Threat Activity, XML Runner Loader, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT 2026-06-25
Windows Boot or Logon Autostart Execution In Startup Folder Windows icon Sysmon EventID 11 T1547.001 Anomaly Chaos Ransomware, Quasar RAT, Interlock Ransomware, BlankGrabber Stealer, Phantom Stealer, Gozi Malware, RedLine Stealer, XWorm, PromptFlux, Crypto Stealer, APT37 Rustonotto and FadeStealer, NjRAT 2026-06-25
Non Chrome Process Accessing Chrome Default Dir Windows icon Windows Event Log Security 4663 T1555.003 Anomaly Quasar RAT, Lokibot, Snake Keylogger, Remcos, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, RedLine Stealer, DarkGate Malware, StealC Stealer, Warzone RAT, AgentTesla, VIP Keylogger, Phantom Stealer, 3CX Supply Chain Attack, Malicious Inno Setup Loader, Salt Typhoon, CISA AA23-347A, FIN7, China-Nexus Threat Activity, SnappyBee 2026-06-25
Windows Browser Process Launched with Unusual Flags Windows icon Sysmon EventID 1 T1185 Anomaly Phantom Stealer, Castle RAT 2026-06-25
Windows Disable or Stop Browser Process Windows icon Sysmon EventID 1 T1685 TTP BlankGrabber Stealer, Phantom Stealer, Braodo Stealer, Scattered Lapsus$ Hunters, Salat Stealer, Hellcat Ransomware, Castle RAT 2026-06-25
PowerShell PInvoke Process Injection API Chain Windows icon Powershell Script Block Logging 4104 T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620 TTP Phantom Stealer, VIP Keylogger 2026-06-25
Windows Unusual FileZilla XML Config Access Windows icon Windows Event Log Security 4663 T1552.001 Anomaly Quasar RAT, Phantom Stealer 2026-06-25
Executables Or Script Creation In Suspicious Path Windows icon Sysmon EventID 11 T1036 Anomaly Quasar RAT, AcidPour, Swift Slicer, Qakbot, Lokibot, SesameOp, Snake Keylogger, Remcos, SystemBC, Brute Ratel C4, WinDealer RAT, BlackByte Ransomware, Graceful Wipe Out Attack, NjRAT, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Earth Alux, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, Derusbi, DynoWiper, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Cactus Ransomware, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, Volt Typhoon, Double Zero Destructor, Crypto Stealer, PlugX, Industroyer2, China-Nexus Threat Activity, XML Runner Loader, NailaoLocker Ransomware, SnappyBee, ValleyRAT 2026-06-25
Windows System Network Connections Discovery Netsh Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1049 Anomaly BlankGrabber Stealer, VIP Keylogger, Phantom Stealer, Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation 2026-06-25
Windows Credentials from Password Stores Chrome LocalState Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-06-25
Windows Credentials from Password Stores Chrome Copied in TEMP Dir Windows icon Sysmon EventID 11 T1555.003 TTP Braodo Stealer, Phantom Stealer, BlankGrabber Stealer, Scattered Lapsus$ Hunters 2026-06-25
Headless Browser Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 T1564.003 Anomaly Phantom Stealer, Browser Hijacking, Forest Blizzard 2026-06-25
Windows Chromium Browser No Security Sandbox Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 TTP Phantom Stealer, Malicious Inno Setup Loader 2026-06-25
Windows Disable or Modify Tools Via Taskkill Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Crypto Stealer, NjRAT 2026-06-25
Powershell Fileless Script Contains Base64 Encoded Content Windows icon Powershell Script Block Logging 4104 T1027 T1059.001 TTP Salat Stealer, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, AsyncRAT, XWorm, NetSupport RMM Tool Abuse, Hellcat Ransomware, Winter Vivern, Malicious PowerShell, Phantom Stealer, VIP Keylogger, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, IcedID, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer 2026-06-25
Windows Chromium Browser with Custom User Data Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 Anomaly Lokibot, Phantom Stealer, Malicious Inno Setup Loader, StealC Stealer 2026-06-25
Windows Credential Access From Browser Password Store Windows icon Windows Event Log Security 4663 T1012 Anomaly Quasar RAT, Braodo Stealer, Snake Keylogger, Salat Stealer, BlankGrabber Stealer, Earth Alux, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Phantom Stealer, VIP Keylogger, PXA Stealer, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-06-25
Windows DNS Query Request by Telegram Bot API Windows icon Sysmon EventID 22 T1071.004 T1102.002 Anomaly Phantom Stealer, VIP Keylogger, BlankGrabber Stealer, Crypto Stealer, 0bj3ctivity Stealer 2026-06-25
Suspicious Process With Discord DNS Query Windows icon Sysmon EventID 22 T1059.005 Anomaly WhisperGate, Data Destruction, BlankGrabber Stealer, Phantom Stealer, PXA Stealer, Cactus Ransomware 2026-06-25
Windows WinSCP Configuration Security Access Windows icon Windows Event Log Security 4663 T1552.001 Anomaly Phantom Stealer 2026-06-24
Splunk Information Disclosure on Account Login Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2026-06-24
Splunk Code Injection via custom dashboard leading to RCE T1210 Hunting Splunk Vulnerabilities 2026-06-24
Splunk RCE PDFgen Render Splunk icon Splunk T1210 TTP Splunk Vulnerabilities 2026-06-24
Splunk App for Lookup File Editing RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2026-06-24
Splunk Path Traversal In Splunk App For Lookup File Edit Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2026-06-24
Splunk Enterprise KV Store Incorrect Authorization Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2026-06-24
Splunk Authentication Token Exposure in Debug Log T1654 TTP Splunk Vulnerabilities 2026-06-24
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2026-06-23
HTTP Scripting Tool User Agent Nginx Access T1071.001 Anomaly HTTP Request Smuggling, Suspicious User Agents 2026-06-15
PTC Windchill Gateway Command Execution Windchill Log4j T1005 T1059 T1190 Anomaly PTC Windchill Exploitation 2026-06-14
PTC Windchill GW READY OK Probe Windchill Log4j T1059 T1190 Anomaly PTC Windchill Exploitation 2026-06-14
Windows EDRSilencer Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-06-13
Splunk Secure Application Alerts for Runtime Security N/A Anomaly Critical Alerts 2026-06-12
Windows Wermgr Alternate Data Stream in Temp Dir Windows icon Sysmon EventID 15 T1564.004 Anomaly RoguePlanet 2026-06-11
Regsvr32 Silent and Install Param Dll Loading Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.010 Anomaly Data Destruction, AsyncRAT, Living Off The Land, Hermetic Wiper, Remcos, Suspicious Regsvr32 Activity 2026-06-09
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication Cisco SD-WAN Auth Log T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-06-09
Cisco SD-WAN Multiple SSH key Authentication from Same Source Cisco SD-WAN Auth Log T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-06-09
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors Cisco Secure Access Proxy T1595 Anomaly Cisco Secure Access Analytics 2026-06-09
Cisco SA - Access to Anonymizer Services Cisco Secure Access DNS T1090.003 Anomaly Cisco Secure Access Analytics 2026-06-09
Regsvr32 with Known Silent Switch Cmdline Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.010 Anomaly AsyncRAT, IcedID, Qakbot, Living Off The Land, Remcos, Suspicious Regsvr32 Activity 2026-06-09
Powershell Using memory As Backing Store Windows icon Powershell Script Block Logging 4104 T1059.001 TTP Data Destruction, MoonPeak, Malicious PowerShell, Medusa Ransomware, IcedID, Hermetic Wiper, Salat Stealer 2026-06-08
Windows Obfuscated Files or Information via RAR SFX Windows icon Sysmon EventID 11 T1027.013 Anomaly APT37 Rustonotto and FadeStealer, Crypto Stealer, GhostRedirector IIS Module and Rungan Backdoor, Salat Stealer 2026-06-08
Windows Process Execution From ProgramData Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.005 Hunting Salt Typhoon, Axios Supply Chain Post Compromise, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, XWorm, StealC Stealer, Salat Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, SnappyBee 2026-06-08
Powershell Disable Security Monitoring Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP BlankGrabber Stealer, CISA AA24-241A, Ransomware, Salat Stealer, Revil Ransomware 2026-06-08
Add or Set Windows Defender Exclusion Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP WhisperGate, Data Destruction, AgentTesla, CISA AA22-320A, XWorm, Remcos, Compromised Windows Host, Crypto Stealer, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, ValleyRAT 2026-06-08
Firewall Allowed Program Enable Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1686 Anomaly Medusa Ransomware, Azorult, NjRAT, PlugX, Salat Stealer, BlackByte Ransomware, Windows Defense Evasion Tactics 2026-06-08
Disable Defender Submit Samples Consent Feature Windows icon Sysmon EventID 13 T1685 TTP BlankGrabber Stealer, CISA AA23-347A, IcedID, Windows Registry Abuse, Azorult, Salat Stealer 2026-06-08
Windows Process Execution in Temp Dir Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.005 T1543 Anomaly Gh0st RAT, PromptLock, Axios Supply Chain Post Compromise, AgentTesla, Trickbot, Ransomware, Qakbot, Lokibot, XWorm, SesameOp, RoguePlanet, Ryuk Ransomware, Remcos, Salat Stealer, PathWiper, NjRAT 2026-06-08
Windows Defender Exclusion Registry Entry Windows icon Sysmon EventID 13 T1685 TTP Qakbot, XWorm, Azorult, Remcos, NetSupport RMM Tool Abuse, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics, ValleyRAT 2026-06-08
Windows Event Log Cleared Windows icon Windows Event Log System 104, Windows icon Windows Event Log Security 1102 T1685.005 TTP ShrinkLocker, Clop Ransomware, Ransomware, CISA AA22-264A, Compromised Windows Host, Salat Stealer, Windows Log Manipulation 2026-06-08
Disable Defender AntiVirus Registry Windows icon Sysmon EventID 13 T1685 TTP Black Basta Ransomware, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, IcedID, Windows Registry Abuse, Cactus Ransomware, Salat Stealer 2026-06-08
Windows Impair Defense Disable Web Evaluation Windows icon Sysmon EventID 13 T1685 TTP Salat Stealer, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-06-08
Disable Windows Behavior Monitoring Windows icon Sysmon EventID 13 T1685 TTP Black Basta Ransomware, BlankGrabber Stealer, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Ransomware, RedLine Stealer, Storm-0501 Ransomware, Azorult, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Cactus Ransomware, Salat Stealer, Revil Ransomware, Windows Defense Evasion Tactics 2026-06-08
Windows Access Token Manipulation SeDebugPrivilege Windows icon Windows Event Log Security 4703 T1134.002 Anomaly Lokibot, Salat Stealer, Brute Ratel C4, WinDealer RAT, AsyncRAT, DarkGate Malware, Derusbi, Scattered Lapsus$ Hunters, Meduza Stealer, Gh0st RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, Salt Typhoon, CISA AA23-347A, Tuoni, PlugX, China-Nexus Threat Activity, SnappyBee, ValleyRAT 2026-06-08
Windows Firewall Rule Added Windows icon Windows Event Log Security 4946 T1686 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware, Salat Stealer 2026-06-08
Disable Windows SmartScreen Protection Windows icon Sysmon EventID 13 T1685 TTP Salat Stealer, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-06-08
Windows Alternate DataStream - Process Execution Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1564.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-06-04
Linux Proxy Socks Curl Linux icon Sysmon for Linux EventID 1 T1090 T1095 TTP Ingress Tool Transfer, Linux Living Off The Land 2026-06-04
PowerShell - Connect To Internet With Hidden Window Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 Hunting Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228 2026-06-04
M365 Copilot Impersonation Jailbreak Attack M365 Exported eDiscovery Prompts T1685 TTP Suspicious Microsoft 365 Copilot Activities 2026-06-04
Windows AD add Self to Group Windows icon Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware 2026-06-01
Windows FFmpeg Audio and Video Device Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1125 Anomaly Salat Stealer 2026-05-20
Windows FFmpeg DirectShow Video Capture Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1125 Anomaly Salat Stealer 2026-05-20
Cisco IOS XE Guestshell Activation and Destroy Cisco IOS Logs T1059 T1611 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE Remote Access Probe Burst Cisco IOS Logs T1018 T1021.004 T1046 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE Request Platform Package Describe Shell Pattern Cisco IOS Logs T1059 T1190 TTP Salt Typhoon 2026-05-20
Cisco IOS XE Reconnaissance Command Activity Cisco IOS Logs T1016 T1082 T1590 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE Tunnel Interface Configuration Cisco IOS Logs T1090 T1572 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE VTY Access Class Tampering Cisco IOS Logs T1021 T1562 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal Cisco IOS Logs T1070.001 T1562 Anomaly Salt Typhoon 2026-05-20
Cisco IOS XE WebUI Programmatic Configuration Cisco IOS Logs T1078 T1190 Anomaly Salt Typhoon 2026-05-19
Cisco IOS XE WebUI Login From IOSd Local Port Cisco IOS Logs T1078 T1190 TTP Salt Typhoon 2026-05-19
Windows Cloud Files Filter Loaded by Uncommon Process Windows icon Sysmon EventID 7 T1543.003 Anomaly RedSun, BlueHammer 2026-05-18
Splunk User Enumeration Attempt Splunk icon Splunk T1078 TTP Splunk Vulnerabilities 2026-05-14
Splunk Sensitive Information Disclosure in DEBUG Logging Channels Splunk icon Splunk T1552 Hunting Splunk Vulnerabilities 2026-05-14
Splunk XSS Privilege Escalation via Custom Urls in Dashboard Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2026-05-14
Splunk RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2026-05-14
Windows PowerShell Add Module to Global Assembly Cache Windows icon Powershell Script Block Logging 4104 T1505.004 TTP IIS Components 2026-05-13
Windows Group Discovery Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 T1069.002 Hunting SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Prestige Ransomware, Azorult, Cleo File Transfer Software, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery, Graceful Wipe Out Attack, Windows Discovery Techniques 2026-05-13
CMLUA Or CMSTPLUA UAC Bypass Windows icon Sysmon EventID 7 T1218.003 TTP DarkSide Ransomware, Ransomware, LockBit Ransomware, ValleyRAT 2026-05-13
Windows PowerShell Invoke-Sqlcmd Execution Windows icon Powershell Script Block Logging 4104 T1059.001 T1059.003 Hunting SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Potato Privilege Escalation Tool Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1068 TTP Windows Privilege Escalation 2026-05-13
Steal or Forge Authentication Certificates Behavior Identified T1649 Correlation Windows Certificate Services 2026-05-13
Windows InstallUtil URL in Command Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1218.004 TTP Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land, Cisco Network Visibility Module Analytics 2026-05-13
Windows New Service Security Descriptor Set Via Sc.EXE Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1564 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
PaperCut NG Suspicious Behavior Debug Log T1133 T1190 Hunting PaperCut MF NG Vulnerability 2026-05-13
Windows Excel Spawning Microsoft Project Application Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.003 Anomaly PathWiper 2026-05-13
Deleting Shadow Copies Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Chaos Ransomware, SamSam Ransomware, Black Basta Ransomware, Void Manticore, LockBit Ransomware, Clop Ransomware, Medusa Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, Termite Ransomware, Prestige Ransomware, CISA AA22-264A, DarkGate Malware, VanHelsing Ransomware, Compromised Windows Host, Cactus Ransomware, Windows Log Manipulation 2026-05-13
Java Writing JSP File Linux icon Sysmon for Linux EventID 11, Linux icon Sysmon for Linux EventID 1 T1133 T1190 TTP SysAid On-Prem Software CVE-2023-47246 Vulnerability, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SAP NetWeaver Exploitation 2026-05-13
Windows Rasautou DLL Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055.001 T1218 TTP Hellcat Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Service Restarted Linux icon Linux Auditd Proctitle T1053.006 Anomaly Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Credentials from Password Stores Deletion Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1555 TTP DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host 2026-05-13
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd File Permission Modification Via Chmod Linux icon Linux Auditd Proctitle T1222.002 Anomaly Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, XorDDos, Linux Living Off The Land, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
USN Journal Deletion Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070 TTP Ransomware, Windows Log Manipulation 2026-05-13
Mshta spawning Rundll32 OR Regsvr32 Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.005 TTP IcedID, APT37 Rustonotto and FadeStealer, Living Off The Land, Trickbot 2026-05-13
Logon Script Event Trigger Execution Windows icon Sysmon EventID 13 T1037.001 TTP Data Destruction, VIP Keylogger, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Execution of File with Multiple Extensions Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 TTP Masquerading - Rename System Utilities, AsyncRAT, Windows File Extension and Association Abuse, DarkGate Malware 2026-05-13
MSBuild Suspicious Spawned By Script Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1127.001 TTP Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild 2026-05-13
Windows Anomalous Registry Value Length in Environment Key Windows icon Sysmon EventID 13 T1112 Anomaly VIP Keylogger 2026-05-13
Windows Password Policy Discovery with Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1201 Hunting Active Directory Discovery 2026-05-13
Windows Potential Cloudflared Network Connection Windows icon Sysmon EventID 3 T1572 Hunting Reverse Network Proxy 2026-05-13
Linux Auditd Find Credentials From Password Stores Linux icon Linux Auditd Execve T1555.005 TTP Linux Privilege Escalation, Scattered Lapsus$ Hunters, Linux Living Off The Land, Hellcat Ransomware, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows WMI Process And Service List Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Linux Auditd Add User Account Linux icon Linux Auditd Proctitle T1136.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Auditd Unload Module Via Modprobe Linux icon Linux Auditd Execve T1547.006 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Reg exe Manipulating Windows Services Registry Keys Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574.011 TTP Windows Persistence Techniques, Windows Service Abuse, Living Off The Land 2026-05-13
Windows Gather Victim Identity SAM Info Windows icon Sysmon EventID 7 T1589.001 Hunting Brute Ratel C4 2026-05-13
Windows Local Administrator Credential Stuffing Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4625 T1110.004 TTP Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Suspicious Copy on System32 Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 Anomaly AsyncRAT, IcedID, Sandworm Tools, Water Gamayun, Qakbot, Unusual Processes, Volt Typhoon, Compromised Windows Host 2026-05-13
Spike in File Writes Windows icon Sysmon EventID 11 N/A Anomaly SamSam Ransomware, Ryuk Ransomware, Ransomware, Rhysida Ransomware 2026-05-13
Windows PowerShell WMI Win32 ScheduledJob Windows icon Powershell Script Block Logging 4104 T1059.001 TTP Active Directory Lateral Movement 2026-05-13
Detect RTLO In Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.002 TTP Spearphishing Attachments 2026-05-13
Detect RTLO In File Name Windows icon Sysmon EventID 11 T1036.002 TTP Spearphishing Attachments 2026-05-13
Linux Preload Hijack Library Calls Linux icon Sysmon for Linux EventID 1 T1574.006 TTP Linux Privilege Escalation, Salt Typhoon, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Windows Administrative Shares Accessed On Multiple Hosts Windows icon Windows Event Log Security 5140, Windows icon Windows Event Log Security 5145 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows Impair Defense Disable Controlled Folder Access Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, BlankGrabber Stealer, Windows Defense Evasion Tactics 2026-05-13
Windows MSIExec DLLRegisterServer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.007 TTP Windows System Binary Proxy Execution MSIExec, Water Gamayun 2026-05-13
Windows ESX Admins Group Creation Security Event Windows icon Windows Event Log Security 4727, Windows icon Windows Event Log Security 4737, Windows icon Windows Event Log Security 4730 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2026-05-13
Windows TeamCity Payload Execution from Temp Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 T1190 T1505.003 TTP JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2026-05-13
Linux Obfuscated Files or Information Base64 Decode Linux icon Sysmon for Linux EventID 1 T1027 Anomaly Linux Living Off The Land 2026-05-13
Linux Sudo OR Su Execution Linux icon Sysmon for Linux EventID 1 T1548.003 Hunting Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, Linux Persistence Techniques 2026-05-13
Windows Screen Capture in TEMP folder Windows icon Sysmon EventID 11 T1113 TTP VIP Keylogger, Braodo Stealer, Crypto Stealer, StealC Stealer, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Rundll32 with Non-Standard File Extension Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 Anomaly Gh0st RAT, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows AD Privileged Object Access Activity Windows icon Windows Event Log Security 4662 T1087.002 TTP Active Directory Discovery, BlackSuit Ransomware 2026-05-13
Windows Defender ASR or Threat Configuration Tamper Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Base64 Decode Files Linux icon Linux Auditd Execve T1140 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux RPM Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
PowerShell Invoke WmiExec Usage Windows icon Powershell Script Block Logging 4104 T1047 TTP Suspicious WMI Use, Scattered Lapsus$ Hunters 2026-05-13
Crowdstrike Medium Severity Alert T1110 Anomaly Compromised Windows Host 2026-05-13
Windows Level RMM PowerShell Script Installer Windows icon Powershell Script Block Logging 4104 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Detect Empire with PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction 2026-05-13
ICACLS Grant Command Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222 Anomaly XMRig, Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Windows Crowdstrike RTR Script Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 Anomaly Cobalt Strike, Malicious PowerShell, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Powershell Load Module in Meterpreter Windows icon Powershell Script Block Logging 4104 T1059.001 TTP MetaSploit 2026-05-13
Windows Chromium Process Launched with Logging Disabled Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 Anomaly Browser Hijacking 2026-05-13
Disable Windows App Hotkeys Windows icon Sysmon EventID 13 T1112 T1685 TTP XMRig, Windows Registry Abuse 2026-05-13
GetWmiObject Ds Group with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069.002 TTP Active Directory Discovery 2026-05-13
Windows Explorer.exe Spawning PowerShell or Cmd Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1059.001 T1204.002 Hunting ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Suspicious Rundll32 StartW Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP Cobalt Strike, Hellcat Ransomware, Trickbot, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, BlackByte Ransomware 2026-05-13
Windows Binary Execution from an Archive CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204.002 Anomaly Spearphishing Attachments 2026-05-13
Linux Visudo Utility Execution Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows PowerView Kerberos Service Ticket Request Windows icon Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Kerberos Attacks, Rhysida Ransomware 2026-05-13
Clop Ransomware Known Service Name Windows icon Windows Event Log System 7045 T1543 TTP Compromised Windows Host, Clop Ransomware 2026-05-13
System User Discovery With Whoami Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting PHP-CGI RCE Attack on Japanese Organizations, CISA AA23-347A, Rhysida Ransomware, Qakbot, Lotus Blossom Chrysalis Backdoor, Active Directory Discovery, LAMEHUG, Winter Vivern 2026-05-13
Windows Odbcconf Load Response File Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.008 TTP Living Off The Land 2026-05-13
Windows Impair Defense Disable Win Defender Signature Retirement Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Windows Audit Policy Auditing Option Disabled via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Windows AD Suspicious Attribute Modification Windows icon Windows Event Log Security 5136 T1222.001 T1550 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Spoolsv Writing a DLL - Sysmon Windows icon Sysmon EventID 11 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Execute Javascript With Jscript COM CLSID Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.005 TTP Ransomware 2026-05-13
Linux Possible Access Or Modification Of sshd Config File Linux icon Sysmon for Linux EventID 1 T1098.004 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Impair Defense Define Win Defender Threat Action Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows IOBit Unlocker Extension DLL Registration via Regsvr32 Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.010 TTP Compromised Windows Host 2026-05-13
Windows Modify Registry Do Not Connect To Win Update Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows DnsAdmins New Member Added Windows icon Windows Event Log Security 4732 T1098 TTP Active Directory Privilege Escalation 2026-05-13
Windows Drivers Loaded by Signature Windows icon Sysmon EventID 6 T1014 T1068 Hunting Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A 2026-05-13
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download Network icon Cisco Network Visibility Module Flow Data T1218.005 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Disabling SystemRestore In Registry Windows icon Sysmon EventID 13 T1490 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Windows Proxy Execution of .NET Utilities via Scripts Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218 Anomaly VIP Keylogger 2026-05-13
Windows Remote Access Software RMS Registry Windows icon Sysmon EventID 13 T1219 TTP Azorult 2026-05-13
Windows Large Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1078 T1135 Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Suspicious msbuild path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 T1127.001 TTP Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware 2026-05-13
Windows ConsoleHost History File Deletion Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Linux DD File Overwrite Linux icon Sysmon for Linux EventID 1 T1485 TTP Data Destruction, Industroyer2 2026-05-13
Remote Process Instantiation via WMI and PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows Kerberos Coercion via DNS Windows icon Windows Event Log Security 4662, Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Detect Regsvr32 Application Control Bypass Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.010 TTP Cobalt Strike, BlackByte Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Living Off The Land, Compromised Windows Host, Graceful Wipe Out Attack, Suspicious Regsvr32 Activity 2026-05-13
Windows Entra User Management Via Azure CLI Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1078.004 T1098 T1136 Anomaly Azure Active Directory Persistence 2026-05-13
Windows DNS Query Request To TinyUrl Windows icon Sysmon EventID 22 T1105 Anomaly Malicious Inno Setup Loader 2026-05-13
Wscript Or Cscript Suspicious Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 T1134.004 T1543 Anomaly WhisperGate, MuddyWater, Data Destruction, ShrinkLocker, Axios Supply Chain Post Compromise, FIN7, VIP Keylogger, XWorm, Unusual Processes, Remcos, 0bj3ctivity Stealer, NjRAT 2026-05-13
Windows Outlook Dialogs Disabled from Unusual Process Windows icon Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Common Ransomware Notes Windows icon Sysmon EventID 11 T1485 Hunting Chaos Ransomware, SamSam Ransomware, Black Basta Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Ransomware, Rhysida Ransomware, Termite Ransomware, Storm-0501 Ransomware, Ryuk Ransomware, Hellcat Ransomware, NailaoLocker Ransomware 2026-05-13
Windows Hosts File Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Gh0st RAT, BlankGrabber Stealer 2026-05-13
Windows Exfiltration Over C2 Via Invoke RestMethod Windows icon Powershell Script Block Logging 4104 T1041 TTP Water Gamayun, Microsoft WSUS CVE-2025-59287, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Winter Vivern 2026-05-13
Print Spooler Adding A Printer Driver Windows icon Windows Event Log Printservice 316 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-05-13
Rundll32 Control RunDLL Hunt Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 Hunting Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows Process Injection into Commonly Abused Processes Windows icon Sysmon EventID 10 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer 2026-05-13
Recon Using WMI Class Windows icon Powershell Script Block Logging 4104 T1059.001 T1592 Anomaly Quasar RAT, Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, MoonPeak, LockBit Ransomware, AsyncRAT, BlankGrabber Stealer, VIP Keylogger, Qakbot, Hermetic Wiper, Industroyer2, Scattered Spider, Malicious Inno Setup Loader 2026-05-13
Domain Controller Discovery with Wmic Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 Hunting Active Directory Discovery 2026-05-13
Windows Domain Account Discovery Via Get-NetComputer Windows icon Powershell Script Block Logging 4104 T1087.002 Anomaly CISA AA23-347A 2026-05-13
Windows Remote Assistance Spawning Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP Compromised Windows Host, Unusual Processes 2026-05-13
Windows AD SID History Attribute Modified Windows icon Windows Event Log Security 5136 T1134.005 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Wmic Group Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Windows Steal or Forge Kerberos Tickets Klist Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1558 Hunting Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows SIP WinVerifyTrust Failed Trust Validation Windows icon Windows Event Log CAPI2 81 T1553.003 Anomaly Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Modify Registry WuServer Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows RDP Bitmap Cache File Creation Windows icon Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Chromium process Launched with Disable Popup Blocking Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 Anomaly Browser Hijacking 2026-05-13
Windows WSUS Spawning Shell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1190 T1505.003 TTP Microsoft WSUS CVE-2025-59287 2026-05-13
Windows Service Created with Suspicious Service Name Windows icon Windows Event Log System 7045 T1569.002 Anomaly Gh0st RAT, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, Tuoni, PlugX, Brute Ratel C4, Active Directory Lateral Movement 2026-05-13
Windows Credentials from Web Browsers Saved in TEMP Folder Windows icon Sysmon EventID 11 T1555.003 TTP Braodo Stealer, Scattered Lapsus$ Hunters 2026-05-13
Windows Process With NamedPipe CommandLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 Anomaly Windows Defense Evasion Tactics 2026-05-13
Malicious Powershell Executed As A Service Windows icon Windows Event Log System 7045 T1569.002 TTP Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell 2026-05-13
CMD Echo Pipe - Escalation Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 T1543.003 TTP Cobalt Strike, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack 2026-05-13
User Discovery With Env Vars PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting Active Directory Discovery 2026-05-13
Linux PHP Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Cisco Isovalent - Non Allowlisted Image Use Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows BitLockerToGo with Network Activity Windows icon Sysmon EventID 22 T1218 Hunting Lumma Stealer, Hellcat Ransomware 2026-05-13
Disable Defender BlockAtFirstSeen Feature Windows icon Sysmon EventID 13 T1685 TTP CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, IcedID, Windows Registry Abuse, Azorult 2026-05-13
Linux Account Manipulation Of SSH Config and Keys Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly Hellcat Ransomware, AcidRain 2026-05-13
Windows Proxy Via Netsh Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows SqlWriter SQLDumper DLL Sideload Windows icon Sysmon EventID 7 T1574.001 TTP APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows GrimResource - MMC Process Accessing APDS DLL Windows icon Windows Event Log Security 4663 T1059.007 T1218.014 TTP Compromised Windows Host 2026-05-13
MacOS - Re-opened Applications Windows icon Sysmon EventID 1 N/A TTP ColdRoot MacOS RAT 2026-05-13
Suspicious Scheduled Task from Public Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 Anomaly Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Living Off The Land, Lokibot, XWorm, DarkCrystal RAT, Ryuk Ransomware, Windows Persistence Techniques, NetSupport RMM Tool Abuse, CISA AA24-241A, Medusa Ransomware, Azorult, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer 2026-05-13
MOVEit Empty Key Fingerprint Authentication Attempt T1190 Hunting MOVEit Transfer Authentication Bypass, Hellcat Ransomware 2026-05-13
Processes Tapping Keyboard Events Osquery Results N/A TTP APT37 Rustonotto and FadeStealer, ColdRoot MacOS RAT 2026-05-13
Powershell Execute COM Object Windows icon Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction 2026-05-13
Linux Auditd Possible Access To Credential Files Linux icon Linux Auditd Proctitle T1003.008 Anomaly Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Unload Sysmon Filter Driver Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP Disabling Security Tools, CISA AA23-347A 2026-05-13
WSReset UAC Bypass Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1548.002 TTP Windows Registry Abuse, MoonPeak, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows RMM Tool Execution Windows icon Sysmon EventID 1 T1219 Anomaly Suspicious User Agents, NetSupport RMM Tool Abuse, Remote Monitoring and Management Software 2026-05-13
Elevated Group Discovery with PowerView Windows icon Powershell Script Block Logging 4104 T1069.002 Hunting Active Directory Discovery 2026-05-13
Linux Doas Tool Execution Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Auto Admin Logon Registry Entry Windows icon Sysmon EventID 13 T1552.002 TTP BlackMatter Ransomware, Windows Registry Abuse 2026-05-13
DSQuery Domain Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1482 TTP Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery 2026-05-13
Windows Remote Management Execute Shell Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1021.006 Anomaly Crypto Stealer 2026-05-13
Windows Service Stop Attempt Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1489 Hunting Prestige Ransomware, Scattered Lapsus$ Hunters, Graceful Wipe Out Attack, Gh0st RAT 2026-05-13
System User Discovery With Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting Active Directory Discovery, Medusa Ransomware 2026-05-13
Spoolsv Suspicious Process Access Windows icon Sysmon EventID 10 T1068 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
MS Exchange Mailbox Replication service writing Active Server Pages Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1133 T1190 T1505.003 TTP Ransomware, ProxyShell, BlackByte Ransomware 2026-05-13
Curl Execution with Percent Encoded URL Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Linux icon Sysmon for Linux EventID 1 T1027 T1105 Anomaly Ingress Tool Transfer, Compromised Windows Host, Living Off The Land 2026-05-13
Windows Command and Scripting Interpreter Path Traversal Exec Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Detect Rundll32 Inline HTA Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.005 TTP APT37 Rustonotto and FadeStealer, NOBELIUM Group, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Mailsniper Invoke functions Windows icon Powershell Script Block Logging 4104 T1114.001 TTP Data Exfiltration 2026-05-13
Windows Modify Registry DisAllow Windows App Windows icon Sysmon EventID 13 T1112 TTP Azorult 2026-05-13
Windows Net System Service Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1007 Hunting Gh0st RAT, LAMEHUG 2026-05-13
SecretDumps Offline NTDS Dumping Tool Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.003 TTP Rhysida Ransomware, Storm-0501 Ransomware, Credential Dumping, Compromised Windows Host, Graceful Wipe Out Attack 2026-05-13
Impacket Lateral Movement Commandline Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script Windows icon Powershell Script Block Logging 4104 T1021.007 T1069.003 T1078 T1098 T1136.003 Anomaly Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
GetWmiObject DS User with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows Unusual Intelliform Storage Registry Access Windows icon Windows Event Log Security 4663 T1552.001 Anomaly Quasar RAT, Lokibot 2026-05-13
Windows Excessive Service Stop Attempt Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1489 TTP XMRig, Ransomware, BlackByte Ransomware 2026-05-13
Windows Sensitive Group Discovery With Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 Anomaly BlackSuit Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Volt Typhoon, Active Directory Discovery 2026-05-13
Windows Office Product Spawned Child Process For Download Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, PlugX, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Powershell Enable SMB1Protocol Feature Windows icon Powershell Script Block Logging 4104 T1027.005 TTP Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction 2026-05-13
GetLocalUser with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery 2026-05-13
Suspicious microsoft workflow compiler usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1127 TTP Trusted Developer Utilities Proxy Execution, Living Off The Land 2026-05-13
Windows DLL Module Loaded in Temp Dir Windows icon Sysmon EventID 7 T1105 Hunting Lokibot, SolarWinds WHD RCE Post Exploitation, Interlock Rat 2026-05-13
Windows Modify Registry EnableLinkedConnections Windows icon Sysmon EventID 13 T1112 TTP BlackByte Ransomware 2026-05-13
Windows MSIX Package Interaction Windows icon Windows Event Log AppXPackaging 171 T1204.002 Hunting MSIX Package Abuse 2026-05-13
Linux Auditd Preload Hijack Library Calls Linux icon Linux Auditd Execve T1574.006 TTP Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Unsigned MS DLL Side-Loading Windows icon Sysmon EventID 7 T1547 T1574.001 Anomaly Salt Typhoon, Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Kerberos Pre-Authentication Flag Disabled with PowerShell Windows icon Powershell Script Block Logging 4104 T1558.004 TTP Active Directory Kerberos Attacks 2026-05-13
Linux Possible Append Command To Profile Config File Linux icon Sysmon for Linux EventID 1 T1546.004 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
MacOS Network Share Discovery Osquery Results T1135 Anomaly MacOS Post-Exploitation 2026-05-13
Windows Impair Defense Override SmartScreen Prompt Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Overide Win Defender Phishing Filter Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Cisco Isovalent - Cron Job Creation Cisco Isovalent Process Exec T1053.003 T1053.007 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Child Processes of Spoolsv exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1068 TTP Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Windows System Script Proxy Execution Syncappvpublishingserver Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1216 T1218 TTP Living Off The Land 2026-05-13
Disabled Kerberos Pre-Authentication Discovery With PowerView Windows icon Powershell Script Block Logging 4104 T1558.004 TTP Active Directory Kerberos Attacks, Interlock Ransomware 2026-05-13
Remote Process Instantiation via WinRM and Winrs Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Trickbot Named Pipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1055 TTP Hellcat Ransomware, Trickbot 2026-05-13
Linux Busybox Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows New Custom Security Descriptor Set On EventLog Channel Windows icon Sysmon EventID 13 T1685.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware 2026-05-13
Windows System Network Config Discovery Display DNS Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1016 Anomaly Prestige Ransomware, Water Gamayun, Windows Post-Exploitation, Medusa Ransomware 2026-05-13
Windows File and Directory Permissions Enable Inheritance Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1222.001 Hunting NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Windows Impair Defense Delete Win Defender Context Menu Windows icon Sysmon EventID 13 T1685 Hunting Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Default RDP File Creation By Non MSTSC Process Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows AD Short Lived Domain Account ServicePrincipalName Windows icon Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Detect New Local Admin account Windows icon Windows Event Log Security 4732, Windows icon Windows Event Log Security 4720 T1136.001 TTP CISA AA24-241A, HAFNIUM Group, DHS Report TA18-074A, Scattered Lapsus$ Hunters, CISA AA22-257A 2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 Hunting Active Directory Discovery 2026-05-13
Windows Odbcconf Load DLL Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.008 TTP Living Off The Land 2026-05-13
Advanced IP or Port Scanner Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1046 T1135 Anomaly Windows Defense Evasion Tactics 2026-05-13
Linux Auditd At Application Execution Linux icon Linux Auditd Syscall T1053.002 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Security Account Manager Stopped Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1489 TTP Ryuk Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Windows Impair Defenses Disable HVCI Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, BlackLotus Campaign, Windows Defense Evasion Tactics 2026-05-13
Cisco NVM - Susp Script From Archive Triggering Network Activity Network icon Cisco Network Visibility Module Flow Data T1059.005 T1204.002 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Scheduled Task with Highest Privileges Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 TTP Quasar RAT, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, AsyncRAT, Scheduled Tasks, RedLine Stealer, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Castle RAT 2026-05-13
Windows InProcServer32 New Outlook Form Windows icon Sysmon EventID 13 T1112 T1566 Anomaly Outlook RCE CVE-2024-21378 2026-05-13
Detect Regasm Spawning a Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.009 TTP Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Snake Keylogger, DarkGate Malware, Compromised Windows Host 2026-05-13
Short Lived Scheduled Task Windows icon Windows Event Log Security 4699, Windows icon Windows Event Log Security 4698 T1053.005 TTP CISA AA23-347A, Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, Active Directory Lateral Movement 2026-05-13
Windows AD Cross Domain SID History Addition Windows icon Windows Event Log Security 4742, Windows icon Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Disabling Firewall with Netsh Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly BlackByte Ransomware, Windows Defense Evasion Tactics 2026-05-13
Windows TOR Client Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1090.003 Anomaly Data Exfiltration, Command And Control, Data Protection, Compromised Windows Host, Windows Post-Exploitation 2026-05-13
GetNetTcpconnection with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1049 Hunting Active Directory Discovery 2026-05-13
Windows Audit Policy Cleared via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Linux Cpulimit Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Compatibility Telemetry Suspicious Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Linux Auditd Data Transfer Size Limits Via Split Linux icon Linux Auditd Execve T1030 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Enable RDP In Other Port Number Windows icon Sysmon EventID 13 T1021 TTP Interlock Ransomware, Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch, Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux Service File Created In Systemd Directory Linux icon Sysmon for Linux EventID 11 T1053.006 Anomaly Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, China-Nexus Threat Activity, Gomir, Linux Persistence Techniques 2026-05-13
Windows AutoIt3 Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 TTP DarkGate Malware, Void Manticore, Handala Wiper, Crypto Stealer 2026-05-13
Windows Diskshadow Proxy Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218 TTP Living Off The Land 2026-05-13
Windows PowerShell FakeCAPTCHA Clipboard Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1059.001 T1059.003 T1204.001 TTP Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Fake CAPTCHA Campaigns 2026-05-13
Linux Auditd Sysmon Service Stop Linux icon Linux Auditd Service Stop T1489 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Office Product Spawned Rundll32 With No DLL Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Prestige Ransomware, Compromised Windows Host, Crypto Stealer, Spearphishing Attachments, Graceful Wipe Out Attack 2026-05-13
Domain Group Discovery With Wmic Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 Hunting Active Directory Discovery 2026-05-13
Windows Admon Default Group Policy Object Modified Windows icon Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Schtasks scheduling job on remote system Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 TTP Quasar RAT, Scheduled Tasks, Living Off The Land, RedLine Stealer, Prestige Ransomware, NOBELIUM Group, Compromised Windows Host, Active Directory Lateral Movement, Phemedrone Stealer 2026-05-13
Windows PowerShell Export Certificate Windows icon Powershell Script Block Logging 4104 T1552.004 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows MSIExec Spawn WinDBG Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.007 TTP DarkGate Malware, Compromised Windows Host 2026-05-13
Windows Modify Registry Disable WinDefender Notifications Windows icon Sysmon EventID 13 T1112 TTP SolarWinds WHD RCE Post Exploitation, RedLine Stealer, CISA AA23-347A 2026-05-13
Cisco Isovalent - Shell Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows Suspicious VMWare Tools Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 TTP China-Nexus Threat Activity, ESXi Post Compromise 2026-05-13
Windows AppX Deployment Full Trust Package Installation Windows icon Windows Event Log AppXDeployment-Server 400 T1204.002 T1553.005 Hunting MSIX Package Abuse 2026-05-13
Outbound Network Connection from Java Using Default Ports Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1133 T1190 TTP Log4Shell CVE-2021-44228 2026-05-13
Windows Powershell RemoteSigned File Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 Anomaly Amadey 2026-05-13
Detect Rare Executables Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204 Anomaly Salt Typhoon, Rhysida Ransomware, Unusual Processes, Crypto Stealer, China-Nexus Threat Activity, SnappyBee 2026-05-13
Potential password in username Linux icon Linux Secure T1078.003 T1552.001 Hunting Credential Dumping, Insider Threat 2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port Network icon Cisco Network Visibility Module Flow Data T1571 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
MacOS AMOS Stealer - Virtual Machine Check Activity Osquery Results T1059.002 Anomaly Hellcat Ransomware, AMOS Stealer 2026-05-13
Linux Service Started Or Enabled Linux icon Sysmon for Linux EventID 1 T1053.006 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Gomir, Linux Persistence Techniques 2026-05-13
SLUI Spawning a Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1548.002 TTP DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Linux Docker Root Directory Mount Linux icon Sysmon for Linux EventID 1 T1611 TTP Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Hardware Addition Swapoff Linux icon Linux Auditd Execve T1200 Anomaly AwfulShred, Data Destruction, Scattered Lapsus$ Hunters, Compromised Linux Host 2026-05-13
Windows Impair Defense Delete Win Defender Profile Registry Windows icon Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows AD Object Owner Updated Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Services Escalate Exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1548 TTP Cobalt Strike, CISA AA23-347A, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Linux Auditd Shred Overwrite Command Linux icon Linux Auditd Proctitle T1485 TTP Linux Privilege Escalation, Data Destruction, AwfulShred, Industroyer2, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Creation of Shadow Copy Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.003 TTP Credential Dumping, Volt Typhoon, Compromised Windows Host 2026-05-13
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Office Product Spawned Control Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 TTP Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host 2026-05-13
Windows Wmic CPU Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Windows OneDrive Share Mounted via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1567.002 Anomaly Data Exfiltration 2026-05-13
Windows Registry Entries Exported Via Reg Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1012 Hunting CISA AA23-347A, Windows Post-Exploitation, Prestige Ransomware 2026-05-13
Detect Remote Access Software Usage Registry Windows icon Sysmon EventID 13 T1219 Anomaly Command And Control, CISA AA24-241A, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Linux Edit Cron Table Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows AppCertDLL Modification Via Command Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1546.009 Anomaly Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Kerberos Service Ticket Request Using RC4 Encryption Windows icon Windows Event Log Security 4769 T1558.001 TTP Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation 2026-05-13
Print Spooler Failed to Load a Plug-in Windows icon Windows Event Log Printservice 4909, Windows icon Windows Event Log Printservice 808 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Chrome Auto-Update Disabled via Registry Windows icon Sysmon EventID 13 T1185 Anomaly Browser Hijacking 2026-05-13
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Disable Defender Enhanced Notification Windows icon Sysmon EventID 13 T1685 TTP IcedID, Azorult, Windows Registry Abuse, CISA AA23-347A 2026-05-13
GetWmiObject User Account with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery, Water Gamayun, Winter Vivern 2026-05-13
PowerShell Get LocalGroup Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 Hunting Active Directory Discovery 2026-05-13
Windows Multiple NTLM Null Domain Authentications Windows icon NTLM Operational 8006, Windows icon NTLM Operational 8005, Windows icon NTLM Operational 8004 T1110.003 TTP Active Directory Password Spraying 2026-05-13
GetCurrent User with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2026-05-13
Modify ACL permission To Files Or Folder Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig, Crypto Stealer 2026-05-13
Windows PowerShell ScheduleTask Windows icon Powershell Script Block Logging 4104 T1053.005 T1059.001 Anomaly Scheduled Tasks, Scattered Spider 2026-05-13
Windows Global Object Access Audit List Cleared Via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Dump LSASS via procdump Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.001 TTP HAFNIUM Group, Storm-2460 CLFS Zero Day Exploitation, Seashell Blizzard, Credential Dumping, Compromised Windows Host, CISA AA22-257A 2026-05-13
Windows Modify Registry to Add or Modify Firewall Rule Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 14 T1112 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A 2026-05-13
BITSAdmin Download File Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1105 T1197 TTP GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, BITS Jobs, Scattered Spider, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Account Discovery With NetUser PreauthNotRequire Windows icon Powershell Script Block Logging 4104 T1087 Hunting CISA AA23-347A 2026-05-13
Windows SSH Proxy Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 T1105 T1572 Anomaly Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Windows Modify Registry DisableSecuritySettings Windows icon Sysmon EventID 13 T1112 TTP DarkGate Malware, CISA AA23-347A 2026-05-13
Windows System File on Disk Windows icon Sysmon EventID 11 T1068 Hunting CISA AA22-264A, Windows Drivers, Crypto Stealer 2026-05-13
Detect SharpHound File Modifications Windows icon Sysmon EventID 11 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Ransomware, BlackSuit Ransomware, Windows Discovery Techniques 2026-05-13
Disable Show Hidden Files Windows icon Sysmon EventID 13 T1112 T1564.001 T1685 Anomaly Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Rundll32 Apply User Settings Changes Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 Anomaly Rhysida Ransomware 2026-05-13
Possible Browser Pass View Parameter Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1555.003 Hunting Remcos 2026-05-13
Network Traffic to Active Directory Web Services Protocol Windows icon Sysmon EventID 3 T1069.001 T1069.002 T1087.001 T1087.002 T1482 Hunting Windows Discovery Techniques 2026-05-13
Windows AD Domain Root ACL Deletion Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Vulnerable Driver Loaded Windows icon Sysmon EventID 6 T1543.003 Hunting Void Manticore, Windows Drivers, BlackByte Ransomware 2026-05-13
Modification Of Wallpaper Windows icon Sysmon EventID 13 T1491 TTP Black Basta Ransomware, LockBit Ransomware, Windows Registry Abuse, Ransomware, Rhysida Ransomware, ZOVWiper, BlackMatter Ransomware, Brute Ratel C4, Revil Ransomware 2026-05-13
Windows SpeechRuntime COM Hijacking DLL Load Windows icon Sysmon EventID 7 T1021.003 TTP Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows System Time Discovery W32tm Delay Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1124 Anomaly DarkCrystal RAT 2026-05-13
Linux Add User Account Cisco Isovalent Process Exec, Linux icon Sysmon for Linux EventID 1 T1136.001 Hunting Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Linux Persistence Techniques 2026-05-13
Domain Controller Discovery with Nltest Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 TTP BlackSuit Ransomware, CISA AA23-347A, Medusa Ransomware, Rhysida Ransomware, NetSupport RMM Tool Abuse, Active Directory Discovery 2026-05-13
Linux Telnet Authentication Bypass Linux icon Sysmon for Linux EventID 1 T1548 TTP Telnetd CVE-2026-24061 2026-05-13
Windows HTTP Network Communication From MSIExec Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data, Windows icon Sysmon EventID 3 T1218.007 Anomaly Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Windows System Binary Proxy Execution MSIExec, APT37 Rustonotto and FadeStealer 2026-05-13
Cisco NVM - Suspicious Network Connection to IP Lookup Service API Network icon Cisco Network Visibility Module Flow Data T1016 T1590.005 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics, Castle RAT 2026-05-13
Linux Doas Conf File Creation Linux icon Sysmon for Linux EventID 11 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Filtering Platform Policy Added to Block EDR Process Windows icon Sysmon EventID 13 T1685 TTP Disabling Security Tools, Security Solution Tampering 2026-05-13
Windows Office Product Loading VBE7 DLL Windows icon Sysmon EventID 7 T1566.001 Anomaly MuddyWater, AgentTesla, Trickbot, IcedID, Qakbot, Azorult, DarkCrystal RAT, Remcos, PlugX, Spearphishing Attachments, NjRAT 2026-05-13
Windows PsTools Recon Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 T1046 T1082 Anomaly Compromised Windows Host 2026-05-13
Linux Auditd Doas Conf File Creation Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1548.003 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Data Destruction Recursive Exec Files Deletion Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1485 TTP Data Destruction, Void Manticore, Handala Wiper, Disk Wiper, Swift Slicer 2026-05-13
Windows Service Creation on Remote Endpoint Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543.003 TTP Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Active Directory Lateral Movement, SnappyBee 2026-05-13
Linux OpenVPN Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows PowerView SPN Discovery Windows icon Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Kerberos Attacks, Interlock Ransomware, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Windows AD Domain Controller Promotion Windows icon Windows Event Log Security 4742 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Sdclt UAC Bypass Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1548.002 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Devtunnels Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1090 Anomaly Reverse Network Proxy 2026-05-13
Linux Deletion Of Cron Jobs Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidPour, Data Destruction, AcidRain 2026-05-13
Windows RunMRU Command Execution Windows icon Sysmon EventID 13 T1202 Anomaly Lumma Stealer, Fake CAPTCHA Campaigns 2026-05-13
Windows Office Product Loading Taskschd DLL Windows icon Sysmon EventID 7 T1566.001 Anomaly Spearphishing Attachments 2026-05-13
GetCurrent User with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting Active Directory Discovery 2026-05-13
Powershell Get LocalGroup Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069.001 Hunting Active Directory Discovery 2026-05-13
Svchost LOLBAS Execution Process Spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 TTP Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Terminating Lsass Process Windows icon Sysmon EventID 10 T1685 Anomaly Data Destruction, Double Zero Destructor, Scattered Lapsus$ Hunters 2026-05-13
Windows Impair Defense Disable Win Defender App Guard Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
MacOS Hidden Files and Directories Osquery Results T1564.001 Anomaly MacOS Persistence Techniques 2026-05-13
Windows COM Hijacking InprocServer32 Modification Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1546.015 TTP Compromised Windows Host, Living Off The Land 2026-05-13
Windows Impair Defense Disable Win Defender Report Infection Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows SQL Server Startup Procedure Windows icon Windows Event Log Application 17135 T1505.001 Anomaly SQL Server Abuse, Hellcat Ransomware 2026-05-13
Windows Chrome Enable Extension Loading via Command-Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1185 Anomaly Browser Hijacking 2026-05-13
LOLBAS With Network Traffic Windows icon Sysmon EventID 3 T1105 T1218 T1567 TTP GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, NetSupport RMM Tool Abuse, Hellcat Ransomware, Malicious Inno Setup Loader 2026-05-13
Windows Account Discovery for Sam Account Name Windows icon Powershell Script Block Logging 4104 T1087 Anomaly CISA AA23-347A 2026-05-13
Linux Possible Append Command To At Allow Config File Linux icon Sysmon for Linux EventID 1 T1053.002 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques 2026-05-13
Windows Impair Defense Disable Realtime Signature Delivery Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Hiding Files And Directories With Attrib exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222.001 TTP VIP Keylogger, Azorult, Windows Persistence Techniques, Compromised Windows Host, Crypto Stealer, Malicious Inno Setup Loader, Windows Defense Evasion Tactics 2026-05-13
Windows Command and Scripting Interpreter Hunting Path Traversal Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 Hunting Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2026-05-13
Hide User Account From Sign-In Screen Windows icon Sysmon EventID 13 T1685 TTP Azorult, XMRig, Windows Registry Abuse, Warzone RAT 2026-05-13
Windows Modify Registry Disable Restricted Admin Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Audit Policy Restored via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Information Discovery Fsutil Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows User Disabled Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1531 Anomaly XMRig 2026-05-13
Linux Possible Append Cronjob Entry on Existing Cronjob File Linux icon Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Modify Registry ValleyRat PWN Reg Entry Windows icon Sysmon EventID 13 T1112 TTP ValleyRAT 2026-05-13
Detect mshta inline hta execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.005 TTP Suspicious MSHTA Activity, BlankGrabber Stealer, Gozi Malware, Living Off The Land, XWorm, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Unusual Count Of Users Remotely Failed To Auth From Host Windows icon Windows Event Log Security 4625 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Suspicious React or Next.js Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 T1059.003 T1190 TTP React2Shell 2026-05-13
Windows Query Registry Browser List Application Windows icon Windows Event Log Security 4663 T1012 Anomaly China-Nexus Threat Activity, Salt Typhoon, RedLine Stealer, SnappyBee 2026-05-13
Excessive number of service control start as disabled Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Whoami User Discovery Linux icon Linux Auditd Syscall T1033 Anomaly Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Detect Exchange Web Shell Windows icon Sysmon EventID 11 T1133 T1190 T1505.003 TTP GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, ProxyShell, Seashell Blizzard, Compromised Windows Host, ProxyNotShell, CISA AA22-257A, BlackByte Ransomware 2026-05-13
Linux Node Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Mimikatz Binary Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003 TTP CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Flax Typhoon, Credential Dumping, Volt Typhoon, Compromised Windows Host, Scattered Spider 2026-05-13
Enumerate Users Local Group Using Telegram Windows icon Windows Event Log Security 4798 T1087 TTP XMRig, Water Gamayun, Compromised Windows Host 2026-05-13
Windows Audit Policy Excluded Category via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Driver Inventory T1068 Hunting Windows Drivers 2026-05-13
Suspicious Process Executed From Container File Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.008 T1204.002 TTP GhostRedirector IIS Module and Rungan Backdoor, Amadey, Water Gamayun, Unusual Processes, Snake Keylogger, Remcos, APT37 Rustonotto and FadeStealer 2026-05-13
Clop Common Exec Parameter Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204 TTP Compromised Windows Host, Clop Ransomware 2026-05-13
WinEvent Scheduled Task Created to Spawn Shell Windows icon Windows Event Log Security 4698 T1053.005 TTP Salt Typhoon, Medusa Ransomware, Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, SystemBC, China-Nexus Threat Activity, 0bj3ctivity Stealer, CISA AA22-257A, Winter Vivern, Castle RAT 2026-05-13
PowerShell Start-BitsTransfer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1197 TTP BITS Jobs, Gozi Malware 2026-05-13
AdsiSearcher Account Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Data Destruction, CISA AA23-347A, Scattered Lapsus$ Hunters, Industroyer2, Active Directory Discovery 2026-05-13
Excessive Usage of NSLOOKUP App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1048 Anomaly Data Exfiltration, Command And Control, Dynamic DNS, Suspicious DNS Traffic 2026-05-13
Windows Scheduled Task Created Via XML Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 Anomaly MoonPeak, CISA AA23-347A, Scheduled Tasks, Lokibot, Malicious Inno Setup Loader, Winter Vivern 2026-05-13
Windows Cabinet File Extraction Via Expand Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1105 TTP NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Suspicious Child Process Spawned From WebServer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1505.003 Anomaly Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, WS FTP Server Critical Vulnerabilities, ProxyShell, Microsoft WSUS CVE-2025-59287, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, CISA AA22-264A, Compromised Windows Host, Microsoft SharePoint Vulnerabilities, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, CISA AA22-257A, BlackByte Ransomware 2026-05-13
Cisco Isovalent - Access To Cloud Metadata Service Cisco Isovalent Process Connect T1552.005 Anomaly Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows NirSoft Tool Bundle File Created Windows icon Sysmon EventID 11 T1588.002 Anomaly WhisperGate, Data Destruction, Unusual Processes 2026-05-13
Windows Potential Cloudflared Tunnel Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1572 Anomaly Reverse Network Proxy 2026-05-13
Network Share Discovery Via Dir Command Windows icon Windows Event Log Security 5140 T1135 Hunting IcedID 2026-05-13
Set Default PowerShell Execution Policy To Unrestricted or Bypass Windows icon Sysmon EventID 13 T1059.001 TTP Malicious PowerShell, Data Destruction, SolarWinds WHD RCE Post Exploitation, HAFNIUM Group, Hermetic Wiper, DarkGate Malware, Credential Dumping, SystemBC 2026-05-13
Notepad with no Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP BishopFox Sliver Adversary Emulation Framework 2026-05-13
Detect Password Spray Attack Behavior On User Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4625 T1110.003 TTP Compromised User Account, Crypto Stealer 2026-05-13
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2026-05-13
Single Letter Process On Endpoint Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204.002 TTP DHS Report TA18-074A, Compromised Windows Host 2026-05-13
Linux Setuid Using Chmod Utility Linux icon Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Steal Authentication Certificates Export Certificate Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1649 Anomaly Windows Certificate Services 2026-05-13
Linux Composer Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Increase in User Modification Activity Windows icon Windows Event Log Security 4720 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Sdelete Application Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070.004 T1485 TTP Masquerading - Rename System Utilities, Void Manticore, Scattered Spider 2026-05-13
Windows Downdate Registry Activity Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 14 T1112 T1689 Anomaly Windows Persistence Techniques 2026-05-13
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Windows icon Powershell Script Block Logging 4104 T1558.004 TTP Active Directory Kerberos Attacks, Interlock Ransomware, BlackSuit Ransomware, CISA AA23-347A 2026-05-13
Windows Disable Change Password Through Registry Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows AD Self DACL Assignment Windows icon Windows Event Log Security 5136 T1098 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
NLTest Domain Trust Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1482 TTP Medusa Ransomware, IcedID, Qakbot, Rhysida Ransomware, Storm-0501 Ransomware, Cleo File Transfer Software, Ryuk Ransomware, Active Directory Discovery, Domain Trust Discovery 2026-05-13
Windows Executable in Loaded Modules Windows icon Sysmon EventID 7 T1129 TTP Lokibot, NjRAT 2026-05-13
Windows Level RMM Watchdog Task Created Windows icon Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Linux Auditd Edit Cron Table Parameter Linux icon Linux Auditd Syscall T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Excessive Usage Of Net App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1531 Anomaly XMRig, Ransomware, Rhysida Ransomware, Prestige Ransomware, Azorult, Windows Post-Exploitation, Graceful Wipe Out Attack 2026-05-13
Linux Service Restarted Linux icon Sysmon for Linux EventID 1 T1053.006 Anomaly Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Linux Persistence Techniques 2026-05-13
ConnectWise ScreenConnect Path Traversal Windows SACL Windows icon Windows Event Log Security 4663 T1190 TTP ConnectWise ScreenConnect Vulnerabilities, Compromised Windows Host, Seashell Blizzard 2026-05-13
Linux Auditd Kernel Module Enumeration Linux icon Linux Auditd Syscall T1014 T1082 Anomaly XorDDos, Linux Rootkit, Compromised Linux Host 2026-05-13
Cisco NVM - Curl Execution With Insecure Flags Network icon Cisco Network Visibility Module Flow Data T1197 Anomaly PromptLock, Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics 2026-05-13
Windows Odbcconf Hunting Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.008 Hunting Living Off The Land 2026-05-13
Windows Mail Protocol In Non-Common Process Path Windows icon Sysmon EventID 3 T1071.003 Anomaly AgentTesla 2026-05-13
Network Connection Discovery With Arp Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1049 Hunting Interlock Ransomware, IcedID, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery 2026-05-13
Windows Computer Account Created by Computer Account Windows icon Windows Event Log Security 4741 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks 2026-05-13
Elevated Group Discovery With Wmic Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 TTP Active Directory Discovery 2026-05-13
Windows Cobalt Strike PowerShell Loader Windows icon Powershell Script Block Logging 4104 T1059.001 T1608 TTP Cobalt Strike 2026-05-13
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 TTP Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows System User Discovery Via Quser Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer 2026-05-13
Windows File Without Extension In Critical Folder Windows icon Sysmon EventID 11 T1485 TTP Data Destruction, Hermetic Wiper 2026-05-13
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 TTP DarkCrystal RAT, Compromised Windows Host 2026-05-13
Creation of lsass Dump with Taskmgr Windows icon Sysmon EventID 11 T1003.001 TTP Seashell Blizzard, Credential Dumping, Scattered Lapsus$ Hunters, Cactus Ransomware, CISA AA22-257A 2026-05-13
NET Profiler UAC bypass Windows icon Sysmon EventID 13 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Excessive Attempt To Disable Services Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1489 Anomaly Azorult, XMRig 2026-05-13
Disable UAC Remote Restriction Windows icon Sysmon EventID 13 T1548.002 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Shell Process from CrushFTP Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 T1059.003 T1190 T1505 TTP CrushFTP Vulnerabilities 2026-05-13
Windows Scheduled Task DLL Module Loaded Windows icon Sysmon EventID 7 T1053 TTP ValleyRAT 2026-05-13
Windows Default Group Policy Object Modified with GPME Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Detect Renamed WinRAR Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1560.001 Hunting China-Nexus Threat Activity, Salt Typhoon, Collection and Staging, CISA AA22-277A 2026-05-13
Windows AD Dangerous User ACL Modification Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Get ADUserResultantPasswordPolicy with Powershell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1201 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Windows Impair Defense Disable Win Defender Scan On Update Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Excessive File Deletion In WinDefender Folder Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1485 TTP WhisperGate, Data Destruction, BlackByte Ransomware 2026-05-13
WMIC XSL Execution via URL Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1220 TTP Suspicious WMI Use, Compromised Windows Host, Cisco Network Visibility Module Analytics 2026-05-13
Windows AD DSRM Account Changes Windows icon Sysmon EventID 13 T1098 TTP Windows Persistence Techniques, Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Access LSASS Memory for Dump Creation Windows icon Sysmon EventID 10 T1003.001 TTP CISA AA23-347A, Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, Cactus Ransomware 2026-05-13
Detect Outlook exe writing a zip file Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566.001 Anomaly Amadey, PXA Stealer, Remcos, Meduza Stealer, Spearphishing Attachments, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Disable Windows Event Logging Disable HTTP Logging Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1505.004 T1685.001 Anomaly IIS Components, Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows RDPClient Connection Sequence Events Windows icon Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 T1133 Anomaly Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux Install Kernel Module Using Modprobe Utility Linux icon Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Windows icon Windows Event Log Security 4698 T1053 TTP Water Gamayun, ValleyRAT 2026-05-13
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Modify Registry Regedit Silent Reg Import Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1112 Anomaly Azorult 2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Windows icon Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Windows Modify Registry With MD5 Reg Key Name Windows icon Sysmon EventID 13 T1112 TTP NjRAT 2026-05-13
7zip CommandLine To SMB Share Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1560.001 Hunting Ransomware 2026-05-13
Windows Process Execution From RDP Share Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux SSH Remote Services Script Execute Linux icon Sysmon for Linux EventID 1 T1021.004 TTP Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
Linux Decode Base64 to Shell Cisco Isovalent Process Exec, Linux icon Sysmon for Linux EventID 1 T1027 T1059.004 TTP Cisco Isovalent Suspicious Activity, Linux Living Off The Land 2026-05-13
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497.003 Anomaly Quasar RAT, WhisperGate, Data Destruction, Void Manticore, Gh0st RAT, Meduza Stealer, Warzone RAT, BlackByte Ransomware 2026-05-13
Windows Known Abused DLL Created Windows icon Sysmon EventID 11 T1574.001 Anomaly Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Malicious PowerShell Process - Encoded Command Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1027 Hunting WhisperGate, Data Destruction, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, CISA AA22-320A, GhostRedirector IIS Module and Rungan Backdoor, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Hermetic Wiper, DarkCrystal RAT, Volt Typhoon, NOBELIUM Group, Crypto Stealer, Microsoft SharePoint Vulnerabilities, Lumma Stealer, Scattered Spider 2026-05-13
Recursive Delete of Directory In Batch CMD Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070.004 TTP Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Event Triggered Image File Execution Options Injection Windows icon Windows Event Log Application 3000 T1546.012 Hunting Windows Persistence Techniques 2026-05-13
Excessive Usage Of Taskkill Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly XMRig, AgentTesla, CISA AA22-277A, BlankGrabber Stealer, CISA AA22-264A, Azorult, Crypto Stealer, NjRAT 2026-05-13
Windows Credentials in Registry Reg Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1552.002 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows AD Domain Replication ACL Addition Windows icon Windows Event Log Security 5136 T1484 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Scheduled Task with Suspicious Command Windows icon Windows Event Log Security 4698, Windows icon Windows Event Log Security 4702, Windows icon Windows Event Log Security 4700 T1053.005 TTP Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Seashell Blizzard, Ryuk Ransomware, Windows Persistence Techniques, APT37 Rustonotto and FadeStealer 2026-05-13
UAC Bypass MMC Load Unsigned Dll Windows icon Sysmon EventID 7 T1218.014 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Windows Increase in Group or Object Modification Activity Windows icon Windows Event Log Security 4663 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Ingress Tool Transfer Hunting Linux icon Sysmon for Linux EventID 1 T1105 Hunting Axios Supply Chain Post Compromise, NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land 2026-05-13
Linux Auditd Find Ssh Private Keys Linux icon Linux Auditd Execve T1552.004 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Firewall Rule Deletion Windows icon Windows Event Log Security 4948 T1686 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware 2026-05-13
Linux Auditd Disable Or Modify System Firewall Linux icon Linux Auditd Service Stop T1686 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Doas Tool Execution Linux icon Linux Auditd Syscall T1548.003 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Kerberos Local Successful Logon Windows icon Windows Event Log Security 4624 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Windows Replication Through Removable Media Windows icon Sysmon EventID 11 T1091 TTP Chaos Ransomware, Salt Typhoon, Derusbi, PlugX, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Process Creating LNK file in Suspicious Location Windows icon Sysmon EventID 11 T1566.002 Anomaly BlankGrabber Stealer, IcedID, Amadey, Gozi Malware, Qakbot, Spearphishing Attachments, APT37 Rustonotto and FadeStealer 2026-05-13
Linux Csvtool Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Cisco Secure Endpoint Unblock File Via Sfc Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows Vulnerable 3CX Software Windows icon Sysmon EventID 1 T1195.002 TTP 3CX Supply Chain Attack 2026-05-13
Rubeus Kerberos Ticket Exports Through Winlogon Access Windows icon Sysmon EventID 10 T1550.003 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper 2026-05-13
Web Servers Executing Suspicious Processes Windows icon Sysmon EventID 1 T1082 TTP Apache Struts Vulnerability 2026-05-13
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows Defender ASR Audit Events Windows icon Windows Event Log Defender 1126, Windows icon Windows Event Log Defender 1122, Windows icon Windows Event Log Defender 1132, Windows icon Windows Event Log Defender 1134, Windows icon Windows Event Log Defender 1125 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204.002 T1218 T1553.005 TTP MSIX Package Abuse 2026-05-13
Linux NOPASSWD Entry In Sudoers File Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Windows Service Create SliverC2 Windows icon Windows Event Log System 7045 T1569.002 TTP BishopFox Sliver Adversary Emulation Framework, Hellcat Ransomware, Compromised Windows Host 2026-05-13
Windows Event For Service Disabled Windows icon Windows Event Log System 7040 T1685 Hunting RedLine Stealer, Windows Defense Evasion Tactics 2026-05-13
System Info Gathering Using Dxdiag Application Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1592 Hunting Remcos 2026-05-13
Drop IcedID License dat Windows icon Sysmon EventID 11 T1204.002 Hunting IcedID 2026-05-13
Eventvwr UAC Bypass Windows icon Sysmon EventID 13 T1548.002 TTP IcedID, Windows Registry Abuse, Living Off The Land, Windows Defense Evasion Tactics, ValleyRAT 2026-05-13
Windows Suspicious File in EFI Volume Windows icon Sysmon EventID 11 T1490 T1542.001 TTP Sandworm Tools, Windows BootKits, BlackLotus Campaign 2026-05-13
Windows SIP Provider Inventory T1553.003 Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Windows Registry Payload Injection Windows icon Sysmon EventID 13 T1027.011 TTP Unusual Processes 2026-05-13
Windows NetSupport RMM DLL Loaded By Uncommon Process Windows icon Sysmon EventID 7 T1036 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Process Writing File to World Writable Path Windows icon Sysmon EventID 11 T1218.005 Hunting PathWiper, PHP-CGI RCE Attack on Japanese Organizations, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows Impair Defense Disable PUA Protection Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd File Permissions Modification Via Chattr Linux icon Linux Auditd Execve T1222.002 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows DLL Side-Loading In Calc Windows icon Sysmon EventID 7 T1574.001 TTP Earth Alux, Qakbot 2026-05-13
Windows AD GPO Deleted Windows icon Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Default Rdp File Unhidden Windows icon Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux File Creation In Init Boot Directory Linux icon Sysmon for Linux EventID 11 T1037.004 Anomaly Linux Privilege Escalation, Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Wermgr Process Spawned CMD Or Powershell Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 TTP Qakbot, Trickbot 2026-05-13
Linux Deletion Of Services Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, AwfulShred, Data Destruction, AcidRain 2026-05-13
Windows Curl Upload to Remote Destination Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1105 TTP PromptLock, Axios Supply Chain Post Compromise, Cisco Network Visibility Module Analytics, NPM Supply Chain Compromise, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Compromised Windows Host 2026-05-13
Windows Shell or Script Execution From IIS Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1190 T1505.004 Anomaly ProxyNotShell, ProxyShell 2026-05-13
Linux Persistence and Privilege Escalation Risk Behavior T1548 Correlation Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Print Processor Registry Autostart Windows icon Sysmon EventID 13 T1547.012 TTP Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
CrowdStrike Falcon Stream Alerts CrowdStrike Falcon Stream Alert N/A Anomaly Critical Alerts 2026-05-13
Linux Octave Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Disable Internet Explorer Addons Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1176.001 Anomaly Malicious Inno Setup Loader 2026-05-13
Disable ETW Through Registry Windows icon Sysmon EventID 13 T1685 TTP Ransomware, CISA AA23-347A, Windows Registry Abuse 2026-05-13
Windows Modify Registry No Auto Update Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer, CISA AA23-347A 2026-05-13
Windows XLL File Creation Outside of Typical Location Windows icon Sysmon EventID 11 T1059 T1129 Anomaly Spearphishing Attachments 2026-05-13
Network Connection Discovery With Netstat Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1049 Hunting CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, PlugX, Active Directory Discovery 2026-05-13
Windows Office Product Dropped Cab or Inf File Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566.001 TTP Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Detect Password Spray Attack Behavior From Source Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4625 T1110.003 TTP Compromised User Account 2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser Network icon Cisco Network Visibility Module Flow Data T1059 T1105 TTP BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
Detect Regsvcs Spawning a Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.009 TTP Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
Winhlp32 Spawning a Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP Compromised Windows Host, Remcos 2026-05-13
Get DomainPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 TTP Active Directory Discovery 2026-05-13
Crowdstrike Admin With Duplicate Password T1110 TTP Compromised Windows Host 2026-05-13
SearchProtocolHost with no Command Line with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows Local LLM Framework Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574 Anomaly Windows Persistence Techniques 2026-05-13
Windows Defender ASR Registry Modification Windows icon Windows Event Log Defender 5007 T1112 Hunting Windows Attack Surface Reduction 2026-05-13
Windows Chrome Extension Allowed Registry Modification Windows icon Sysmon EventID 13 T1185 Anomaly Browser Hijacking 2026-05-13
Windows Developer-Signed MSIX Package Installation Windows icon Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 Anomaly MSIX Package Abuse 2026-05-13
Get-DomainTrust with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1482 TTP Active Directory Discovery 2026-05-13
Linux Deletion of SSL Certificate Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidPour, AcidRain 2026-05-13
Windows Get-AdComputer Unconstrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, Medusa Ransomware 2026-05-13
Windows SnappyBee Create Test Registry Windows icon Sysmon EventID 13 T1112 TTP China-Nexus Threat Activity, Salt Typhoon, SnappyBee 2026-05-13
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Windows icon Windows Event Log Security 4738 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2026-05-13
Windows LSA Secrets NoLMhash Registry Windows icon Sysmon EventID 13 T1003.004 TTP Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
MacOS LOLbin Osquery Results T1059.004 TTP Axios Supply Chain Post Compromise, Hellcat Ransomware, Living Off The Land 2026-05-13
Suspicious Kerberos Service Ticket Request Windows icon Windows Event Log Security 4769 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Get ADUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 Hunting Active Directory Discovery, CISA AA23-347A 2026-05-13
Linux Emacs Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Auditd Service Stop Linux icon Linux Auditd Service Stop T1489 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Suspicious Regsvr32 Register Suspicious Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.010 TTP Salt Typhoon, IcedID, Qakbot, Living Off The Land, Derusbi, China-Nexus Threat Activity, Suspicious Regsvr32 Activity 2026-05-13
Windows New InProcServer32 Added Windows icon Sysmon EventID 13 T1112 Hunting Hellcat Ransomware, Outlook RCE CVE-2024-21378 2026-05-13
Windows Credentials from Password Stores Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1555 Anomaly Prestige Ransomware, DarkGate Malware, NetSupport RMM Tool Abuse, Windows Post-Exploitation 2026-05-13
Windows AD Dangerous Group ACL Modification Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows UAC Bypass Suspicious Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1548.002 TTP Living Off The Land, Castle RAT, Windows Defense Evasion Tactics 2026-05-13
Detect Path Interception By Creation Of program exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574.009 TTP Windows Persistence Techniques, Scattered Lapsus$ Hunters 2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1201 Hunting Active Directory Discovery 2026-05-13
Windows Execute Arbitrary Commands with MSDT Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host 2026-05-13
Detect Credential Dumping through LSASS access Windows icon Sysmon EventID 10 T1003.001 TTP BlackSuit Ransomware, CISA AA23-347A, Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, Detect Zerologon Attack 2026-05-13
Linux Auditd Setuid Using Setcap Utility Linux icon Linux Auditd Execve T1548.001 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows RDP Server Registry Entry Created Windows icon Sysmon EventID 13 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Remote Create Service Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543.003 Anomaly CISA AA23-347A, BlackSuit Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Guest Account Enabled Via Net.EXE Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1078.001 Anomaly Windows Persistence Techniques 2026-05-13
File Download or Read to Pipe Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Linux icon Sysmon for Linux EventID 1 T1105 TTP NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host, Linux Living Off The Land, Log4Shell CVE-2021-44228 2026-05-13
Windows Known Abused DLL Loaded Suspiciously Windows icon Sysmon EventID 7 T1574.001 TTP Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 Anomaly Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows LAPS Password Gathering Via PowerShell Script Windows icon Powershell Script Block Logging 4104 T1003 T1552 Anomaly Credential Dumping, Active Directory Privilege Escalation 2026-05-13
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Windows icon Sysmon EventID 10 T1134.001 Anomaly Brute Ratel C4, PathWiper 2026-05-13
Linux Make Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Database File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows PowerView AD Access Control List Enumeration Windows icon Powershell Script Block Logging 4104 T1069 T1078.002 TTP Active Directory Discovery, Rhysida Ransomware, Active Directory Privilege Escalation 2026-05-13
Windows RDP Client Launched with Admin Session Windows icon Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Findstr GPP Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1552.006 TTP Active Directory Privilege Escalation 2026-05-13
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Windows AD Same Domain SID History Addition Windows icon Windows Event Log Security 4742, Windows icon Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Compromised Windows Host 2026-05-13
Recon AVProduct Through Pwh or WMI Windows icon Powershell Script Block Logging 4104 T1592 TTP Quasar RAT, Malicious PowerShell, Data Destruction, MoonPeak, Ransomware, Qakbot, Hermetic Wiper, XWorm, Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Privileged Group Modification Windows icon Windows Event Log Security 4749, Windows icon Windows Event Log Security 4744, Windows icon Windows Event Log Security 4783, Windows icon Windows Event Log Security 4756, Windows icon Windows Event Log Security 4790, Windows icon Windows Event Log Security 4754, Windows icon Windows Event Log Security 4759, Windows icon Windows Event Log Security 4727, Windows icon Windows Event Log Security 4731 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters 2026-05-13
Process Execution via WMI Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 TTP Suspicious WMI Use 2026-05-13
Windows System User Privilege Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting CISA AA23-347A 2026-05-13
Windows SubInAcl Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows File Share Discovery With Powerview Windows icon Powershell Script Block Logging 4104 T1135 TTP Active Directory Discovery, Active Directory Privilege Escalation 2026-05-13
Linux Auditd Possible Access Or Modification Of Sshd Config File Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1098.004 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Change File Association Command To Notepad Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1546.001 TTP Prestige Ransomware, Compromised Windows Host 2026-05-13
Windows MSExchange Management Mailbox Cmdlet Usage T1059.001 Anomaly ProxyNotShell, ProxyShell, BlackByte Ransomware, Scattered Spider 2026-05-13
Windows Linked Policies In ADSI Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2026-05-13
Windows Impair Defense Disable Win Defender Compute File Hashes Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Change Win Defender Quick Scan Interval Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Multiple Accounts Deleted Windows icon Windows Event Log Security 4726 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Rubeus Command Line Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1550.003 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, ZOVWiper 2026-05-13
Disabling Defender Services Windows icon Sysmon EventID 13 T1685 TTP IcedID, Windows Registry Abuse, RedLine Stealer 2026-05-13
Windows Time Based Evasion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497.003 TTP BlankGrabber Stealer, NjRAT 2026-05-13
MacOS plutil Osquery Results T1647 TTP Living Off The Land 2026-05-13
Windows System Binary Proxy Execution Compiled HTML File Decompile Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.001 TTP APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity, Living Off The Land 2026-05-13
Windows PowerSploit GPP Discovery Windows icon Powershell Script Block Logging 4104 T1552.006 TTP Active Directory Privilege Escalation 2026-05-13
Cisco NVM - Suspicious Network Connection From Process With No Args Network icon Cisco Network Visibility Module Flow Data T1055 T1218 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Service Deletion In Registry Windows icon Sysmon EventID 13 T1489 Anomaly Brute Ratel C4, Crypto Stealer, PlugX 2026-05-13
Windows Input Capture Using Credential UI Dll Windows icon Sysmon EventID 7 T1056.002 Hunting Brute Ratel C4, APT37 Rustonotto and FadeStealer 2026-05-13
Get-ForestTrust with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1059.001 T1482 TTP Active Directory Discovery 2026-05-13
Windows Wmic Systeminfo Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 Anomaly LAMEHUG, BlankGrabber Stealer, Lotus Blossom Chrysalis Backdoor 2026-05-13
Linux Find Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Chromium Process with Disabled Extensions Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 Anomaly Browser Hijacking 2026-05-13
Windows System Discovery Using ldap Nslookup Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Anomaly Qakbot 2026-05-13
Windows Modify Registry ProxyServer Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Linux Disable Services Linux icon Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2026-05-13
Windows IIS Components Add New Module Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1505.004 Anomaly IIS Components, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Unusually Long Command Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 N/A Anomaly Suspicious Command-Line Executions, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Unusual Processes 2026-05-13
Windows .Key File Creation in Root Directory Windows icon Sysmon EventID 11 T1486 Anomaly Ransomware 2026-05-13
Create or delete windows shares using net exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070.005 TTP CISA AA22-277A, Hidden Cobra Malware, Prestige Ransomware, DarkGate Malware, Windows Post-Exploitation 2026-05-13
Windows Registry Delete Task SD Windows icon Sysmon EventID 12 T1053.005 T1685 Anomaly Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks 2026-05-13
Excessive number of taskhost processes Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 Anomaly Meterpreter 2026-05-13
Conti Common Exec parameter Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204 TTP Ransomware, Hellcat Ransomware, Compromised Windows Host 2026-05-13
Windows Bluetooth Service Installed From Uncommon Location Windows icon Windows Event Log System 7045 T1036 T1543.003 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
Get-DomainTrust with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1482 TTP Active Directory Discovery 2026-05-13
Disable Registry Tool Windows icon Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Outlook LoadMacroProviderOnBoot Persistence Windows icon Sysmon EventID 13 T1112 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Linux Shred Overwrite Command Linux icon Sysmon for Linux EventID 1 T1485 TTP Linux Privilege Escalation, Data Destruction, AwfulShred, Industroyer2, Linux Persistence Techniques 2026-05-13
Windows Impair Defense Disable Win Defender Network Protection Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, BlankGrabber Stealer, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Detect Copy of ShadowCopy with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1003.002 TTP Credential Dumping, VanHelsing Ransomware 2026-05-13
Process Deleting Its Process File Path Windows icon Sysmon EventID 1 T1070 TTP WhisperGate, Data Destruction, Remcos, Clop Ransomware 2026-05-13
Schtasks used for forcing a reboot Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 TTP Ransomware, Windows Persistence Techniques, Scheduled Tasks 2026-05-13
Windows Exfiltration Over C2 Via Powershell UploadString Windows icon Powershell Script Block Logging 4104 T1041 TTP APT37 Rustonotto and FadeStealer, Winter Vivern 2026-05-13
Windows PowerShell Script Block With Malicious String Windows icon Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell 2026-05-13
Crowdstrike Admin Weak Password Policy T1110 TTP Compromised Windows Host 2026-05-13
Windows Outlook Macro Security Modified Windows icon Sysmon EventID 13 T1008 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Routing and Remote Access Service Registry Key Change Windows icon Sysmon EventID 13 T1112 Anomaly Gh0st RAT 2026-05-13
Windows Compatibility Telemetry Tampering Through Registry Windows icon Sysmon EventID 13 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Windows Steal Authentication Certificates Export PfxCertificate Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Remote Services Allow Rdp In Firewall Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.001 Anomaly Azorult, Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Find Domain Organizational Units with GetDomainOU Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows Steal Authentication Certificates - ESC1 Authentication Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4887 T1550 T1649 TTP Windows Certificate Services, Compromised Windows Host 2026-05-13
Windows Anonymous Pipe Activity Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1559 Hunting Castle RAT, Salt Typhoon, SnappyBee, China-Nexus Threat Activity, Interlock Rat 2026-05-13
Linux Auditd Change File Owner To Root Linux icon Linux Auditd Proctitle T1222.002 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Unusual NTLM Authentication Users By Destination Windows icon NTLM Operational 8006, Windows icon NTLM Operational 8005, Windows icon NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Windows Find Interesting ACL with FindInterestingDomainAcl Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows Cached Domain Credentials Reg Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.005 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Linux Auditd Sudo Or Su Execution Linux icon Linux Auditd Proctitle T1548.003 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Exchange PowerShell Abuse via SSRF T1133 T1190 TTP Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware 2026-05-13
Windows Unusual Count Of Users Failed To Authenticate From Process Windows icon Windows Event Log Security 4625 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Detect Prohibited Applications Spawning cmd exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 Hunting Suspicious Command-Line Executions, NOBELIUM Group, Suspicious MSHTA Activity, Suspicious Zoom Child Processes 2026-05-13
Windows Ldifde Directory Object Behavior Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 T1105 TTP Volt Typhoon 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.003 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows Process Executed From Removable Media Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 1 T1025 T1091 T1200 Anomaly Data Protection, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Phishing Recent ISO Exec Registry Windows icon Sysmon EventID 13 T1566.001 Hunting AgentTesla, IcedID, Gozi Malware, Qakbot, Azorult, Remcos, Brute Ratel C4, Warzone RAT 2026-05-13
MacOS LoginHook Persistence Osquery Results T1037.002 TTP MacOS Post-Exploitation 2026-05-13
Disabling FolderOptions Windows Feature Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Rundll32 Load DLL in Temp Dir Windows icon Sysmon EventID 1 T1218.011 Anomaly Interlock Rat 2026-05-13
Linux Impair Defenses Process Kill Linux icon Sysmon for Linux EventID 1 T1685 Hunting AwfulShred, Data Destruction, Scattered Lapsus$ Hunters 2026-05-13
Remote System Discovery with Adsisearcher Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Linux Change File Owner To Root Linux icon Sysmon for Linux EventID 1 T1222.002 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux pkexec Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1068 TTP Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Network Connection From Program In Suspect Location Windows icon Sysmon EventID 3 T1011 Anomaly Compromised Windows Host 2026-05-13
Detect mshta renamed Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.005 Hunting APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Windows Service Create Kernel Mode Driver Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1068 T1543.003 TTP Windows Drivers, CISA AA22-320A 2026-05-13
Windows Remote Image Load Windows icon Sysmon EventID 7 T1059 T1068 T1129 T1203 Anomaly Ransomware, LockBit Ransomware, BlackByte Ransomware 2026-05-13
Windows SQL Server Configuration Option Hunt Windows icon Windows Event Log Application 15457 T1505.001 Hunting SQL Server Abuse 2026-05-13
Remote System Discovery with Wmic Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 TTP Active Directory Discovery 2026-05-13
Windows Suspicious Named Pipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1021.002 T1055 T1559 TTP Cobalt Strike, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, APT37 Rustonotto and FadeStealer, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Remote System Discovery with Dsquery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Linux Auditd Insert Kernel Module Using Insmod Utility Linux icon Linux Auditd Syscall T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, XorDDos, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Mmc LOLBAS Execution Process Spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.003 T1218.014 TTP Water Gamayun, Living Off The Land, XML Runner Loader, Active Directory Lateral Movement 2026-05-13
Potential Telegram API Request Via CommandLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1041 T1102.002 Anomaly XMRig, BlankGrabber Stealer, Water Gamayun, 0bj3ctivity Stealer, Hellcat Ransomware 2026-05-13
Wbemprox COM Object Execution Windows icon Sysmon EventID 7 T1218.003 TTP Ransomware, LockBit Ransomware, Revil Ransomware 2026-05-13
Linux Common Process For Elevation Control Linux icon Sysmon for Linux EventID 1 T1548.001 Hunting Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, Linux Living Off The Land, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Windows Indirect Command Execution Via pcalua CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1202 TTP Living Off The Land 2026-05-13
Detect Computer Changed with Anonymous Account Windows icon Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2026-05-13
Windows SharePoint Spinstall0 Webshell File Creation Windows icon Sysmon EventID 11 T1190 T1505.003 TTP Microsoft SharePoint Vulnerabilities 2026-05-13
Disable Schedule Task Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly IcedID, Living Off The Land 2026-05-13
Linux Auditd Copy Fail Privilege Escalation Linux icon Linux Auditd Syscall T1068 TTP Linux Privilege Escalation 2026-05-13
Linux Indicator Removal Service File Deletion Linux icon Sysmon for Linux EventID 1 T1070.004 Anomaly AwfulShred, Data Destruction 2026-05-13
GetWmiObject Ds Group with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 Anomaly Active Directory Discovery 2026-05-13
RunDLL Loading DLL By Ordinal Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP IcedID, Suspicious Rundll32 Activity, Living Off The Land, Unusual Processes 2026-05-13
Windows Credential Dumping LSASS Memory Createdump Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.001 TTP Credential Dumping, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Suspicious WAV file in Appdata Folder Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1113 TTP Remcos 2026-05-13
Randomly Generated Scheduled Task Name Windows icon Windows Event Log Security 4698 T1053.005 Hunting 0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement 2026-05-13
Linux Sudoers Tmp File Creation Linux icon Sysmon for Linux EventID 11 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
WinRAR Spawning Shell Application Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1105 TTP WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host 2026-05-13
Windows Query Registry UnInstall Program List Windows icon Windows Event Log Security 4663 T1012 Anomaly RedLine Stealer, StealC Stealer, Meduza Stealer 2026-05-13
Suspicious writes to windows Recycle Bin Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1036 TTP Collection and Staging, PlugX 2026-05-13
Delete ShadowCopy With PowerShell Windows icon Powershell Script Block Logging 4104 T1490 TTP Ransomware, DarkSide Ransomware, DarkGate Malware, VanHelsing Ransomware, Cactus Ransomware, Revil Ransomware 2026-05-13
Linux Adding Crontab Using List Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Industroyer2, Gomir, Linux Persistence Techniques 2026-05-13
Windows Modify Registry Qakbot Binary Data Registry Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 1 T1112 Anomaly Qakbot 2026-05-13
Windows Get-Variable.EXE Execution from WindowsApps Folder Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574.008 Anomaly Windows Persistence Techniques 2026-05-13
PowerShell WebRequest Using Memory Stream Windows icon Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP PHP-CGI RCE Attack on Japanese Organizations, Malicious PowerShell, MoonPeak, Medusa Ransomware 2026-05-13
Windows Scheduled Task Created in a Group Policy Object Windows icon Windows Event Log Security 5145 T1053.005 T1484.001 TTP Scheduled Tasks, Windows Persistence Techniques, Living Off The Land 2026-05-13
Windows Mshta Execution In Registry Windows icon Sysmon EventID 13 T1218.005 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques 2026-05-13
Windows Apache Benchmark Binary Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 Anomaly MetaSploit 2026-05-13
Windows Registry Entries Restored Via Reg Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1012 Hunting Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows WinRAR Launched Outside Default Installation Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 Anomaly BlankGrabber Stealer 2026-05-13
Windows AdFind Exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 TTP BlackSuit Ransomware, IcedID, Domain Trust Discovery, NOBELIUM Group, Graceful Wipe Out Attack 2026-05-13
Ntdsutil Export NTDS Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.003 TTP HAFNIUM Group, Rhysida Ransomware, Living Off The Land, Prestige Ransomware, Credential Dumping, Volt Typhoon, NetSupport RMM Tool Abuse 2026-05-13
Download Files Using Telegram Windows icon Sysmon EventID 15 T1105 TTP XMRig, Water Gamayun, Snake Keylogger, Crypto Stealer, 0bj3ctivity Stealer, Phemedrone Stealer 2026-05-13
LLM Model File Creation Windows icon Sysmon EventID 11 T1543 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Get Local Admin with FindLocalAdminAccess Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Linux Suspicious React or Next.js Child Process Linux icon Sysmon for Linux EventID 1 T1059.004 T1190 TTP React2Shell 2026-05-13
Windows Process Injection into Notepad Windows icon Sysmon EventID 10 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer 2026-05-13
Disabling ControlPanel Windows icon Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry AuthenticationLevelOverride Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows Network Connection Discovery Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1049 Hunting Azorult, Active Directory Discovery, Windows Post-Exploitation, Prestige Ransomware 2026-05-13
Windows Files and Dirs Access Rights Modification Via Icacls Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222.001 Anomaly Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Powershell Fileless Process Injection via GetProcAddress Windows icon Powershell Script Block Logging 4104 T1055 T1059.001 TTP Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction 2026-05-13
Schtasks Run Task On Demand Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053 Anomaly XMRig, Data Destruction, Medusa Ransomware, Scheduled Tasks, Qakbot, Industroyer2, CISA AA22-257A 2026-05-13
Linux Deletion Of Init Daemon Script Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, Data Destruction, AcidRain 2026-05-13
Windows Unsigned DLL Side-Loading In Same Process Path Windows icon Sysmon EventID 7 T1574.001 TTP Salt Typhoon, SolarWinds WHD RCE Post Exploitation, NailaoLocker Ransomware, XWorm, Lokibot, DarkGate Malware, Derusbi, PlugX, China-Nexus Threat Activity, Malicious Inno Setup Loader, SnappyBee 2026-05-13
Shim Database File Creation Windows icon Sysmon EventID 11 T1546.011 TTP Windows Persistence Techniques 2026-05-13
Windows Security And Backup Services Stop Windows icon Windows Event Log System 7036 T1490 TTP LockBit Ransomware, Ransomware, Termite Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters, BlackMatter Ransomware, Hellcat Ransomware 2026-05-13
Windows Mark Of The Web Bypass Windows icon Sysmon EventID 23 T1553.005 TTP Quasar RAT, Warzone RAT 2026-05-13
Windows Potential AppDomainManager Hijack Artifacts Creation Windows icon Sysmon EventID 11 T1574.014 Anomaly SesameOp 2026-05-13
Linux Puppet Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Setuid Using Chmod Utility Linux icon Linux Auditd Proctitle T1548.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Domain Group Discovery With Dsquery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Linux Possible Access To Sudoers File Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
GetDomainController with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 Hunting Active Directory Discovery 2026-05-13
Windows Service Initiation on Remote Endpoint Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543.003 TTP CISA AA23-347A, Active Directory Lateral Movement 2026-05-13
Domain Account Discovery with Wmic Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.002 TTP Active Directory Discovery, Interlock Ransomware 2026-05-13
Suspicious Rundll32 no Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP Cobalt Strike, BlackByte Ransomware, Hellcat Ransomware, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity, Graceful Wipe Out Attack 2026-05-13
Windows RDP Login Session Was Established Windows icon Windows Event Log Security 4624 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters 2026-05-13
Detect Regsvcs with Network Connection Windows icon Sysmon EventID 3 T1218.009 TTP Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
Allow Inbound Traffic By Firewall Rule Registry Windows icon Sysmon EventID 13 T1021.001 TTP Medusa Ransomware, Windows Registry Abuse, Azorult, Prohibited Traffic Allowed or Protocol Mismatch, PlugX, NjRAT 2026-05-13
Windows Disable Memory Crash Dump Windows icon Sysmon EventID 13 T1485 TTP Ransomware, Data Destruction, Hermetic Wiper, Windows Registry Abuse 2026-05-13
Time Provider Persistence Registry Windows icon Sysmon EventID 13 T1547.003 TTP Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Domain Group Discovery with Adsisearcher Windows icon Powershell Script Block Logging 4104 T1069.002 TTP Active Directory Discovery, Scattered Lapsus$ Hunters 2026-05-13
Windows Svchost.exe Parent Process Anomaly Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1036.009 Anomaly China-Nexus Threat Activity, SnappyBee 2026-05-13
User Discovery With Env Vars PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2026-05-13
Windows DLL Side-Loading Process Child Of Calc Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574.001 Anomaly Earth Alux, Qakbot 2026-05-13
Windows Regsvr32 Renamed Binary Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.010 TTP Compromised Windows Host, Qakbot 2026-05-13
PowerShell Enable PowerShell Remoting Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Malicious PowerShell 2026-05-13
Enable WDigest UseLogonCredential Registry Windows icon Sysmon EventID 13 T1003 T1112 TTP Credential Dumping, CISA AA22-320A, Windows Registry Abuse 2026-05-13
Detect Renamed 7-Zip Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1560.001 Hunting Collection and Staging, Malicious Inno Setup Loader 2026-05-13
Jscript Execution Using Cscript App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.007 TTP Remcos, FIN7 2026-05-13
Windows Gdrive Binary Activity Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1567 TTP China-Nexus Threat Activity 2026-05-13
GetDomainComputer with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 TTP Active Directory Discovery 2026-05-13
Windows System Reboot CommandLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1529 Hunting Quasar RAT, MuddyWater, MoonPeak, XWorm, DarkGate Malware, DarkCrystal RAT, Scattered Lapsus$ Hunters, NjRAT 2026-05-13
Spoolsv Writing a DLL Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Enable PowerShell Web Access Windows icon Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell, CISA AA24-241A 2026-05-13
WMI Recon Running Process Or Services Windows icon Powershell Script Block Logging 4104 T1592 Anomaly Malicious PowerShell, Data Destruction, Hermetic Wiper 2026-05-13
Suspicious Rundll32 PluginInit Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP IcedID 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation Log4Shell CVE-2021-44228, CISA AA22-320A 2026-05-13
Linux Auditd Preload Hijack Via Preload File Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1574.006 TTP Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Registry Dotnet ETW Disabled Via ENV Variable Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Deny Security Software With Applocker Windows icon Sysmon EventID 13 T1685 TTP Azorult, Scattered Lapsus$ Hunters 2026-05-13
Windows Sensitive Registry Hive Dump Via CommandLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.002 TTP Data Destruction, CISA AA23-347A, Windows Registry Abuse, Seashell Blizzard, DarkSide Ransomware, Credential Dumping, Volt Typhoon, Compromised Windows Host, Industroyer2, CISA AA22-257A 2026-05-13
Windows Enable Win32 ScheduledJob via Registry Windows icon Sysmon EventID 13 T1053.005 Anomaly Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows List ENV Variables Via SET Command From Uncommon Parent Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 Anomaly Qakbot 2026-05-13
Windows Disable LogOff Button Through Registry Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2026-05-13
Windows WinLogon with Public Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1542.003 Hunting BlackLotus Campaign 2026-05-13
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Windows icon Windows Event Log Security 4768 T1110.003 TTP Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Special Privileged Logon On Multiple Hosts Windows icon Windows Event Log Security 4672 T1021.002 T1087 T1135 TTP Compromised Windows Host, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows File Download Via CertUtil Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1105 TTP Cisco Network Visibility Module Analytics, CISA AA22-277A, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, Compromised Windows Host, ProxyNotShell 2026-05-13
Windows SQLCMD Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 Hunting SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Time Based Evasion via Choice Exec Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497.003 Anomaly Snake Keylogger, 0bj3ctivity Stealer, VIP Keylogger 2026-05-13
WBAdmin Delete System Backups Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Chaos Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Ryuk Ransomware, Storm-0501 Ransomware 2026-05-13
CertUtil With Decode Argument Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1140 TTP Deobfuscate-Decode Files or Information, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows AD Hidden OU Creation Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Disable Lock Workstation Feature Through Registry Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Linux Possible Cronjob Modification With Editor Linux icon Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows New Default File Association Value Set Windows icon Sysmon EventID 13 T1546.001 Hunting Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Prestige Ransomware, Windows Persistence Techniques 2026-05-13
Windows PowerShell Export PfxCertificate Windows icon Powershell Script Block Logging 4104 T1552.004 T1649 Anomaly Water Gamayun, Windows Certificate Services, Scattered Lapsus$ Hunters 2026-05-13
Linux Auditd Unix Shell Configuration Modification Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1546.004 TTP Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Detect HTML Help URL in Command Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1218.001 TTP Cisco Network Visibility Module Analytics, Suspicious Compiled HTML Activity, Living Off The Land, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Scheduled Task with Suspicious Name Windows icon Windows Event Log Security 4698, Windows icon Windows Event Log Security 4702, Windows icon Windows Event Log Security 4700 T1053.005 TTP Scheduled Tasks, Ransomware, Ryuk Ransomware, Windows Persistence Techniques, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT 2026-05-13
Linux System Network Discovery Osquery Results, Linux icon Sysmon for Linux EventID 1 T1016 Anomaly Data Destruction, VoidLink Cloud-Native Linux Malware, Network Discovery, Industroyer2 2026-05-13
Suspicious GPUpdate no Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows AD Privileged Account SID History Addition Windows icon Windows Event Log Security 4742, Windows icon Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows SpeechRuntime Suspicious Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.003 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Crowdstrike Multiple LOW Severity Alerts T1110 Anomaly Compromised Windows Host 2026-05-13
Uninstall App Using MsiExec Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.007 TTP Ransomware 2026-05-13
Windows Curl Download to Suspicious Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1105 TTP Black Basta Ransomware, Salt Typhoon, Cisco Network Visibility Module Analytics, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, IcedID, NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Impair Defense Change Win Defender Throttle Rate Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
ServicePrincipalNames Discovery with SetSPN Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1558.003 TTP Active Directory Discovery, Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Kerberos Attacks 2026-05-13
Windows Impair Defense Disable Defender Protocol Recognition Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
XMRIG Driver Loaded Windows icon Sysmon EventID 6 T1543.003 TTP XMRig, Crypto Stealer, CISA AA22-320A 2026-05-13
Windows Wmic DiskDrive Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection Network icon Cisco Network Visibility Module Flow Data T1036 T1055 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows AD Replication Request Initiated by User Account Windows icon Windows Event Log Security 4662, Windows icon Windows Event Log Security 4624 T1003.006 TTP Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Web or Application Server Spawning a Shell Windows icon Sysmon EventID 1, Linux icon Sysmon for Linux EventID 1 T1133 T1190 TTP HAFNIUM Group, Flax Typhoon, Cleo File Transfer Software, WS FTP Server Critical Vulnerabilities, Log4Shell CVE-2021-44228, CISA AA22-257A, BlackByte Ransomware, Data Destruction, ProxyShell, Spring4Shell CVE-2022-22965, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, CISA AA22-264A, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, SAP NetWeaver Exploitation, Microsoft SharePoint Vulnerabilities 2026-05-13
Windows Outlook WebView Registry Modification Windows icon Sysmon EventID 13 T1112 Anomaly Suspicious Windows Registry Activities 2026-05-13
Windows AD ServicePrincipalName Added To Domain Account Windows icon Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Docker Shell Execution Linux icon Sysmon for Linux EventID 1 T1059.013 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Impair Defense Disable Defender Firewall And Network Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Windows Privilege Escalation Attempt Via MSI Rollback Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1068 TTP Windows Privilege Escalation 2026-05-13
MOVEit Certificate Store Access Failure T1190 Hunting MOVEit Transfer Authentication Bypass 2026-05-13
Windows Archive Collected Data via Powershell Windows icon Powershell Script Block Logging 4104 T1560 Anomaly CISA AA23-347A, APT37 Rustonotto and FadeStealer 2026-05-13
Windows PowerView Constrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Linux Auditd Kernel Module Using Rmmod Utility Linux icon Linux Auditd Syscall T1547.006 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Auditd Daemon Shutdown Linux icon Linux Auditd Daemon End T1685.004 Anomaly Compromised Linux Host 2026-05-13
Unusual Number of Kerberos Service Tickets Requested Windows icon Windows Event Log Security 4769 T1558.003 Anomaly Active Directory Kerberos Attacks 2026-05-13
Windows Cmdline Tool Execution From Non-Shell Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.007 Anomaly Gh0st RAT, BlankGrabber Stealer, CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, FIN7, Water Gamayun, Gozi Malware, SolarWinds WHD RCE Post Exploitation, Qakbot, Rhysida Ransomware, DarkGate Malware, Tuoni, Volt Typhoon 2026-05-13
Windows Office Product Spawned Uncommon Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 TTP MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, AgentTesla, FIN7, Trickbot, IcedID, Qakbot, CVE-2023-21716 Word RTF Heap Corruption, Azorult, DarkCrystal RAT, Compromised Windows Host, Remcos, PlugX, Spearphishing Attachments, Warzone RAT, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Windows Domain Admin Impersonation Indicator Windows icon Windows Event Log Security 4627 T1558 TTP Active Directory Kerberos Attacks, Gozi Malware, Compromised Windows Host, Active Directory Privilege Escalation 2026-05-13
Disabling Remote User Account Control Windows icon Sysmon EventID 13 T1548.002 TTP AgentTesla, Windows Registry Abuse, Suspicious Windows Registry Activities, Azorult, Remcos, Windows Defense Evasion Tactics 2026-05-13
System Information Discovery Detection Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 TTP Interlock Ransomware, BlackSuit Ransomware, BlankGrabber Stealer, SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Gozi Malware, Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, NetSupport RMM Tool Abuse, LAMEHUG, Windows Discovery Techniques 2026-05-13
GetDomainGroup with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069.002 TTP Active Directory Discovery 2026-05-13
Windows PowerShell Invoke-RestMethod IP Information Collection Windows icon Powershell Script Block Logging 4104 T1016 T1059.001 T1082 Anomaly Water Gamayun 2026-05-13
Windows EFI Bootloader File Modification Windows icon Sysmon EventID 11 T1542.003 TTP Windows BootKits 2026-05-13
Windows Identify PowerShell Web Access IIS Pool Windows icon Windows Event Log Security 4648 T1190 Hunting CISA AA24-241A 2026-05-13
Mimikatz PassTheTicket CommandLine Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1550.003 TTP Active Directory Kerberos Attacks, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Scattered Lapsus$ Hunters 2026-05-13
Unloading AMSI via Reflection Windows icon Powershell Script Block Logging 4104 T1059.001 T1685 TTP Malicious PowerShell, Data Destruction, Hermetic Wiper 2026-05-13
ConnectWise ScreenConnect Path Traversal Windows icon Sysmon EventID 11 T1190 TTP ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard 2026-05-13
Windows Chromium Browser Launched with Small Window Size Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1497 TTP Browser Hijacking 2026-05-13
Windows Steal Authentication Certificates CryptoAPI Windows icon Windows Event Log CAPI2 70 T1649 Anomaly Windows Certificate Services, Hellcat Ransomware 2026-05-13
Windows DISM Install PowerShell Web Access Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1548.002 TTP CISA AA24-241A 2026-05-13
Rundll32 Shimcache Flush Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1112 TTP Compromised Windows Host, Living Off The Land, Unusual Processes 2026-05-13
First Time Seen Running Windows Service Windows icon Windows Event Log System 7036 T1569.002 Anomaly NOBELIUM Group, Windows Service Abuse, Orangeworm Attack Group 2026-05-13
Kerberos User Enumeration Windows icon Windows Event Log Security 4768 T1589.002 Anomaly Active Directory Kerberos Attacks 2026-05-13
Windows BootLoader Inventory T1542.001 Hunting Windows BootKits, BlackLotus Campaign 2026-05-13
Excessive Usage Of SC Service Utility Windows icon Sysmon EventID 1 T1569.002 Anomaly Azorult, Ransomware, Crypto Stealer 2026-05-13
Rundll32 with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.011 TTP Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, PrintNightmare CVE-2021-34527, Compromised Windows Host, Cactus Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack 2026-05-13
Windows Cisco Secure Endpoint Related Service Stopped Windows icon Windows Event Log System 7036 T1490 Anomaly Hellcat Ransomware, Scattered Lapsus$ Hunters, Security Solution Tampering 2026-05-13
Cisco NVM - Suspicious Network Connection Initiated via MsXsl Network icon Cisco Network Visibility Module Flow Data T1220 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows AppX Deployment Package Installation Success Windows icon Windows Event Log AppXDeployment-Server 854 T1204.002 Anomaly MSIX Package Abuse 2026-05-13
Windows New EventLog ChannelAccess Registry Value Set Windows icon Sysmon EventID 13 T1685.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware 2026-05-13
Windows LOLBAS Executed As Renamed File Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 T1218.011 TTP Masquerading - Rename System Utilities, Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Export Certificate Windows icon Windows Event Log CertificateServicesClient 1007 T1552.004 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Snake Malware File Modification Crmlog Windows icon Sysmon EventID 11 T1027 TTP Snake Malware 2026-05-13
Windows Modify Registry UpdateServiceUrlAlternate Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows WPDBusEnum Registry Key Modification Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1025 T1091 T1200 Anomaly Data Protection, APT37 Rustonotto and FadeStealer 2026-05-13
DNS Exfiltration Using Nslookup App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1048 TTP Data Exfiltration, Command And Control, Compromised Windows Host, Dynamic DNS, Suspicious DNS Traffic 2026-05-13
Linux Auditd Data Destruction Command Linux icon Linux Auditd Proctitle T1485 TTP AwfulShred, Data Destruction, Compromised Linux Host 2026-05-13
Windows System Shutdown CommandLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1529 Anomaly Quasar RAT, MuddyWater, MoonPeak, Sandworm Tools, XWorm, DarkGate Malware, DarkCrystal RAT, Scattered Lapsus$ Hunters, ZOVWiper, NjRAT 2026-05-13
Windows Attempt To Stop Security Service Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP WhisperGate, Data Destruction, Trickbot, Azorult, Disabling Security Tools, Graceful Wipe Out Attack 2026-05-13
Detect HTML Help Using InfoTech Storage Handlers Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.001 TTP APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity, Living Off The Land 2026-05-13
Excessive distinct processes from Windows Temp Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 Anomaly Meterpreter 2026-05-13
Ransomware Notes bulk creation Windows icon Sysmon EventID 11 T1486 Anomaly Chaos Ransomware, Black Basta Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Rhysida Ransomware, Termite Ransomware, DarkSide Ransomware, Cactus Ransomware, BlackMatter Ransomware, Hellcat Ransomware, NailaoLocker Ransomware 2026-05-13
Windows AD DCShadow Privileges ACL Addition Windows icon Windows Event Log Security 5136 T1207 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD GPO Disabled Windows icon Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Windows icon Windows Event Log Security 4648 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Services LOLBAS Execution Process Spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543.003 TTP CISA AA23-347A, Qakbot, Living Off The Land, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Windows AD Replication Request Initiated from Unsanctioned Location Windows icon Windows Event Log Security 4662, Windows icon Windows Event Log Security 4624 T1003.006 TTP Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows AD Short Lived Domain Controller SPN Attribute Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 5136 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Defacement Modify Transcodedwallpaper File Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1491 Anomaly Brute Ratel C4 2026-05-13
Linux Auditd Install Kernel Module Using Modprobe Utility Linux icon Linux Auditd Syscall T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux AWK Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Njrat Fileless Storage via Registry Windows icon Sysmon EventID 13 T1027.011 TTP NjRAT 2026-05-13
Windows Modify Registry Risk Behavior T1112 Correlation Windows Registry Abuse 2026-05-13
Linux File Created In Kernel Driver Directory Linux icon Sysmon for Linux EventID 11 T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Get DomainUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Windows Hidden Schedule Task Settings Windows icon Windows Event Log Security 4698 T1053 TTP Data Destruction, Hellcat Ransomware, Scheduled Tasks, Compromised Windows Host, Industroyer2, Cactus Ransomware, Active Directory Discovery, CISA AA22-257A, Malicious Inno Setup Loader 2026-05-13
Windows Binary Proxy Execution Mavinject DLL Injection Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.013 TTP Living Off The Land 2026-05-13
Windows System LogOff Commandline Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1529 Anomaly DarkCrystal RAT, Scattered Lapsus$ Hunters, XWorm, NjRAT 2026-05-13
Windows InstallUtil Uninstall Option Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.004 TTP Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land 2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204.002 T1542 T1688 Anomaly Compromised Windows Host 2026-05-13
Detect Certify With PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1059.001 T1649 TTP Malicious PowerShell, Windows Certificate Services 2026-05-13
Windows Non-System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 TTP Credential Dumping, Lokibot, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Detect PsExec With accepteula Flag Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.002 TTP SamSam Ransomware, BlackByte Ransomware, Medusa Ransomware, CISA AA22-320A, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Storm-0501 Ransomware, Seashell Blizzard, DarkSide Ransomware, DarkGate Malware, Volt Typhoon, VanHelsing Ransomware, Cactus Ransomware, Active Directory Lateral Movement 2026-05-13
Windows TeamCity Plugin Installed Windows icon Sysmon EventID 11 T1059 T1190 T1505.003 Anomaly JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2026-05-13
Linux Auditd System Network Configuration Discovery Linux icon Linux Auditd Syscall T1016 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Crowdstrike High Identity Risk Severity T1110 TTP Compromised Windows Host 2026-05-13
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1202 TTP Windows Post-Exploitation, Living Off The Land 2026-05-13
Windows MSIExec Unregister DLLRegisterServer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2026-05-13
Windows Hunting System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 Hunting Credential Dumping, Lokibot, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Revil Registry Entry Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1112 TTP Ransomware, Revil Ransomware, Windows Registry Abuse 2026-05-13
Suspicious DLLHost no Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware, Cactus Ransomware 2026-05-13
GetAdGroup with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 Hunting Active Directory Discovery 2026-05-13
Detect Remote Access Software Usage File Windows icon Sysmon EventID 11 T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Windows Eventlog Cleared Via Wevtutil Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.005 Anomaly ShrinkLocker, CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, Windows Log Manipulation 2026-05-13
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI Network icon Cisco Network Visibility Module Flow Data T1059.005 T1218.005 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
Windows User Execution Malicious URL Shortcut File Windows icon Sysmon EventID 11 T1204.002 Anomaly Chaos Ransomware, Quasar RAT, XWorm, Snake Keylogger, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Linux File Creation In Profile Directory Linux icon Sysmon for Linux EventID 11 T1546.004 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Modify Registry Utilize ProgIDs Windows icon Sysmon EventID 13 T1112 Anomaly ValleyRAT 2026-05-13
Windows Sqlservr Spawning Shell Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1505.001 Hunting SQL Server Abuse 2026-05-13
Windows Mustang Panda USB Tool Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1020 T1204.002 T1574.001 TTP Compromised Windows Host 2026-05-13
Windows Event Logging Service Has Shutdown Windows icon Windows Event Log Security 1100 T1685.005 Hunting Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters, Clop Ransomware 2026-05-13
Linux Auditd AI CLI Permission Override Activated Linux icon Linux Auditd Proctitle T1480 Anomaly QuietVault 2026-05-13
GetNetTcpconnection with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1049 Hunting Active Directory Discovery 2026-05-13
Linux Add Files In Known Crontab Directories Linux icon Sysmon for Linux EventID 11 T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Suspicious microsoft workflow compiler rename Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 T1127 Hunting Cobalt Strike, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution, BlackByte Ransomware 2026-05-13
Windows Credentials from Password Stores Creation Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1555 TTP DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host 2026-05-13
Allow Network Discovery In Firewall Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1686.001 TTP BlackByte Ransomware, Medusa Ransomware, Ransomware, Hellcat Ransomware, Revil Ransomware, NjRAT 2026-05-13
Windows Remote Services Allow Remote Assistance Windows icon Sysmon EventID 13 T1021.001 Anomaly Azorult 2026-05-13
Windows Unusual NTLM Authentication Destinations By Source Windows icon NTLM Operational 8006, Windows icon NTLM Operational 8005, Windows icon NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Disabling Task Manager Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Linux GNU Awk Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Virtual Disk File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows NorthStar C2 Agent Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204.002 T1547.001 T1608 TTP Compromised Windows Host 2026-05-13
Potential System Network Configuration Discovery Activity Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1016 Anomaly Unusual Processes 2026-05-13
Windows DLL Search Order Hijacking with iscsicpl Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574.001 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 Anomaly Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows MSIExec Remote Download Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1218.007 Anomaly Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, Water Gamayun, Windows System Binary Proxy Execution MSIExec, StealC Stealer 2026-05-13
Windows ComputerDefaults Spawning a Process Windows icon Sysmon EventID 1 T1548.002 TTP BlankGrabber Stealer, Castle RAT 2026-05-13
Screensaver Event Trigger Execution Windows icon Sysmon EventID 13 T1546.002 TTP Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Windows Remote Host Computer Management Access Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1021.006 Anomaly Medusa Ransomware 2026-05-13
Check Elevated CMD using whoami Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 TTP FIN7 2026-05-13
Windows Remote Services Rdp Enable Windows icon Sysmon EventID 13 T1021.001 TTP Azorult, Windows RDP Artifacts and Defense Evasion, BlackSuit Ransomware, Medusa Ransomware 2026-05-13
Linux Deleting Critical Directory Using RM Command Linux icon Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction, Industroyer2 2026-05-13
Windows Security Support Provider Reg Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1547.005 Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2026-05-13
Windows Registry BootExecute Modification Windows icon Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2026-05-13
Detect Regasm with Network Connection Windows icon Sysmon EventID 3 T1218.009 TTP Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Hellcat Ransomware 2026-05-13
System Processes Run From Unexpected Locations Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 Anomaly Ransomware, Qakbot, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability, Masquerading - Rename System Utilities, Suspicious Command-Line Executions, DarkGate Malware 2026-05-13
Vbscript Execution Using Wscript App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.005 TTP Remcos, FIN7, AsyncRAT 2026-05-13
Windows Firewall Rule Modification Windows icon Windows Event Log Security 4947 T1686 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware 2026-05-13
Windows Registry SIP Provider Modification Windows icon Sysmon EventID 13 T1553.003 TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 TTP Azorult 2026-05-13
Get DomainUser with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.002 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Windows Modify Registry MaxConnectionPerServer Windows icon Sysmon EventID 13 T1112 Anomaly Warzone RAT 2026-05-13
Crowdstrike User with Duplicate Password T1110 Anomaly Compromised Windows Host 2026-05-13
Windows Registry Certificate Added Windows icon Sysmon EventID 13 T1553.004 Anomaly Windows Registry Abuse, Windows Drivers 2026-05-13
Get ADUserResultantPasswordPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Linux Ruby Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Malicious InProcServer32 Modification Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1112 T1218.010 TTP Remcos, Suspicious Regsvr32 Activity 2026-05-13
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Windows Indicator Removal Via Rmdir Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070 Anomaly DarkGate Malware, APT37 Rustonotto and FadeStealer, ZOVWiper 2026-05-13
Disable Logs Using WevtUtil Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.005 TTP Ransomware, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Windows Credentials Access via VaultCli Module Windows icon Sysmon EventID 7 T1555.004 Anomaly Hellcat Ransomware, Meduza Stealer 2026-05-13
Windows Rundll32 Execution With Log.DLL Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
GitHub Workflow File Creation or Modification Linux icon Sysmon for Linux EventID 11, Windows icon Sysmon EventID 11 T1195 T1554 T1574.006 Hunting NPM Supply Chain Compromise 2026-05-13
Windows AD Domain Root ACL Modification Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Devtunnels Image Loaded Windows icon Sysmon EventID 7 T1090 Anomaly Reverse Network Proxy 2026-05-13
Windows Modify Registry USeWuServer Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows Delete or Modify System Firewall Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1686 Hunting ShrinkLocker, NjRAT 2026-05-13
Detect Remote Access Software Usage Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Storm-0501 Ransomware, Insider Threat 2026-05-13
Windows Ngrok Reverse Proxy Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1090 T1102 T1572 Anomaly CISA AA24-241A, Reverse Network Proxy, CISA AA22-320A 2026-05-13
Windows Unusual NTLM Authentication Destinations By User Windows icon NTLM Operational 8006, Windows icon NTLM Operational 8005, Windows icon NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Linux Auditd File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Auditd Daemon Abort Linux icon Linux Auditd Daemon Abort T1685.004 Anomaly Compromised Linux Host 2026-05-13
Windows Process Injection Wermgr Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement 2026-05-13
Windows Possible Credential Dumping Windows icon Sysmon EventID 10 T1003.001 TTP CISA AA23-347A, CISA AA22-264A, DarkSide Ransomware, Credential Dumping, Scattered Lapsus$ Hunters, Detect Zerologon Attack, CISA AA22-257A 2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP Cobalt Strike, BlackByte Ransomware, Cactus Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack 2026-05-13
Active Setup Registry Autostart Windows icon Sysmon EventID 13 T1547.014 TTP Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
BCDEdit Failure Recovery Modification Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Void Manticore, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Ryuk Ransomware, Compromised Windows Host 2026-05-13
Windows Registry Modification for Safe Mode Persistence Windows icon Sysmon EventID 13 T1547.001 TTP Ransomware, Windows Drivers, Windows Registry Abuse 2026-05-13
Runas Execution in CommandLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1134.001 Hunting Quasar RAT, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Allow File And Printing Sharing In Firewall Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1686.001 TTP Ransomware, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Suspicious MSBuild Rename Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 T1127.001 Hunting Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware 2026-05-13
Windows PowerShell Process Implementing Manual Base64 Decoder Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1027.010 T1059.001 Anomaly Deobfuscate-Decode Files or Information, Compromised Windows Host 2026-05-13
Detect Mimikatz With PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1003 T1059.001 TTP Malicious PowerShell, Data Destruction, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Hermetic Wiper, CISA AA22-264A, Scattered Spider, Hellcat Ransomware 2026-05-13
Windows UAC Bypass Suspicious Escalation Behavior Windows icon Sysmon EventID 1 T1548.002 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2026-05-13
Suspicious mshta child process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.005 TTP MuddyWater, Lumma Stealer, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
BITS Job Persistence Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1197 TTP BITS Jobs, Living Off The Land 2026-05-13
Disable Defender Spynet Reporting Windows icon Sysmon EventID 13 T1685 TTP CISA AA23-347A, IcedID, Windows Registry Abuse, Qakbot, Azorult 2026-05-13
Detect HTML Help Renamed Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.001 Hunting APT37 Rustonotto and FadeStealer, Suspicious Compiled HTML Activity, Living Off The Land 2026-05-13
Linux Stdout Redirection To Dev Null File Linux icon Sysmon for Linux EventID 1 T1686 Anomaly Data Destruction, Cyclops Blink, Industroyer2 2026-05-13
Windows Modify Registry Tamper Protection Windows icon Sysmon EventID 13 T1112 TTP RedLine Stealer, Scattered Lapsus$ Hunters 2026-05-13
Certutil exe certificate extraction Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1649 TTP Cloud Federated Credential Abuse, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Windows Certificate Services 2026-05-13
Malicious PowerShell Process - Execution Policy Bypass Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 Anomaly MuddyWater, Salt Typhoon, BlankGrabber Stealer, AsyncRAT, HAFNIUM Group, DHS Report TA18-074A, XWorm, DarkCrystal RAT, Volt Typhoon, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer 2026-05-13
WMI Permanent Event Subscription - Sysmon Windows icon Sysmon EventID 21 T1546.003 TTP Suspicious WMI Use 2026-05-13
Windows Gather Victim Host Information Camera Windows icon Powershell Script Block Logging 4104 T1592.001 Anomaly DarkCrystal RAT 2026-05-13
Cisco NVM - Installation of Typosquatted Python Package Network icon Cisco Network Visibility Module Flow Data T1059 TTP Cisco Network Visibility Module Analytics 2026-05-13
Linux Ngrok Reverse Proxy Usage Linux icon Sysmon for Linux EventID 1 T1090 T1102 T1572 Anomaly Reverse Network Proxy 2026-05-13
GetAdGroup with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069.002 Hunting Active Directory Discovery, Scattered Lapsus$ Hunters 2026-05-13
Control Loading from World Writable Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.002 TTP Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Living Off The Land 2026-05-13
GetDomainController with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Windows Rundll32 WebDAV Request Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1048.003 Hunting CVE-2023-23397 Outlook Elevation of Privilege 2026-05-13
Suspicious Rundll32 dllregisterserver Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP IcedID, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows RunMRU Registry Key or Value Deleted Windows icon Sysmon EventID 12 T1112 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Disable Shutdown Button Through Registry Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2026-05-13
Linux System Reboot Via System Request Key Linux icon Sysmon for Linux EventID 1 T1529 TTP AwfulShred, Data Destruction 2026-05-13
Windows Rundll32 WebDav With Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2026-05-13
MacOS Gatekeeper Bypass Osquery Results T1553.001 Anomaly MacOS Persistence Techniques, MacOS Privilege Escalation, MacOS Post-Exploitation 2026-05-13
Linux Auditd Possible Access To Sudoers File Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1548.003 Anomaly Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Detect Renamed RClone Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1020 Hunting Black Basta Ransomware, DarkSide Ransomware, Ransomware, Cactus Ransomware 2026-05-13
Windows Steal Authentication Certificates CS Backup Windows icon Windows Event Log Security 4876 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Executable Masquerading as Benign File Types Windows icon Sysmon EventID 29 T1036.008 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Crowdstrike Privilege Escalation For Non-Admin User T1110 Anomaly Compromised Windows Host 2026-05-13
Windows Suspicious Driver Loaded Path Windows icon Sysmon EventID 6 T1543.003 TTP XMRig, Interlock Ransomware, AgentTesla, CISA AA22-320A, Snake Keylogger, APT37 Rustonotto and FadeStealer, BlackByte Ransomware 2026-05-13
Windows Schtasks Create Run As System Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 TTP SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Scheduled Tasks, Qakbot, Windows Persistence Techniques, Castle RAT 2026-05-13
Linux Auditd Data Transfer Size Limits Via Split Syscall Linux icon Linux Auditd Syscall T1030 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Disabling Windows Local Security Authority Defences via Registry Windows icon Sysmon EventID 13 T1556 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Cisco Isovalent - Nsenter Usage in Kubernetes Pod Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows Renamed Powershell Execution Windows icon Sysmon EventID 1 T1036.003 TTP Axios Supply Chain Post Compromise, Hellcat Ransomware, XWorm 2026-05-13
PowerShell Invoke CIMMethod CIMSession Windows icon Powershell Script Block Logging 4104 T1047 Anomaly Malicious PowerShell, Active Directory Lateral Movement, Scattered Lapsus$ Hunters 2026-05-13
Windows Modify Registry Suppress Win Defender Notif Windows icon Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Suspicious Reg exe Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1112 Anomaly DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics 2026-05-13
Wermgr Process Create Executable File Windows icon Sysmon EventID 11 T1027 TTP Trickbot 2026-05-13
Windows Wmic Memory Chip Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Windows Process With NetExec Command Line Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1550.003 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Windows Screen Capture Via Powershell Windows icon Powershell Script Block Logging 4104 T1113 TTP Water Gamayun, BlankGrabber Stealer, APT37 Rustonotto and FadeStealer, Winter Vivern 2026-05-13
Remote WMI Command Attempt Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 TTP CISA AA23-347A, IcedID, Living Off The Land, Volt Typhoon, Suspicious WMI Use, Graceful Wipe Out Attack 2026-05-13
Windows Group Policy Object Created Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5136 T1078.002 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows PowerShell IIS Components WebGlobalModule Usage Windows icon Powershell Script Block Logging 4104 T1505.004 Anomaly IIS Components, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows AD Short Lived Server Object Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5141 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Admon Group Policy Object Created Windows icon Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Detection of tools built by NirSoft Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1072 Anomaly Emotet Malware DHS Report TA18-201A 2026-05-13
Sunburst Correlation DLL and Network Event Windows icon Sysmon EventID 7, Windows icon Sysmon EventID 22 T1203 TTP NOBELIUM Group 2026-05-13
Windows Modify Registry ProxyEnable Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows Multiple Account Passwords Changed Windows icon Windows Event Log Security 4724 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
MacOS Keychains Dumped Osquery Results T1555.001 TTP MacOS Privilege Escalation 2026-05-13
Windows File and Directory Enable ReadOnly Permissions Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1222.001 TTP NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Excessive Usage Of Cacls App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222 Anomaly XMRig, Prestige Ransomware, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer, Windows Post-Exploitation 2026-05-13
Credential Dumping via Copy Command from Shadow Copy Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.003 TTP Credential Dumping, Compromised Windows Host 2026-05-13
Interactive Session on Remote Endpoint with PowerShell Windows icon Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows MSHTA Writing to World Writable Path Windows icon Sysmon EventID 11 T1218.005 TTP Suspicious MSHTA Activity, XWorm, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows Defender ASR Rule Disabled Windows icon Windows Event Log Defender 5007 T1112 TTP Windows Attack Surface Reduction 2026-05-13
Rundll32 Control RunDLL World Writable Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows AD Privileged Group Modification Windows icon Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Cisco NVM - Suspicious Download From File Sharing Website Network icon Cisco Network Visibility Module Flow Data T1197 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer 2026-05-13
Linux Auditd Osquery Service Stop Linux icon Linux Auditd Service Stop T1489 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Privilege Escalation System Process Without System Parent Windows icon Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, Windows Privilege Escalation 2026-05-13
Windows EventLog Recon Activity Using Log Query Utilities Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1654 Anomaly BlankGrabber Stealer, Windows Discovery Techniques 2026-05-13
Detect Renamed PSExec Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1569.002 Hunting Salt Typhoon, SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Cactus Ransomware, China-Nexus Threat Activity, BlackByte Ransomware 2026-05-13
WinRM Spawning a Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1190 TTP Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, CISA AA23-347A, Unusual Processes 2026-05-13
Windows Archive Collected Data via Rar Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1560.001 Anomaly China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Rapid Authentication On Multiple Hosts Windows icon Windows Event Log Security 4624 T1003.002 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
SAM Database File Access Attempt Windows icon Windows Event Log Security 4663 T1003.002 Hunting Credential Dumping, Rhysida Ransomware, Graceful Wipe Out Attack 2026-05-13
Windows Service Create RemComSvc Windows icon Windows Event Log System 7045 T1543.003 Anomaly Active Directory Discovery 2026-05-13
Windows KrbRelayUp Service Creation Windows icon Windows Event Log System 7045 T1543.003 TTP Local Privilege Escalation With KrbRelayUp, Compromised Windows Host 2026-05-13
Windows Process Injection In Non-Service SearchIndexer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1055 TTP Qakbot 2026-05-13
Windows SQL Server xp_cmdshell Config Change Windows icon Windows Event Log Application 15457 T1505.001 TTP Seashell Blizzard, SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
GetAdComputer with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 Hunting Active Directory Discovery, Medusa Ransomware 2026-05-13
Windows MSIExec Spawn Discovery Command Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.007 Anomaly Windows System Binary Proxy Execution MSIExec, Water Gamayun, StealC Stealer, Medusa Ransomware 2026-05-13
Windows Impair Defense Configure App Install Control Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry DisableRemoteDesktopAntiAlias Windows icon Sysmon EventID 13 T1112 TTP DarkGate Malware 2026-05-13
Remcos client registry install entry Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1112 TTP Windows Registry Abuse, Remcos 2026-05-13
Resize ShadowStorage volume Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Clop Ransomware, Medusa Ransomware, VanHelsing Ransomware, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Windows File and Directory Permissions Remove Inheritance Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1222.001 Anomaly Crypto Stealer 2026-05-13
Windows Wmic Network Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Windows DNS Gather Network Info Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1590.002 Anomaly Sandworm Tools, Volt Typhoon 2026-05-13
Linux Auditd Clipboard Data Copy Linux icon Linux Auditd Execve T1115 Anomaly Compromised Linux Host, Linux Living Off The Land 2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 Anomaly Qakbot 2026-05-13
Permission Modification using Takeown App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222 Anomaly Sandworm Tools, Ransomware, Scattered Lapsus$ Hunters, Crypto Stealer 2026-05-13
Linux Indicator Removal Clear Cache Linux icon Sysmon for Linux EventID 1 T1070 TTP AwfulShred, Data Destruction 2026-05-13
Get WMIObject Group Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069.001 Hunting Active Directory Discovery 2026-05-13
Linux Gem Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Office Product Spawned MSDT Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 TTP Spearphishing Attachments, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host 2026-05-13
Linux c89 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows BitLockerToGo Process Execution Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1218 Hunting Lumma Stealer 2026-05-13
PowerShell Script Block With URL Chain Windows icon Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell, Hellcat Ransomware 2026-05-13
Linux Insert Kernel Module Using Insmod Utility Linux icon Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, XorDDos, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Windows Office Product Loaded MSHTML Module Windows icon Sysmon EventID 7 T1566.001 Anomaly Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability 2026-05-13
Windows Impair Defense Change Win Defender Health Check Intervals Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows IIS Components Get-WebGlobalModule Module Query Windows icon Powershell Installed IIS Modules T1505.004 Hunting IIS Components, WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Suspicious wevtutil Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.005 TTP ShrinkLocker, CISA AA23-347A, Clop Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VoidLink Cloud-Native Linux Malware, Scattered Spider, Windows Log Manipulation, Storm-0501 Ransomware 2026-05-13
Windows Default Cobalt Strike PowerShell Beacon Windows icon Powershell Script Block Logging 4104 T1059.001 T1204.002 TTP Cobalt Strike 2026-05-13
Windows Impair Defense Disable Win Defender Gen reports Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry Configure BitLocker Windows icon Sysmon EventID 13 T1112 TTP ShrinkLocker 2026-05-13
Suspicious PlistBuddy Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543.001 TTP Silver Sparrow 2026-05-13
Windows Admin Permission Discovery Windows icon Sysmon EventID 11 T1069.001 Anomaly NjRAT 2026-05-13
Windows Important Audit Policy Disabled Windows icon Windows Event Log Security 4719 T1685 TTP Windows Audit Policy Tampering 2026-05-13
Windows PowerShell Get CIMInstance Remote Computer Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement 2026-05-13
Windows Modify Registry on Smart Card Group Policy Windows icon Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2026-05-13
Linux Auditd Private Keys and Certificate Enumeration Linux icon Linux Auditd Execve T1552.004 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Service Started Linux icon Linux Auditd Proctitle T1569.002 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Modify Registry Disable Toast Notifications Windows icon Sysmon EventID 13 T1112 Anomaly Azorult 2026-05-13
Detect WMI Event Subscription Persistence Windows icon Sysmon EventID 20 T1546.003 TTP Suspicious WMI Use, Hellcat Ransomware 2026-05-13
Windows Computer Account With SPN Windows icon Windows Event Log Security 4741 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host 2026-05-13
Suspicious mshta spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.005 TTP APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Windows AI Platform DNS Query Windows icon Sysmon EventID 22 T1071.004 Anomaly LAMEHUG, SesameOp, PromptFlux 2026-05-13
Linux Auditd Find Credentials From Password Managers Linux icon Linux Auditd Execve T1555.005 TTP Linux Privilege Escalation, Scattered Lapsus$ Hunters, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Magic SysRq Key Abuse Linux icon Linux Auditd Path, Linux icon Linux Auditd Cwd T1059.004 T1489 T1499 T1529 TTP Compromised Linux Host 2026-05-13
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying 2026-05-13
Disable Security Logs Using MiniNt Registry Windows icon Sysmon EventID 13 T1112 TTP Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Identify Protocol Handlers Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 Hunting Living Off The Land 2026-05-13
Windows SQL Server Extended Procedure DLL Loading Hunt Windows icon Windows Event Log Application 8128 T1059.009 T1505.001 Hunting SQL Server Abuse 2026-05-13
Windows New Deny Permission Set On Service SD Via Sc.EXE Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1564 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows MSC EvilTwin Directory Path Manipulation Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.005 T1203 T1218 TTP Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Azure Storage Utility Execution Via CLI Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1567.002 Anomaly Data Exfiltration 2026-05-13
Windows InstallUtil in Non Standard Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 T1218.004 TTP WhisperGate, Data Destruction, Signed Binary Proxy Execution InstallUtil, Ransomware, Living Off The Land, Unusual Processes, Masquerading - Rename System Utilities 2026-05-13
Windows Steal Authentication Certificates - ESC1 Abuse Windows icon Windows Event Log Security 4886, Windows icon Windows Event Log Security 4887 T1649 TTP Windows Certificate Services 2026-05-13
Linux Gdrive Binary Activity Linux icon Sysmon for Linux EventID 1 T1567 TTP China-Nexus Threat Activity 2026-05-13
Windows Detect Network Scanner Behavior Windows icon Sysmon EventID 3 T1595.001 T1595.002 Anomaly Windows Discovery Techniques, Network Discovery 2026-05-13
Windows Execution of Microsoft MSC File In Suspicious Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.014 Anomaly XML Runner Loader 2026-05-13
Windows RDP Server Registry Deletion Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Modify Registry Disable RDP Windows icon Sysmon EventID 13 T1112 Anomaly ShrinkLocker, Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Post Exploitation Risk Behavior T1003 T1012 T1016 T1049 T1069 T1082 T1115 T1552 Correlation Windows Post-Exploitation 2026-05-13
Windows Unusual SysWOW64 Process Run System32 Executable Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1036.009 Anomaly China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon 2026-05-13
Windows Modify Registry Auto Update Notif Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Revil Common Exec Parameter Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1204 TTP Ransomware, Revil Ransomware 2026-05-13
Windows RDP Cache File Deletion Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux Iptables Firewall Modification Linux icon Sysmon for Linux EventID 1 T1686 Anomaly China-Nexus Threat Activity, Sandworm Tools, Cyclops Blink, Backdoor Pingpong 2026-05-13
Windows Network Share Interaction Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1039 T1135 Hunting Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2026-05-13
Detect Regsvcs with No Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
XSL Script Execution With WMIC Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1220 TTP Suspicious WMI Use, FIN7 2026-05-13
Windows Symlink Evaluation Change via Fsutil Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222.001 Anomaly Windows Post-Exploitation 2026-05-13
GetLocalUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1059.001 T1087.001 Hunting Active Directory Discovery, Malicious PowerShell 2026-05-13
Windows Audit Policy Disabled via Legacy Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Ingress Tool Transfer Using Explorer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1105 Anomaly DarkCrystal RAT 2026-05-13
MacOS Account Created Osquery Results T1136 Anomaly MacOS Persistence Techniques 2026-05-13
ServicePrincipalNames Discovery with PowerShell Windows icon Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Kerberos Attacks, Malicious PowerShell, Active Directory Privilege Escalation, Active Directory Discovery, Hellcat Ransomware 2026-05-13
Windows Multiple Accounts Disabled Windows icon Windows Event Log Security 4725 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows Proxy Via Registry Windows icon Sysmon EventID 13 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows BitLocker Suspicious Command Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1486 T1490 TTP ShrinkLocker 2026-05-13
Windows RDP Connection Successful Windows icon Windows Event Log RemoteConnectionManager 1149 T1563.002 Hunting Interlock Ransomware, Windows RDP Artifacts and Defense Evasion, NetSupport RMM Tool Abuse, Active Directory Lateral Movement, BlackByte Ransomware 2026-05-13
Windows SymbolicLink-Testing-Tools Utility Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222 T1564.004 TTP Windows Persistence Techniques, Windows Post-Exploitation, Windows Privilege Escalation 2026-05-13
Windows Impair Defenses Disable Win Defender Auto Logging Windows icon Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Root Domain linked policies Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2026-05-13
Detect Remote Access Software Usage FileInfo Windows icon Sysmon EventID 1 T1219 Anomaly Command And Control, Interlock Ransomware, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Windows Universal Data Link File Creation Windows icon Sysmon EventID 11 T1204.002 T1566.001 Anomaly Spearphishing Attachments 2026-05-13
Windows Indirect Command Execution Via Series Of Forfiles Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1202 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Defender ASR Block Events Windows icon Windows Event Log Defender 1126, Windows icon Windows Event Log Defender 1133, Windows icon Windows Event Log Defender 1129, Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1131 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2026-05-13
Allow Inbound Traffic In Firewall Rule Windows icon Powershell Script Block Logging 4104 T1021.001 TTP NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Kerberos TGT Request Using RC4 Encryption Windows icon Windows Event Log Security 4768 T1550 TTP Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters 2026-05-13
Windows Privilege Escalation Suspicious Process Elevation Windows icon Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation 2026-05-13
Windows Command Obfuscation with Environment Variable Substrings Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1027.010 Anomaly Malicious PowerShell 2026-05-13
Linux Data Destruction Command Linux icon Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction 2026-05-13
Kerberoasting spn request with RC4 encryption Windows icon Windows Event Log Security 4769 T1558.003 TTP Active Directory Kerberos Attacks, Data Destruction, Hermetic Wiper, Windows Privilege Escalation, Compromised Windows Host 2026-05-13
Windows Alternate DataStream - Base64 Content Windows icon Sysmon EventID 15 T1564.004 TTP APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics 2026-05-13
Windows Service Stop Win Updates Windows icon Windows Event Log System 7040 T1489 Anomaly RedLine Stealer, CISA AA23-347A 2026-05-13
MacOS Data Chunking Osquery Results T1030 Anomaly MacOS Post-Exploitation 2026-05-13
Windows Create Local Account Windows icon Windows Event Log Security 4720 T1136.001 Anomaly Scattered Lapsus$ Hunters, Active Directory Password Spraying, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows WBAdmin File Recovery From Backup Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 T1565.001 Anomaly Credential Dumping 2026-05-13
FodHelper UAC Bypass Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1112 T1548.002 TTP BlankGrabber Stealer, IcedID, Compromised Windows Host, ValleyRAT, Windows Defense Evasion Tactics 2026-05-13
Windows PowerShell Disable HTTP Logging Windows icon Powershell Script Block Logging 4104 T1505.004 T1685.001 TTP IIS Components, Windows Defense Evasion Tactics 2026-05-13
Windows Spearphishing Attachment Onenote Spawn Mshta Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 TTP Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer, AsyncRAT 2026-05-13
WinEvent Scheduled Task Created Within Public Path Windows icon Windows Event Log Security 4698 T1053.005 TTP Quasar RAT, Ransomware, Scheduled Tasks, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, XWorm, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, Winter Vivern, Castle RAT, Medusa Ransomware, Malicious Inno Setup Loader, Active Directory Lateral Movement, Salt Typhoon, CISA AA23-347A, IcedID, Industroyer2, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT 2026-05-13
Remote Desktop Process Running On System Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.001 Hunting Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Hidden Cobra Malware 2026-05-13
MacOS Kextload Usage Osquery Results T1543 TTP MacOS Persistence Techniques, MacOS Privilege Escalation 2026-05-13
Windows MpCmdRun RemoveDefinitions Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Anomaly BlankGrabber Stealer 2026-05-13
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 T1059 TTP Windows Persistence Techniques 2026-05-13
Windows Modify Registry Disable Windows Security Center Notif Windows icon Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Windows Computer Account Requesting Kerberos Ticket Windows icon Windows Event Log Security 4768 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks 2026-05-13
Rundll32 LockWorkStation Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 Anomaly Ransomware 2026-05-13
Anomalous usage of 7zip Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1560.001 Anomaly Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, NOBELIUM Group, Graceful Wipe Out Attack 2026-05-13
Get-ForestTrust with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1482 TTP Active Directory Discovery 2026-05-13
Windows Processes Killed By Industroyer2 Malware Windows icon Sysmon EventID 5 T1489 Anomaly Data Destruction, Industroyer2 2026-05-13
Unusual Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows Suspicious C2 Named Pipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1021.002 T1055 T1559 TTP Cobalt Strike, BlackByte Ransomware, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, Storm-0501 Ransomware, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
GetAdComputer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 Hunting Active Directory Discovery, Gozi Malware, Medusa Ransomware, CISA AA22-320A 2026-05-13
Hunting 3CXDesktopApp Software Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1195.002 Hunting 3CX Supply Chain Attack 2026-05-13
Windows Suspicious QEMU Execution Windows icon Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Post-Exploitation, Linux Privilege Escalation, Compromised Linux Host, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Rootkit 2026-05-13
Process Writing DynamicWrapperX Windows icon Sysmon EventID 11 T1059 T1559.001 Hunting Remcos 2026-05-13
Cisco Isovalent - Kprobe Spike Cisco Isovalent Process Kprobe T1068 Hunting Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Certutil Root Certificate Addition Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1587.003 TTP Secret Blizzard 2026-05-13
Short Lived Windows Accounts Windows icon Windows Event Log System 4726, Windows icon Windows Event Log System 4720 T1078.003 T1136.001 TTP Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process Windows icon Sysmon EventID 23 T1068 T1218.007 TTP Windows Privilege Escalation 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1021.003 TTP Active Directory Lateral Movement 2026-05-13
Add DefaultUser And Password In Registry Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1552.002 Anomaly BlackMatter Ransomware 2026-05-13
Scheduled Task Initiation on Remote Endpoint Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 TTP Medusa Ransomware, Scheduled Tasks, Living Off The Land, Seashell Blizzard, Active Directory Lateral Movement 2026-05-13
Windows NirSoft AdvancedRun Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1588.002 TTP WhisperGate, Ransomware, Data Destruction, Unusual Processes 2026-05-13
Exchange PowerShell Module Usage Windows icon Powershell Script Block Logging 4104 T1059.001 TTP CISA AA22-277A, ProxyShell, CISA AA22-264A, ProxyNotShell, Scattered Spider, BlackByte Ransomware 2026-05-13
Windows CAB File on Disk Windows icon Sysmon EventID 11 T1566.001 Anomaly DarkGate Malware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows PaperCut NG Spawn Shell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 T1133 T1190 TTP PaperCut MF NG Vulnerability, Compromised Windows Host 2026-05-13
Windows Private Keys Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1552.004 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Phishing PDF File Executes URL Link Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1566.001 Anomaly Spearphishing Attachments, MuddyWater, Snake Keylogger 2026-05-13
Windows Hijack Execution Flow Version Dll Side Load Windows icon Sysmon EventID 7 T1574.001 Anomaly Brute Ratel C4, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm 2026-05-13
Loading Of Dynwrapx Module Windows icon Sysmon EventID 7 T1055.001 TTP Remcos, AsyncRAT 2026-05-13
Windows WMI Process Call Create Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 Hunting CISA AA23-347A, IcedID, Qakbot, Volt Typhoon, Cactus Ransomware, Suspicious WMI Use 2026-05-13
Windows ConHost with Headless Argument Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1564.003 T1564.006 TTP Spearphishing Attachments, Compromised Windows Host 2026-05-13
Shim Database Installation With Suspicious Parameters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1546.011 TTP Windows Persistence Techniques, Compromised Windows Host 2026-05-13
Windows Alternate DataStream - Executable Content Windows icon Sysmon EventID 15 T1564.004 TTP Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry No Auto Reboot With Logon User Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Rundll32 Process Creating Exe Dll Files Windows icon Sysmon EventID 11 T1218.011 TTP IcedID, Gh0st RAT, Living Off The Land 2026-05-13
Overwriting Accessibility Binaries Windows icon Sysmon EventID 11 T1546.008 TTP Flax Typhoon, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Suspicious PlistBuddy Usage via OSquery Osquery Results T1543.001 TTP Silver Sparrow 2026-05-13
Windows Create Local Administrator Account Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1136.001 Anomaly CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, DHS Report TA18-074A, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters, CISA AA22-257A 2026-05-13
Schedule Task with HTTP Command Arguments Windows icon Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Hellcat Ransomware, Winter Vivern 2026-05-13
Windows Raw Access To Master Boot Record Drive Windows icon Sysmon EventID 9 T1561.002 TTP WhisperGate, Data Destruction, BlackByte Ransomware, Disk Wiper, Void Manticore, Hermetic Wiper, CISA AA22-264A, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, NjRAT 2026-05-13
Ryuk Wake on LAN Command Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 TTP Ryuk Ransomware, Hellcat Ransomware, Compromised Windows Host 2026-05-13
Windows IIS Components New Module Added Windows icon Windows IIS 29 T1505.004 TTP IIS Components, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Masquerading Msdtc Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036 TTP Compromised Windows Host, PlugX 2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle Windows icon Sysmon EventID 10 T1134.001 Hunting Brute Ratel C4 2026-05-13
Windows Modify Registry Auto Minor Updates Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows MOF Event Triggered Execution via WMI Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1546.003 TTP Compromised Windows Host, Living Off The Land 2026-05-13
Windows RMM Named Pipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
High Frequency Copy Of Files In Network Share Windows icon Windows Event Log Security 5145 T1537 Anomaly Hellcat Ransomware, Information Sabotage, Insider Threat 2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary Windows icon Sysmon EventID 1 T1036 T1572 TTP Flax Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
MacOS List Firewall Rules Osquery Results T1016 Anomaly Network Discovery 2026-05-13
Detect AzureHound File Modifications Windows icon Sysmon EventID 11 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Windows Discovery Techniques 2026-05-13
Windows Process Commandline Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1057 Hunting CISA AA23-347A 2026-05-13
Bcdedit Command Back To Normal Mode Boot Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Black Basta Ransomware, BlackMatter Ransomware 2026-05-13
GetWmiObject Ds Computer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Windows Modify Registry Default Icon Setting Windows icon Sysmon EventID 13 T1112 Anomaly LockBit Ransomware 2026-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds Windows icon Sysmon EventID 13 T1112 TTP Snake Malware 2026-05-13
Disabling CMD Application Windows icon Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Windows TinyCC Shellcode Execution Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1027 T1036 T1059.003 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Suspicious Computer Account Name Change Windows icon Windows Event Log Security 4781 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Privilege Escalation 2026-05-13
Windows InstallUtil Credential Theft Windows icon Sysmon EventID 7 T1218.004 TTP Signed Binary Proxy Execution InstallUtil 2026-05-13
Windows AD Abnormal Object Access Activity Windows icon Windows Event Log Security 4662 T1087.002 Anomaly Active Directory Discovery, BlackSuit Ransomware 2026-05-13
Linux Clipboard Data Copy Linux icon Sysmon for Linux EventID 1 T1115 Anomaly Linux Living Off The Land 2026-05-13
Cisco Isovalent - Late Process Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Schedule Task with Rundll32 Command Trigger Windows icon Windows Event Log Security 4698 T1053 TTP Trickbot, IcedID, Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Castle RAT 2026-05-13
Windows AD Dangerous Deny ACL Modification Windows icon Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows USBSTOR Registry Key Modification Windows icon Sysmon EventID 13, Windows icon Sysmon EventID 12 T1025 T1091 T1200 Anomaly Data Protection, APT37 Rustonotto and FadeStealer 2026-05-13
Crowdstrike User Weak Password Policy T1110 Anomaly Compromised Windows Host 2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags Cisco Isovalent Process Exec T1105 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Powershell COM Hijacking InprocServer32 Modification Windows icon Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Malicious PowerShell 2026-05-13
Linux APT Privilege Escalation Cisco Isovalent Process Exec, Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Modify Show Compress Color And Info Tip Registry Windows icon Sysmon EventID 13 T1112 TTP Data Destruction, Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Suspicious Ticket Granting Ticket Request Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4781 T1078.002 Hunting sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
MS Scripting Process Loading WMI Module Windows icon Sysmon EventID 7 T1059.007 Anomaly FIN7 2026-05-13
Monitor Registry Keys for Print Monitors Windows icon Sysmon EventID 13 T1547.010 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Detect RClone Command-Line Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1020 TTP Black Basta Ransomware, Cisco Network Visibility Module Analytics, Ransomware, DarkSide Ransomware, Cactus Ransomware, Hellcat Ransomware, Storm-0501 Ransomware 2026-05-13
Get DomainPolicy with Powershell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1201 TTP Active Directory Discovery 2026-05-13
Suspicious Linux Discovery Commands Linux icon Sysmon for Linux EventID 1 T1059.004 TTP Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Disable Notification Center Windows icon Sysmon EventID 13 T1112 Anomaly Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Phishing Outlook Drop Dll In FORM Dir Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566 TTP Outlook RCE CVE-2024-21378 2026-05-13
Windows Impair Defenses Disable Auto Logger Session Windows icon Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Batch File Write to System32 Windows icon Sysmon EventID 11 T1204.002 TTP SamSam Ransomware, Compromised Windows Host 2026-05-13
Detect Use of cmd exe to Launch Script Interpreters Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 Anomaly Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions 2026-05-13
Windows Deleted Registry By A Non Critical Process File Path Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12 T1112 Anomaly Data Destruction, Double Zero Destructor 2026-05-13
Linux Auditd Dd File Overwrite Linux icon Linux Auditd Proctitle T1485 TTP Data Destruction, Compromised Linux Host, Industroyer2 2026-05-13
CSC Net On The Fly Compilation Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1027.004 Hunting Windows Defense Evasion Tactics 2026-05-13
Process Kill Base On File Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP XMRig 2026-05-13
Windows AD Domain Controller Audit Policy Disabled Windows icon Windows Event Log Security 4719 T1685 TTP Windows Audit Policy Tampering 2026-05-13
Get WMIObject Group Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 Hunting Active Directory Discovery 2026-05-13
Windows DotNet Binary in Non Standard Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036.003 T1218.004 TTP WhisperGate, Data Destruction, Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities 2026-05-13
Windows BitDefender Submission Wizard DLL Sideloading Windows icon Sysmon EventID 7 T1574 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Detect Certify Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1105 T1649 TTP Ingress Tool Transfer, Windows Certificate Services, Compromised Windows Host 2026-05-13
Windows ESX Admins Group Creation via PowerShell Windows icon Powershell Script Block Logging 4104 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2026-05-13
Windows Hide Notification Features Through Registry Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Suspicious Curl Network Connection Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Linux icon Sysmon for Linux EventID 1 T1105 TTP GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Metasploit Confluence Plugin Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1190 T1505.003 T1608 TTP Confluence Data Center and Confluence Server Vulnerabilities 2026-05-13
Windows File Download Via PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1059.001 T1105 Anomaly SolarWinds WHD RCE Post Exploitation, NPM Supply Chain Compromise, HAFNIUM Group, Phemedrone Stealer, Data Destruction, XWorm, NetSupport RMM Tool Abuse, StealC Stealer, Winter Vivern, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Hermetic Wiper, SysAid On-Prem Software CVE-2023-47246 Vulnerability, IcedID, Tuoni, APT37 Rustonotto and FadeStealer 2026-05-13
Windows PuTTY Suite Utility Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.004 Anomaly Command And Control, Active Directory Lateral Movement 2026-05-13
Windows User Deletion Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1531 Anomaly XMRig, Graceful Wipe Out Attack, DarkGate Malware 2026-05-13
Windows Service Execution RemCom Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1569.002 TTP Active Directory Discovery 2026-05-13
Windows Application Whitelisting Bypass Attempt via Rundll32 Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows Excessive Disabled Services Event Windows icon Windows Event Log System 7040 T1685 TTP Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows LOLBAS Executed Outside Expected Path Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1036.005 T1218.011 Anomaly Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
CMD Carry Out String Command Parameter Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 Hunting Quasar RAT, Qakbot, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, Data Destruction, AsyncRAT, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Warzone RAT, Winter Vivern, WhisperGate, Gh0st RAT, Hermetic Wiper, Azorult, ProxyNotShell, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, CISA AA23-347A, IcedID, Crypto Stealer, PlugX, 0bj3ctivity Stealer 2026-05-13
Linux High Frequency Of File Deletion In Etc Folder Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly Data Destruction, AcidRain 2026-05-13
Windows Powershell History File Deletion Windows icon Powershell Script Block Logging 4104 T1059.003 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Linux At Allow Config File Creation Linux icon Sysmon for Linux EventID 11 T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Domain Account Discovery with Dsquery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.002 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Windows Software Discovery Via PowerShell Windows icon Powershell Script Block Logging 4104 T1012 T1059.001 T1518 Anomaly Windows Discovery Techniques 2026-05-13
Windows Office Product Dropped Uncommon File Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566.001 Anomaly AgentTesla, FIN7, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, PlugX, Warzone RAT 2026-05-13
Windows Account Discovery for None Disable User Account Windows icon Powershell Script Block Logging 4104 T1087.001 Hunting CISA AA23-347A 2026-05-13
Icacls Deny Command Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1222 Anomaly XMRig, Sandworm Tools, Defense Evasion or Unauthorized Access Via SDDL Tampering, Azorult, Compromised Windows Host, Crypto Stealer 2026-05-13
Msmpeng Application DLL Side Loading Windows icon Sysmon EventID 11 T1574.001 TTP Ransomware, Revil Ransomware 2026-05-13
Windows Privilege Escalation User Process Spawn System Process Windows icon Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation 2026-05-13
Windows MsiExec HideWindow Rundll32 Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.007 TTP Water Gamayun, Qakbot 2026-05-13
Windows Raw Access To Disk Volume Partition Windows icon Sysmon EventID 9 T1561.002 Anomaly Data Destruction, BlackByte Ransomware, Disk Wiper, Void Manticore, Hermetic Wiper, CISA AA22-264A, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, NjRAT 2026-05-13
Windows AD DSRM Password Reset Windows icon Windows Event Log Security 4794 T1098 TTP Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Windows AppX Deployment Unsigned Package Installation Windows icon Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 TTP MSIX Package Abuse 2026-05-13
GetDomainComputer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Windows AD GPO New CSE Addition Windows icon Windows Event Log Security 5136 T1222.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
IcedID Exfiltrated Archived File Creation Windows icon Sysmon EventID 11 T1560.001 Hunting IcedID, APT37 Rustonotto and FadeStealer 2026-05-13
Remote Process Instantiation via WMI and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1047 TTP Active Directory Lateral Movement 2026-05-13
Windows WMI Reconnaissance Class Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 Anomaly BlankGrabber Stealer 2026-05-13
MS Scripting Process Loading Ldap Module Windows icon Sysmon EventID 7 T1059.007 Anomaly FIN7 2026-05-13
Windows PowGoop Beacon Decoding CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1001 T1059.001 TTP Compromised Windows Host 2026-05-13
Detect Excessive Account Lockouts From Endpoint T1078.002 Anomaly Active Directory Password Spraying 2026-05-13
Linux GDB Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Audit Policy Security Descriptor Tampering via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Suspicious IcedID Rundll32 Cmdline Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.011 TTP IcedID, Living Off The Land 2026-05-13
Windows Parent PID Spoofing with Explorer Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1134.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Windows PowerShell MSIX Package Installation Windows icon Powershell Script Block Logging 4104 T1059.001 T1547.001 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
Linux Hardware Addition SwapOff Linux icon Sysmon for Linux EventID 1 T1200 Anomaly AwfulShred, Data Destruction, Scattered Lapsus$ Hunters 2026-05-13
Windows Debugger Tool Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1036 Hunting DarkGate Malware, PlugX 2026-05-13
First Time Seen Child Process of Zoom Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1068 Anomaly Suspicious Zoom Child Processes 2026-05-13
Scheduled Task Deleted Or Created via CMD Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.005 Anomaly Quasar RAT, SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Living Off The Land, Lokibot, Prestige Ransomware, NOBELIUM Group, Remcos, CISA AA22-257A, Phemedrone Stealer, NjRAT, AsyncRAT, Rhysida Ransomware, RedLine Stealer, XWorm, DarkCrystal RAT, Windows Persistence Techniques, NetSupport RMM Tool Abuse, Winter Vivern, ShrinkLocker, AgentTesla, CISA AA24-241A, Trickbot, Medusa Ransomware, DHS Report TA18-074A, Azorult, Scattered Spider, Salt Typhoon, MoonPeak, CISA AA23-347A, Amadey, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT 2026-05-13
Windows AppLocker Block Events T1218 Anomaly Windows AppLocker 2026-05-13
Windows Raccine Scheduled Task Deletion Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP Ransomware, Compromised Windows Host 2026-05-13
Windows App Layer Protocol Qakbot NamedPipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 Anomaly Qakbot 2026-05-13
Windows File Collection Via Copy Utilities Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1119 Anomaly LAMEHUG 2026-05-13
Registry Keys for Creating SHIM Databases Windows icon Sysmon EventID 13 T1546.011 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Unusual Number of Remote Endpoint Authentication Events Windows icon Windows Event Log Security 4624 T1078 Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Prevent Automatic Repair Mode using Bcdedit Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Chaos Ransomware, Ransomware, Void Manticore 2026-05-13
Windows Unsigned DLL Side-Loading Windows icon Sysmon EventID 7 T1574.001 Anomaly Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Earth Alux, Derusbi, China-Nexus Threat Activity, Warzone RAT, NjRAT 2026-05-13
Windows SQL Spawning CertUtil Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1105 TTP Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows Short Lived DNS Record Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Windows Disable Windows Group Policy Features Through Registry Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Server Software Component GACUtil Install to GAC Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1505.004 TTP IIS Components 2026-05-13
Script Execution via WMI Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 TTP Suspicious WMI Use, Scattered Spider 2026-05-13
Windows Suspect Process With Authentication Traffic Windows icon Sysmon EventID 3 T1087.002 T1204.002 Anomaly Active Directory Discovery 2026-05-13
Disable Defender MpEngine Registry Windows icon Sysmon EventID 13 T1685 TTP IcedID, Windows Registry Abuse 2026-05-13
DLLHost with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP Cobalt Strike, BlackByte Ransomware, Storm-2460 CLFS Zero Day Exploitation, Earth Alux, Cactus Ransomware, Graceful Wipe Out Attack 2026-05-13
Linux Auditd Add User Account Type Linux icon Linux Auditd Add User T1136.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows WMI Impersonate Token Windows icon Sysmon EventID 10 T1047 Anomaly Water Gamayun, Qakbot 2026-05-13
Windows Set Account Password Policy To Unlimited Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1489 Anomaly Crypto Stealer, Ransomware, XMRig, BlackByte Ransomware 2026-05-13
Randomly Generated Windows Service Name Windows icon Windows Event Log System 7045 T1543.003 Hunting BlackSuit Ransomware, Active Directory Lateral Movement 2026-05-13
Disabling NoRun Windows App Windows icon Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Default Group Policy Object Modified Windows icon Windows Event Log Security 5136 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
WinEvent Windows Task Scheduler Event Action Started Windows icon Windows Event Log TaskScheduler 201, Windows icon Windows Event Log TaskScheduler 200 T1053.005 Hunting SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, DarkCrystal RAT, Windows Persistence Techniques, Winter Vivern, BlackSuit Ransomware, CISA AA24-241A, Malicious Inno Setup Loader, IcedID, Amadey, Industroyer2, PlugX, ValleyRAT 2026-05-13
Malicious PowerShell Process With Obfuscation Techniques Windows icon Sysmon EventID 1 T1059.001 TTP Malicious PowerShell, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Hellcat Ransomware 2026-05-13
Windows Masquerading Explorer As Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1574.001 TTP Water Gamayun, Compromised Windows Host, Qakbot 2026-05-13
Linux High Frequency Of File Deletion In Boot Folder Linux icon Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, Data Destruction, Industroyer2 2026-05-13
Windows System Discovery Using Qwinsta Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting Qakbot 2026-05-13
UAC Bypass With Colorui COM Object Windows icon Sysmon EventID 7 T1218.003 TTP Ransomware, LockBit Ransomware 2026-05-13
Linux Sqlite3 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Wmic NonInteractive App Uninstallation Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Hunting IcedID, Azorult 2026-05-13
MSI Module Loaded by Non-System Binary Windows icon Sysmon EventID 7 T1574.001 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Linux Ingress Tool Transfer with Curl Linux icon Sysmon for Linux EventID 1 T1105 Anomaly XorDDos, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise 2026-05-13
Windows WinDBG Spawning AutoIt3 Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059 TTP DarkGate Malware, Compromised Windows Host 2026-05-13
GPUpdate with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Get ADUser with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.002 Hunting Active Directory Discovery, CISA AA23-347A 2026-05-13
Detect Regasm with no Command Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.009 TTP Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
Windows Modify Registry Disabling WER Settings Windows icon Sysmon EventID 13 T1112 TTP Azorult, CISA AA23-347A 2026-05-13
Windows Protocol Tunneling with Plink Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Spoolsv Suspicious Loaded Modules Windows icon Sysmon EventID 7 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Snake Malware Service Create Windows icon Windows Event Log System 7045 T1547.006 T1569.002 TTP Snake Malware, Compromised Windows Host 2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery Windows icon Sysmon EventID 22 T1071.004 TTP Lokibot 2026-05-13
Windows MOVEit Transfer Writing ASPX Windows icon Sysmon EventID 11 T1133 T1190 TTP MOVEit Transfer Critical Vulnerability, Hellcat Ransomware 2026-05-13
Network Discovery Using Route Windows App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1016.001 Hunting CISA AA22-277A, Qakbot, Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery 2026-05-13
Cisco Isovalent - Pods Running Offensive Tools Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
PowerShell Start or Stop Service Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement, Scattered Lapsus$ Hunters 2026-05-13
Windows PowerShell Process With Malicious String Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 TTP Malicious PowerShell 2026-05-13
Windows Snake Malware Kernel Driver Comadmin Windows icon Sysmon EventID 11 T1547.006 TTP Snake Malware 2026-05-13
Windows Modify Registry wuStatusServer Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Detect SharpHound Command-Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Ransomware, BlackSuit Ransomware, Windows Discovery Techniques 2026-05-13
Windows Multiple Users Remotely Failed To Authenticate From Host Windows icon Windows Event Log Security 4625 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows High File Deletion Frequency Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1485 Anomaly WhisperGate, Black Basta Ransomware, Data Destruction, Interlock Ransomware, Handala Wiper, Void Manticore, Medusa Ransomware, Clop Ransomware, Sandworm Tools, Swift Slicer, APT37 Rustonotto and FadeStealer, DarkCrystal RAT, DynoWiper, ZOVWiper, NailaoLocker Ransomware 2026-05-13
Allow Operation with Consent Admin Windows icon Sysmon EventID 13 T1548 TTP Azorult, Ransomware, MoonPeak, Windows Registry Abuse 2026-05-13
Windows PowerShell Script From WindowsApps Directory Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 T1204.002 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
Windows Netspy Network Scanner Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 T1595 Anomaly Windows Discovery Techniques, Network Discovery 2026-05-13
Windows Theme File Creation in Unusual Location Windows icon Sysmon EventID 11 T1021.002 T1187 T1557.001 Anomaly Spearphishing Attachments 2026-05-13
Windows Steal Authentication Certificates CertUtil Backup Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1649 Anomaly Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services 2026-05-13
Common Ransomware Extensions Windows icon Sysmon EventID 11 T1485 TTP Black Basta Ransomware, SamSam Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Ransomware, Rhysida Ransomware, Termite Ransomware, Prestige Ransomware, Ryuk Ransomware, NailaoLocker Ransomware 2026-05-13
Shai-Hulud 2 Exfiltration Artifact Files Linux icon Sysmon for Linux EventID 11, Windows icon Sysmon EventID 11 T1074.001 T1195.002 T1552.001 TTP NPM Supply Chain Compromise 2026-05-13
Windows AppLocker Rare Application Launch Detection T1218 Hunting Windows AppLocker 2026-05-13
Windows PUA Named Pipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Seashell Blizzard, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, BlackByte Ransomware 2026-05-13
Windows Mock Trusted Directory MSC File Creation Windows icon Sysmon EventID 11 T1218.014 T1548.002 T1574 TTP Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Windows Password Managers Discovery Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1555.005 Anomaly Prestige Ransomware, Scattered Spider, Scattered Lapsus$ Hunters, Windows Post-Exploitation 2026-05-13
Windows Chromium Process Loaded Extension via Command-Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1185 Anomaly Browser Hijacking 2026-05-13
Powershell Remote Services Add TrustedHost Windows icon Powershell Script Block Logging 4104 T1021.006 TTP DarkGate Malware 2026-05-13
Remcos RAT File Creation in Remcos Folder Windows icon Sysmon EventID 11 T1113 TTP Remcos 2026-05-13
Windows Unusual Count Of Users Failed To Auth Using Kerberos Windows icon Windows Event Log Security 4771 T1110.003 Anomaly Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Forest Discovery with GetForestDomain Windows icon Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows MMC Loaded Script Engine DLL Windows icon Sysmon EventID 7 T1620 Anomaly XML Runner Loader 2026-05-13
Microsoft Defender ATP Alerts MS Defender ATP Alerts N/A TTP Critical Alerts 2026-05-13
Windows IIS Components Module Failed to Load Windows icon Windows Event Log Application 2282 T1505.004 Anomaly IIS Components 2026-05-13
Clear Unallocated Sector Using Cipher App Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070.004 TTP Ransomware, Scattered Spider, Compromised Windows Host 2026-05-13
Shai-Hulud Workflow File Creation or Modification Linux icon Sysmon for Linux EventID 11, Windows icon Sysmon EventID 11 T1195 T1554 T1574.006 TTP NPM Supply Chain Compromise 2026-05-13
Windows Impair Defense Change Win Defender Tracing Level Windows icon Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Mimikatz Crypto Export File Extensions Windows icon Sysmon EventID 11 T1649 Anomaly Sandworm Tools, Windows Certificate Services, CISA AA23-347A 2026-05-13
Samsam Test File Write Windows icon Sysmon EventID 11 T1486 TTP SamSam Ransomware 2026-05-13
Windows Modify Registry Disable Win Defender Raw Write Notif Windows icon Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Windows Steal Authentication Certificates Certificate Request Windows icon Windows Event Log Security 4886 T1649 Anomaly Windows Certificate Services 2026-05-13
Linux Possible Access To Credential Files Linux icon Sysmon for Linux EventID 1 T1003.008 Anomaly Linux Privilege Escalation, Salt Typhoon, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Linux Auditd Stop Services Linux icon Linux Auditd Service Stop T1489 Hunting AwfulShred, Data Destruction, Compromised Linux Host, Industroyer2 2026-05-13
Windows System Remote Discovery With Query Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1033 Hunting Active Directory Discovery, Medusa Ransomware 2026-05-13
Creation of Shadow Copy with wmic and powershell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.003 TTP Credential Dumping, Volt Typhoon, Compromised Windows Host, Living Off The Land 2026-05-13
Windows Known GraphicalProton Loaded Modules Windows icon Sysmon EventID 7 T1574.001 Anomaly Water Gamayun, Hellcat Ransomware, CISA AA23-347A 2026-05-13
Headless Browser Mockbin or Mocky Request Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1564.003 TTP GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard 2026-05-13
Linux At Application Execution Linux icon Sysmon for Linux EventID 1 T1053.002 Anomaly Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
SLUI RunAs Elevated Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1548.002 TTP DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Hellcat Ransomware, Living Off The Land 2026-05-13
Windows MSTSC RDP Commandline Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Medusa Ransomware 2026-05-13
Windows SQL Server Critical Procedures Enabled Windows icon Windows Event Log Application 15457 T1505.001 TTP SQL Server Abuse 2026-05-13
Windows Common Abused Cmd Shell Risk Behavior T1016 T1033 T1049 T1059 T1222 T1529 Correlation FIN7, CISA AA23-347A, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Azorult, DarkCrystal RAT, Volt Typhoon, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Windows Defense Evasion Tactics 2026-05-13
Windows PowerView Unconstrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Suspicious MSBuild Spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1127.001 TTP Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Living Off The Land 2026-05-13
Windows Modify Registry DontShowUI Windows icon Sysmon EventID 13 T1112 TTP DarkGate Malware 2026-05-13
Windows Vulnerable Driver Installed Windows icon Windows Event Log System 7045 T1543.003 TTP Void Manticore, Windows Drivers 2026-05-13
Windows File Association Modification via Ftype Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.003 Anomaly Windows File Extension and Association Abuse 2026-05-13
Scheduled Task Creation on Remote Endpoint using At Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1053.002 TTP 0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows Bypass UAC via Pkgmgr Tool Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1548.002 Anomaly Warzone RAT 2026-05-13
GetWmiObject Ds Computer with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1018 Anomaly Active Directory Discovery 2026-05-13
Esentutl SAM Copy Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.002 Hunting Credential Dumping, Living Off The Land 2026-05-13
Windows ISO LNK File Creation Windows icon Sysmon EventID 11 T1204.001 T1566.001 Hunting AgentTesla, IcedID, Amadey, Gozi Malware, Qakbot, Azorult, Remcos, Spearphishing Attachments, Brute Ratel C4, Warzone RAT, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Remote Service Rdpwinst Tool Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.001 TTP Azorult, Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Remote Process Instantiation via WMI Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 TTP Salt Typhoon, Void Manticore, CISA AA23-347A, Ransomware, China-Nexus Threat Activity, Suspicious WMI Use, Active Directory Lateral Movement 2026-05-13
Windows Account Access Removal via Logoff Exec Windows icon Sysmon EventID 1 T1059.001 T1531 Anomaly Crypto Stealer 2026-05-13
Windows Archived Collected Data In TEMP Folder Windows icon Sysmon EventID 11 T1560 Anomaly Braodo Stealer, APT37 Rustonotto and FadeStealer 2026-05-13
Windows InstallUtil Remote Network Connection Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data, Windows icon Sysmon EventID 3 T1218.004 Anomaly Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land, Cisco Network Visibility Module Analytics 2026-05-13
Windows Audit Policy Auditing Option Modified - Registry Windows icon Sysmon EventID 13 T1547.014 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Multiple Users Failed To Authenticate Using Kerberos Windows icon Windows Event Log Security 4771 T1110.003 TTP Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows PowerShell Module File Created Windows icon Sysmon EventID 11 T1059.001 T1129 T1574 Anomaly Malicious PowerShell, Windows Persistence Techniques 2026-05-13
Linux Kworker Process In Writable Process Path Linux icon Sysmon for Linux EventID 1 T1036.004 Hunting Sandworm Tools, Cyclops Blink 2026-05-13
Dump LSASS via comsvcs DLL Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.001 TTP Data Destruction, Hellcat Ransomware, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Flax Typhoon, CISA AA22-264A, Volt Typhoon, Compromised Windows Host, Credential Dumping, Industroyer2, Scattered Lapsus$ Hunters, Suspicious Rundll32 Activity, CISA AA22-257A 2026-05-13
ETW Registry Disabled Windows icon Sysmon EventID 13 T1127 T1685 TTP Data Destruction, CISA AA23-347A, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Windows Process Accessing Windows Recall Directory Windows icon Windows Event Log Security 4663 T1059 T1119 Anomaly Windows Post-Exploitation 2026-05-13
File with Samsam Extension Windows icon Sysmon EventID 11 N/A TTP SamSam Ransomware, Hellcat Ransomware 2026-05-13
Windows Outlook Macro Created by Suspicious Process Windows icon Sysmon EventID 11 T1059.005 T1137 TTP NotDoor Malware 2026-05-13
Detect Excessive User Account Lockouts T1078.003 Anomaly Active Directory Password Spraying, Scattered Lapsus$ Hunters 2026-05-13
Windows Modify Registry NoChangingWallPaper Windows icon Sysmon EventID 13 T1112 TTP Rhysida Ransomware 2026-05-13
SilentCleanup UAC Bypass Windows icon Sysmon EventID 13 T1548.002 TTP Windows Registry Abuse, MoonPeak, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual File Creation in Confluence Directory Windows icon Sysmon EventID 11 T1190 T1608.001 T1608.002 Anomaly Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Windows Computer Account Changed to Domain Controller Windows icon Windows Event Log Security 4742 T1136.002 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Modify Registry Delete Firewall Rules Windows icon Sysmon EventID 12 T1112 TTP ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A 2026-05-13
Linux Curl Upload File Cisco Isovalent Process Exec, Linux icon Sysmon for Linux EventID 1 T1105 TTP Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise 2026-05-13
Change To Safe Mode With Network Config Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1490 TTP Black Basta Ransomware, BlackMatter Ransomware 2026-05-13
Windows Unusual NTLM Authentication Users By Source Windows icon NTLM Operational 8006, Windows icon NTLM Operational 8005, Windows icon NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Detect MSHTA Url in Command Line Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Network icon Cisco Network Visibility Module Flow Data T1218.005 TTP Suspicious MSHTA Activity, Cisco Network Visibility Module Analytics, Living Off The Land, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Lumma Stealer, APT37 Rustonotto and FadeStealer 2026-05-13
Executable File Written in Administrative SMB Share Windows icon Windows Event Log Security 5145 T1021.002 TTP Data Destruction, BlackSuit Ransomware, Trickbot, IcedID, Hermetic Wiper, Prestige Ransomware, Graceful Wipe Out Attack, VanHelsing Ransomware, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Linux Auditd Nopasswd Entry In Sudoers File Linux icon Linux Auditd Proctitle T1548.003 Anomaly Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Product Key Registry Query Windows icon Windows Event Log Security 4663 T1012 Anomaly BlankGrabber Stealer 2026-05-13
Linux Setuid Using Setcap Utility Linux icon Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
High Process Termination Frequency Windows icon Sysmon EventID 5 T1486 Anomaly Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Rhysida Ransomware, Termite Ransomware, NailaoLocker Ransomware, Snake Keylogger, Crypto Stealer, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows DiskCryptor Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1486 Hunting Ransomware 2026-05-13
GetWmiObject DS User with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.002 Anomaly Active Directory Discovery 2026-05-13
Windows Service Create with Tscon Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1543.003 T1563.002 TTP Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
GetDomainGroup with PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.002 TTP Active Directory Discovery 2026-05-13
Detect Certipy File Modifications Windows icon Sysmon EventID 11 T1560 T1649 TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2026-05-13
Suspicious Image Creation In Appdata Folder Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1113 TTP Remcos, APT37 Rustonotto and FadeStealer 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Registry Keys Used For Privilege Escalation Windows icon Sysmon EventID 13 T1546.012 TTP Data Destruction, Cloud Federated Credential Abuse, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Suspicious Windows Registry Activities 2026-05-13
Windows Service Creation Using Registry Entry Windows icon Sysmon EventID 13 T1574.011 Anomaly Gh0st RAT, Salt Typhoon, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement, SnappyBee 2026-05-13
Windows ESX Admins Group Creation via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2026-05-13
Windows DISM Remove Defender Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 TTP Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Fsutil Zeroing File Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1070 TTP Ransomware, LockBit Ransomware 2026-05-13
Windows AppLocker Privilege Escalation via Unauthorized Bypass T1218 TTP Windows AppLocker 2026-05-13
MacOS Log Removal Osquery Results T1070 TTP MacOS Post-Exploitation 2026-05-13
GetWmiObject User Account with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1059.001 T1087.001 Hunting Active Directory Discovery, Malicious PowerShell, Winter Vivern 2026-05-13
Windows Impair Defense Add Xml Applocker Rules Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685 Hunting Azorult 2026-05-13
Windows User Discovery Via Net Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery, Sandworm Tools, Medusa Ransomware 2026-05-13
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Windows icon Windows Event Log Security 4648 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Windows Default Rdp File Deletion Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows AD AdminSDHolder ACL Modified Windows icon Windows Event Log Security 5136 T1546 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Microsoft Defender Incident Alerts MS365 Defender Incident Alerts N/A TTP Critical Alerts 2026-05-13
Powershell Creating Thread Mutex Windows icon Powershell Script Block Logging 4104 T1027.005 T1059.001 TTP Water Gamayun, Malicious PowerShell 2026-05-13
Windows Autostart Execution LSASS Driver Registry Modification Windows icon Sysmon EventID 13 T1547.008 TTP Windows Registry Abuse 2026-05-13
Spoolsv Spawning Rundll32 Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Service Stop By Deletion Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1489 Hunting Azorult, Crypto Stealer, Graceful Wipe Out Attack 2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries Windows icon Sysmon EventID 10 T1134.001 Anomaly Castle RAT 2026-05-13
Linux Kernel Module Enumeration Linux icon Sysmon for Linux EventID 1 T1014 T1082 Anomaly XorDDos, Linux Rootkit 2026-05-13
Detect AzureHound Command-Line Arguments Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Compromised Windows Host, Windows Discovery Techniques 2026-05-13
Windows DLL Search Order Hijacking Hunt with Sysmon Windows icon Sysmon EventID 7 T1574.001 Hunting Malicious Inno Setup Loader, Qakbot, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Sqlite Module In Temp Folder Windows icon Sysmon EventID 11 T1005 TTP IcedID, Lokibot 2026-05-13
Windows Rdp AutomaticDestinations Deletion Windows icon Sysmon EventID 26, Windows icon Sysmon EventID 23 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Multiple Users Failed To Authenticate From Host Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows NirSoft Utilities Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1588.002 Hunting WhisperGate, Data Destruction 2026-05-13
Linux Auditd Hidden Files And Directories Creation Linux icon Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows AppLocker Execution from Uncommon Locations T1218 Hunting Windows AppLocker 2026-05-13
Windows Potential Web Shell Creation For VMware Workspace ONE Windows icon Sysmon EventID 11 T1505.003 Anomaly VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation 2026-05-13
Detect SharpHound Usage Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Ransomware, Windows Discovery Techniques 2026-05-13
Linux Auditd Auditd Daemon Start Linux icon Linux Auditd Daemon Start T1685.004 Anomaly Compromised Linux Host 2026-05-13
SchCache Change By App Connect And Create ADSI Object Windows icon Sysmon EventID 11 T1087.002 Anomaly BlackMatter Ransomware 2026-05-13
Windows Explorer LNK Exploit Process Launch With Padding Windows icon Windows Event Log Security 4688, Windows icon Sysmon EventID 1 T1059.001 T1204.002 TTP ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Linux Unix Shell Enable All SysRq Functions Linux icon Sysmon for Linux EventID 1 T1059.004 Anomaly AwfulShred, Data Destruction 2026-05-13
Windows Steal Authentication Certificates Certificate Issued Windows icon Windows Event Log Security 4887 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Service Created with Suspicious Service Path Windows icon Windows Event Log System 7045 T1569.002 TTP Gh0st RAT, Salt Typhoon, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, APT37 Rustonotto and FadeStealer, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement 2026-05-13
Cisco NVM - Rclone Execution With Network Activity Network icon Cisco Network Visibility Module Flow Data T1567.002 Anomaly Cisco Network Visibility Module Analytics, Scattered Lapsus$ Hunters 2026-05-13
Unknown Process Using The Kerberos Protocol Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1550 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2026-05-13
Windows Defender ASR Rules Stacking Windows icon Windows Event Log Defender 1134, Windows icon Windows Event Log Defender 1126, Windows icon Windows Event Log Defender 1122, Windows icon Windows Event Log Defender 1133, Windows icon Windows Event Log Defender 1131, Windows icon Windows Event Log Defender 1129, Windows icon Windows Event Log Defender 5007, Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1125 T1059 T1566.001 T1566.002 Hunting Windows Attack Surface Reduction 2026-05-13
Wmiprvse LOLBAS Execution Process Spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1047 TTP Active Directory Lateral Movement 2026-05-13
Credential Dumping via Symlink to Shadow Copy Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1003.003 TTP Credential Dumping, Compromised Windows Host 2026-05-13
Windows Modify System Firewall with Notable Process Path Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1686 TTP Compromised Windows Host, Medusa Ransomware, NjRAT 2026-05-13
Crowdstrike Medium Identity Risk Severity T1110 TTP Compromised Windows Host 2026-05-13
Windows WinPEAS PowerShell Script Execution Windows icon Powershell Script Block Logging 4104 T1007 T1016 T1033 T1082 T1590 T1592.002 T1592.004 T1615 TTP Windows Post-Exploitation 2026-05-13
Windows Remote Access Software BRC4 Loaded Dll Windows icon Sysmon EventID 7 T1003 T1219 Anomaly Brute Ratel C4 2026-05-13
Local Account Discovery With Wmic Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery, Scattered Lapsus$ Hunters 2026-05-13
Windows WMIC Shadowcopy Delete Windows icon Sysmon EventID 1 T1490 Anomaly Suspicious WMI Use, Volt Typhoon, Cactus Ransomware 2026-05-13
Windows ScManager Security Descriptor Tampering Via Sc.EXE Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1569.002 TTP Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Impair Defenses Disable AV AutoStart via Registry Windows icon Sysmon EventID 13 T1112 TTP Scattered Lapsus$ Hunters, ValleyRAT 2026-05-13
Ryuk Test Files Detected Windows icon Sysmon EventID 11 T1486 TTP Ryuk Ransomware 2026-05-13
Windows Set Network Profile Category to Private via Registry Windows icon Sysmon EventID 13 T1112 Anomaly Secret Blizzard 2026-05-13
Local LLM Framework DNS Query Windows icon Sysmon EventID 22 T1590 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Driver Load Non-Standard Path Windows icon Windows Event Log System 7045 T1014 T1068 TTP BlackSuit Ransomware, AgentTesla, CISA AA22-320A, Windows Drivers, BlackByte Ransomware 2026-05-13
Cisco NVM - Webserver Download From File Sharing Website Network icon Cisco Network Visibility Module Flow Data T1105 T1190 TTP Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Linux c99 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux SSH Authorized Keys Modification Linux icon Sysmon for Linux EventID 1 T1098.004 Anomaly Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
PetitPotam Network Share Access Request Windows icon Windows Event Log Security 5145 T1187 TTP PetitPotam NTLM Relay on Active Directory Certificate Services 2026-05-13
Windows Modify Registry LongPathsEnabled Windows icon Sysmon EventID 13 T1112 Anomaly BlackByte Ransomware 2026-05-13
Cisco Isovalent - Potential Escape to Host Cisco Isovalent Process Exec T1611 Anomaly Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Verclsid CLSID Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.012 Hunting Unusual Processes 2026-05-13
Disable AMSI Through Registry Windows icon Sysmon EventID 13 T1685 TTP Ransomware, CISA AA23-347A, Windows Registry Abuse 2026-05-13
Linux Medusa Rootkit Linux icon Sysmon for Linux EventID 11 T1014 T1589.001 TTP China-Nexus Threat Activity, Medusa Rootkit, Hellcat Ransomware, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows CrowdStrike Agent Registry Key Removal Windows icon Sysmon EventID 12 T1685 Anomaly Security Solution Tampering, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry ValleyRAT C2 Config Windows icon Sysmon EventID 13 T1112 TTP ValleyRAT 2026-05-13
Windows SOAPHound Binary Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Compromised Windows Host, Windows Discovery Techniques 2026-05-13
Windows Credential Target Information Structure in Commandline Windows icon Sysmon EventID 1 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Linux Stop Services Linux icon Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2026-05-13
Wsmprovhost LOLBAS Execution Process Spawn Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.006 TTP CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Linux Possible Ssh Key File Creation Linux icon Sysmon for Linux EventID 11 T1098.004 Anomaly Linux Privilege Escalation, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Audit Policy Disabled via Auditpol Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Suspicious SQLite3 LSQuarantine Behavior Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1074 TTP Silver Sparrow 2026-05-13
Nishang PowershellTCPOneLine Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 TTP HAFNIUM Group, Cleo File Transfer Software 2026-05-13
Windows Multiple Users Failed To Authenticate From Process Windows icon Windows Event Log Security 4625 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Windows RDP File Execution Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1021.001 T1598.002 TTP Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion, Interlock Ransomware 2026-05-13
Windows DisableAntiSpyware Registry Windows icon Sysmon EventID 13 T1685 TTP SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Windows Registry Abuse, RedLine Stealer, CISA AA22-264A, Azorult, Ryuk Ransomware, Windows Defense Evasion Tactics 2026-05-13
Linux MySQL Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows PowerShell Script TabExpansion Direct Call Windows icon Powershell Script Block Logging 4104 T1059.001 T1129 Anomaly Malicious PowerShell 2026-05-13
PaperCut NG Remote Web Access Attempt Suricata T1133 T1190 TTP PaperCut MF NG Vulnerability 2026-05-13
Hunting for Log4Shell Nginx Access T1133 T1190 Hunting Log4Shell CVE-2021-44228, CISA AA22-320A 2026-05-13
Windows IIS Server PSWA Console Access Windows icon Windows IIS T1190 Hunting CISA AA24-241A 2026-05-13
Zscaler Exploit Threat Blocked T1566 TTP Zscaler Browser Proxy Threats 2026-05-13
Zscaler Malware Activity Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Web Remote ShellServlet Access Nginx Access T1190 TTP GhostRedirector IIS Module and Rungan Backdoor, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Web Spring4Shell HTTP Request Class Module Splunk icon Splunk Stream HTTP T1133 T1190 TTP Spring4Shell CVE-2022-22965 2026-05-13
Zscaler Behavior Analysis Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
SAP NetWeaver Visual Composer Exploitation Attempt Suricata T1190 Hunting SAP NetWeaver Exploitation 2026-05-13
Unusually Long Content-Type Length N/A Anomaly Apache Struts Vulnerability 2026-05-13
Log4Shell JNDI Payload Injection with Outbound Connection T1133 T1190 Anomaly Log4Shell CVE-2021-44228, CISA AA22-320A 2026-05-13
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2026-05-13
Zscaler Phishing Activity Threat Blocked T1566 Anomaly Hellcat Ransomware, Zscaler Browser Proxy Threats 2026-05-13
Tomcat Session Deserialization Attempt Nginx Access T1190 T1505.003 Anomaly Apache Tomcat Session Deserialization Attacks 2026-05-13
Zscaler Scam Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Cisco IOS XE Implant Access Suricata T1190 TTP Cisco IOS XE Software Web Management User Interface vulnerability 2026-05-13
Zscaler Virus Download threat blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Zscaler Potentially Abused File Download T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Adobe ColdFusion Access Control Bypass Suricata T1190 Anomaly Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2026-05-13
Juniper Networks Remote Code Execution Exploit Detection Suricata T1059 T1105 T1190 TTP Juniper JunOS Remote Code Execution 2026-05-13
Adobe ColdFusion Unauthenticated Arbitrary File Read Suricata T1190 Anomaly Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2026-05-13
Zscaler Employment Search Web Activity T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
HTTP Duplicated Header Suricata T1071.001 T1190 Anomaly HTTP Request Smuggling 2026-05-13
Ivanti EPM SQL Injection Remote Code Execution Suricata T1190 TTP Ivanti EPM Vulnerabilities, Hellcat Ransomware, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Spring4Shell Payload URL Request Nginx Access T1133 T1190 T1505.003 TTP Spring4Shell CVE-2022-22965 2026-05-13
Ivanti Connect Secure Command Injection Attempts Suricata T1190 TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata T1190 TTP Confluence Data Center and Confluence Server Vulnerabilities 2026-05-13
Detect Web Access to Decommissioned S3 Bucket AWS icon AWS Cloudfront T1485 Anomaly Data Destruction, AWS S3 Bucket Security Monitoring 2026-05-13
Ivanti Connect Secure SSRF in SAML Component Suricata T1190 TTP Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Supernova Webshell T1133 T1505.003 TTP Earth Alux, NOBELIUM Group, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Exchange Autodiscover SSRF Abuse Windows icon Windows IIS T1133 T1190 TTP Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware 2026-05-13
JetBrains TeamCity RCE Attempt Suricata T1190 TTP JetBrains TeamCity Unauthenticated RCE, CISA AA23-347A, JetBrains TeamCity Vulnerabilities 2026-05-13
ProxyShell ProxyNotShell Behavior Detected T1133 T1190 Correlation Seashell Blizzard, ProxyNotShell, ProxyShell 2026-05-13
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2026-05-13
Log4Shell JNDI Payload Injection Attempt Nginx Access T1133 T1190 Anomaly Log4Shell CVE-2021-44228, CISA AA22-257A, CISA AA22-320A 2026-05-13
Detect attackers scanning for vulnerable JBoss servers T1082 T1133 TTP JBoss Vulnerability, SamSam Ransomware 2026-05-13
High Volume of Bytes Out to Url Nginx Access T1567 Anomaly Data Exfiltration, Hellcat Ransomware 2026-05-13
Windows SharePoint Spinstall0 GET Request Suricata T1190 T1505.003 T1552 TTP Microsoft SharePoint Vulnerabilities 2026-05-13
WS FTP Remote Code Execution Suricata T1190 TTP WS FTP Server Critical Vulnerabilities 2026-05-13
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Suricata T1190 TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Zscaler Privacy Risk Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
VMWare Aria Operations Exploit Attempt Network icon Palo Alto Network Threat T1068 T1133 T1190 T1210 TTP VMware Aria Operations vRealize CVE-2023-20887 2026-05-13
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access T1190 TTP ConnectWise ScreenConnect Vulnerabilities, Hellcat Ransomware, Scattered Lapsus$ Hunters, Seashell Blizzard 2026-05-13
Tomcat Session File Upload Attempt Nginx Access T1190 T1505.003 Anomaly Apache Tomcat Session Deserialization Attacks 2026-05-13
Microsoft SharePoint Server Elevation of Privilege Suricata T1068 Anomaly Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 2026-05-13
Detect F5 TMUI RCE CVE-2020-5902 T1190 TTP F5 TMUI RCE CVE-2020-5902 2026-05-13
Fortinet Appliance Auth bypass Network icon Palo Alto Network Threat T1133 T1190 TTP CVE-2022-40684 Fortinet Appliance Auth bypass 2026-05-13
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure Suricata T1190 Anomaly Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
SQL Injection with Long URLs T1190 TTP SQL Injection, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Detect Remote Access Software Usage URL Network icon Palo Alto Network Threat T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Insider Threat 2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata T1133 T1190 TTP Ivanti EPMM Remote Unauthenticated Access 2026-05-13
Web Spring Cloud Function FunctionRouter Splunk icon Splunk Stream HTTP T1133 T1190 TTP Spring4Shell CVE-2022-22965 2026-05-13
Zscaler CryptoMiner Downloaded Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
Windows SharePoint ToolPane Endpoint Exploitation Attempt Suricata T1190 T1505.003 TTP Microsoft SharePoint Vulnerabilities 2026-05-13
F5 TMUI Authentication Bypass Suricata N/A TTP F5 Authentication Bypass with TMUI 2026-05-13
HTTP Request to Reserved Name on IIS Server Suricata T1071.001 T1190 TTP HTTP Request Smuggling 2026-05-13
Confluence CVE-2023-22515 Trigger Vulnerability Suricata T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access T1190 TTP Jenkins Server Vulnerabilities, Hellcat Ransomware 2026-05-13
Citrix ADC Exploitation CVE-2023-3519 Network icon Palo Alto Network Threat T1190 Hunting CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 2026-05-13
Confluence Data Center and Server Privilege Escalation Nginx Access T1190 TTP Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 Network icon Palo Alto Network Threat T1133 T1190 TTP Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware 2026-05-13
Monitor Web Traffic For Brand Abuse N/A TTP Brand Monitoring 2026-05-13
Ivanti Connect Secure System Information Access via Auth Bypass Suricata T1190 Anomaly CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2026-05-13
Citrix ShareFile Exploitation CVE-2023-24489 Suricata T1190 Hunting Citrix ShareFile RCE CVE-2023-24489 2026-05-13
Java Class File download by Java User Agent Splunk icon Splunk Stream HTTP T1190 TTP Log4Shell CVE-2021-44228 2026-05-13
Exploit Public Facing Application via Apache Commons Text Nginx Access T1133 T1190 T1505.003 Anomaly Text4Shell CVE-2022-42889 2026-05-13
Citrix ADC and Gateway Unauthorized Data Disclosure Suricata T1190 TTP Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters 2026-05-13
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 Network icon Palo Alto Network Threat T1133 T1190 T1505 TTP Confluence Data Center and Confluence Server Vulnerabilities, Atlassian Confluence Server and Data Center CVE-2022-26134 2026-05-13
CrushFTP Authentication Bypass Exploitation CrushFTP T1059.001 T1059.003 T1190 TTP CrushFTP Vulnerabilities, Hellcat Ransomware 2026-05-13
Plain HTTP POST Exfiltrated Data Splunk icon Splunk Stream HTTP T1048.003 TTP Data Exfiltration, Command And Control, APT37 Rustonotto and FadeStealer 2026-05-13
Detect malicious requests to exploit JBoss servers N/A TTP JBoss Vulnerability, SamSam Ransomware 2026-05-13
Zscaler Adware Activities Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
HTTP Rapid POST with Mixed Status Codes Nginx Access T1071.001 T1190 T1595 Anomaly HTTP Request Smuggling 2026-05-13
CrushFTP Max Simultaneous Users From IP CrushFTP T1110.001 T1110.004 Anomaly CrushFTP Vulnerabilities 2026-05-13
Web JSP Request via URL Nginx Access T1133 T1190 T1505.003 TTP Earth Alux, Spring4Shell CVE-2022-22965 2026-05-13
ConnectWise ScreenConnect Authentication Bypass Suricata T1190 TTP ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard 2026-05-13
WordPress Bricks Builder plugin RCE Nginx Access T1190 TTP Hellcat Ransomware, WordPress Vulnerabilities 2026-05-13
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata T1190 TTP Hellcat Ransomware, JetBrains TeamCity Vulnerabilities 2026-05-13
VMware Workspace ONE Freemarker Server-side Template Injection Network icon Palo Alto Network Threat T1133 T1190 Anomaly VMware Server Side Injection and Privilege Escalation 2026-05-13
Zscaler Legal Liability Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2026-05-13
HTTP Possible Request Smuggling Suricata T1071.001 TTP HTTP Request Smuggling 2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata T1133 T1190 TTP Ivanti EPMM Remote Unauthenticated Access 2026-05-13
VMware Server Side Template Injection Hunt Network icon Palo Alto Network Threat T1133 T1190 Hunting VMware Server Side Injection and Privilege Escalation 2026-05-13
Multiple Archive Files Http Post Traffic Splunk icon Splunk Stream HTTP T1048.003 TTP Data Exfiltration, Command And Control, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
ESXi Syslog Config Change VMWare ESXi Syslog T1690 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - Device File Copy to Remote Location Cisco ASA Logs T1005 T1041 T1048.003 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi Shared or Stolen Root Account VMWare ESXi Syslog T1078 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Bulk VM Termination VMWare ESXi Syslog T1499 T1529 T1673 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Lockdown Mode Disabled VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Loghost Config Tampering VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Multiple Accounts Locked Out Okta T1110 Anomaly Okta Account Takeover 2026-05-13
Cisco ASA - Logging Disabled via CLI Cisco ASA Logs T1685 TTP Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi Encryption Settings Modified VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
ESXi Firewall Disabled VMWare ESXi Syslog T1686 TTP Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity 2026-05-13
Cisco ASA - New Local User Account Created Cisco ASA Logs T1078.003 T1136.001 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID New MFA Method Registered For User PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Okta Multi-Factor Authentication Disabled Okta T1556.006 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Okta Multiple Users Failing To Authenticate From Ip Okta T1110.003 Anomaly Okta Account Takeover 2026-05-13
Cisco Duo Policy Allow Old Java Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Admin Login Unusual Os Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco ASA - User Privilege Level Change Cisco ASA Logs T1078.003 T1098 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi SSH Brute Force VMWare ESXi Syslog T1110 Anomaly Black Basta Ransomware, ESXi Post Compromise, Hellcat Ransomware 2026-05-13
ESXi Sensitive Files Accessed VMWare ESXi Syslog T1003.008 T1005 TTP Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity 2026-05-13
Okta Suspicious Use of a Session Cookie Okta T1539 Anomaly Suspicious Okta Activity, Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
M365 Copilot Application Usage Pattern Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Zoom Rare Input Devices T1123 Hunting Remote Employment Fraud 2026-05-13
ESXi Shell Access Enabled VMWare ESXi Syslog T1021 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Detect Password Spray Attempts Windows icon Windows Event Log Security 4625 T1110.003 TTP Compromised User Account, Active Directory Password Spraying 2026-05-13
Splunk AppDynamics Secure Application Alerts Splunk icon Splunk AppDynamics Secure Application Alert N/A Anomaly Critical Alerts 2026-05-13
Cisco Duo Policy Allow Devices Without Screen Lock Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi SSH Enabled VMWare ESXi Syslog T1021.004 TTP Black Basta Ransomware, ESXi Post Compromise, Hellcat Ransomware 2026-05-13
M365 Copilot Failed Authentication Patterns M365 Copilot Graph API T1110 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta New API Token Created Okta T1078.001 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
M365 Copilot Non Compliant Devices Accessing M365 Copilot M365 Copilot Graph API T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Cisco Duo Policy Allow Old Flash Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Admin Login Unusual Country Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco AI Defense Security Alerts by Application Name Cisco AI Defense Alerts N/A Anomaly Critical Alerts 2026-05-13
MCP Sensitive System File Search MCP Server T1552.001 Hunting Suspicious MCP Activities 2026-05-13
M365 Copilot Jailbreak Attempts M365 Exported eDiscovery Prompts T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Ivanti VTM New Account Creation Ivanti VTM Audit T1190 TTP Ivanti Virtual Traffic Manager CVE-2024-7593, Hellcat Ransomware, Scattered Lapsus$ Hunters 2026-05-13
Zoom High Video Latency T1078 Anomaly Remote Employment Fraud 2026-05-13
Okta Phishing Detection with FastPass Origin Check Okta T1078.001 T1556 TTP Okta Account Takeover 2026-05-13
ESXi External Root Login Activity VMWare ESXi Syslog T1078 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - User Account Deleted From Local Database Cisco ASA Logs T1070.008 T1531 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco ASA - AAA Policy Tampering Cisco ASA Logs T1556.004 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Okta New Device Enrolled on Account Okta T1098.005 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
PingID Multiple Failed MFA Requests For User PingID T1078 T1110 T1621 TTP Compromised User Account 2026-05-13
Email servers sending high volume traffic to hosts T1114.002 Anomaly HAFNIUM Group, Collection and Staging 2026-05-13
No Windows Updates in a time frame N/A Hunting Monitor for Updates 2026-05-13
Cisco Duo Bypass Code Generation Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
MCP Github Suspicious Operation MCP Server T1552.001 Hunting Suspicious MCP Activities 2026-05-13
Cisco ASA - Logging Message Suppression Cisco ASA Logs T1070 T1685.001 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco ASA - Reconnaissance Command Activity Cisco ASA Logs T1082 T1590.001 T1590.005 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco Duo Policy Skip 2FA for Other Countries Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Account Modified VMWare ESXi Syslog T1078 T1098 T1136.001 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta IDP Lifecycle Modifications Okta T1087.004 Anomaly Suspicious Okta Activity 2026-05-13
ESXi User Granted Admin Role VMWare ESXi Syslog T1078 T1098 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Ollama Abnormal Service Crash Availability Attack Ollama Server T1489 Anomaly Suspicious Ollama Activities 2026-05-13
ESXi Reverse Shell Patterns VMWare ESXi Syslog T1059 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Email Attachments With Lots Of Spaces T1036.008 T1566.001 Anomaly Emotet Malware DHS Report TA18-201A, Data Destruction, Hermetic Wiper, Suspicious Emails 2026-05-13
Ollama Possible Memory Exhaustion Resource Abuse Ollama Server T1499 Anomaly Suspicious Ollama Activities 2026-05-13
Ollama Possible RCE via Model Loading Ollama Server T1190 Anomaly Suspicious Ollama Activities 2026-05-13
Detect HTML Help Spawn Child Process Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1218.001 TTP AgentTesla, Suspicious Compiled HTML Activity, Living Off The Land, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Okta Suspicious Activity Reported Okta T1078.001 TTP Okta Account Takeover 2026-05-13
ESXi System Clock Manipulation VMWare ESXi Syslog T1070.006 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - Core Syslog Message Volume Drop Cisco ASA Logs T1685 Hunting ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Zoom Rare Audio Devices T1123 Hunting Remote Employment Fraud 2026-05-13
Cisco ASA - Packet Capture Activity Cisco ASA Logs T1040 T1557 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID New MFA Method After Credential Reset PingID T1098.005 T1556.006 T1621 TTP Compromised User Account, Scattered Lapsus$ Hunters 2026-05-13
ESXi VM Discovery VMWare ESXi Syslog T1673 TTP Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity 2026-05-13
Okta Multiple Failed MFA Requests For User Okta T1621 Anomaly Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion 2026-05-13
Okta Unauthorized Access to Application Okta T1087.004 Anomaly Okta Account Takeover 2026-05-13
Suspicious Java Classes T1190 Anomaly Apache Struts Vulnerability 2026-05-13
MCP Prompt Injection MCP Server T1059 TTP Suspicious MCP Activities 2026-05-13
Ollama Abnormal Network Connectivity Ollama Server T1571 Anomaly Suspicious Ollama Activities 2026-05-13
Monitor Email For Brand Abuse N/A TTP Suspicious Emails, Scattered Lapsus$ Hunters, Brand Monitoring 2026-05-13
Okta User Logins from Multiple Cities Okta T1586.003 Anomaly Okta Account Takeover 2026-05-13
Cisco Duo Bulk Policy Deletion Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Detect Distributed Password Spray Attempts Azure icon Azure Active Directory Sign-in activity T1110.003 Hunting Compromised User Account, Active Directory Password Spraying 2026-05-13
Ollama Suspicious Prompt Injection Jailbreak Ollama Server T1059 T1190 Anomaly Suspicious Ollama Activities 2026-05-13
ESXi VIB Acceptance Level Tampering VMWare ESXi Syslog T1685 TTP Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity 2026-05-13
Suspicious Email Attachment Extensions T1566.001 Anomaly Emotet Malware DHS Report TA18-201A, Data Destruction, Hermetic Wiper, Suspicious Emails 2026-05-13
Cisco Duo Policy Allow Tampered Devices Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Set User Status to Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Okta Multiple Failed Requests to Access Applications Okta T1538 T1550.004 Hunting Okta Account Takeover 2026-05-13
Email files written outside of the Outlook directory Windows icon Sysmon EventID 11 T1114.001 TTP Collection and Staging 2026-05-13
M365 Copilot Information Extraction Jailbreak Attack M365 Exported eDiscovery Prompts T1685 TTP Suspicious Microsoft 365 Copilot Activities 2026-05-13
CrushFTP Server Side Template Injection CrushFTP T1190 TTP CrushFTP Vulnerabilities, Hellcat Ransomware 2026-05-13
MCP Postgres Suspicious Query MCP Server T1555 Hunting Suspicious MCP Activities 2026-05-13
Cisco Duo Policy Deny Access Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Policy Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Malicious VIB Forced Install VMWare ESXi Syslog T1505.006 TTP Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity 2026-05-13
Okta Mismatch Between Source and Response for Verify Push Request Okta T1621 TTP Okta Account Takeover, Okta MFA Exhaustion, Scattered Lapsus$ Hunters 2026-05-13
Cisco ASA - Logging Filters Configuration Tampering Cisco ASA Logs T1685 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
MCP Filesystem Server Suspicious Extension Write MCP Server T1059 Hunting Suspicious MCP Activities 2026-05-13
Okta MFA Exhaustion Hunt Okta T1110 Hunting Okta Account Takeover, Okta MFA Exhaustion, Scattered Lapsus$ Hunters 2026-05-13
ESXi System Information Discovery VMWare ESXi Syslog T1082 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Successful Single Factor Authentication Okta T1078.004 T1586.003 T1621 Anomaly Okta Account Takeover 2026-05-13
ESXi Audit Tampering VMWare ESXi Syslog T1070 T1690 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Ollama Excessive API Requests Ollama Server T1498 Anomaly Suspicious Ollama Activities 2026-05-13
M365 Copilot Session Origin Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
M365 Copilot Agentic Jailbreak Attack M365 Exported eDiscovery Prompts T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
ESXi VM Exported via Remote Tool VMWare ESXi Syslog T1005 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Cisco ASA - Device File Copy Activity Cisco ASA Logs T1005 T1530 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco ASA - User Account Lockout Threshold Exceeded Cisco ASA Logs T1110.001 T1110.003 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco Duo Policy Allow Network Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Zoom Rare Video Devices T1123 Hunting Remote Employment Fraud 2026-05-13
Detect New Login Attempts to Routers N/A TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Ollama Possible API Endpoint Scan Reconnaissance Ollama Server T1595 Anomaly Suspicious Ollama Activities 2026-05-13
Ollama Possible Model Exfiltration Data Leakage Ollama Server T1048 Anomaly Suspicious Ollama Activities 2026-05-13
Okta Authentication Failed During MFA Challenge Okta T1078.004 T1586.003 T1621 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Okta ThreatInsight Threat Detected Okta T1078.004 Anomaly Okta Account Takeover 2026-05-13
PingID Mismatch Auth Source and Verification Response PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Cisco Duo Admin Login Unusual Browser Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Download Errors VMWare ESXi Syslog T1601.001 T1685 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
O365 ZAP Activity Detection Office 365 Universal Audit Log T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2026-05-13
AWS Defense Evasion Impair Security Services AWS icon AWS CloudTrail DeleteLoggingConfiguration, AWS icon AWS CloudTrail DeleteDetector, AWS icon AWS CloudTrail DeleteLogStream, AWS icon AWS CloudTrail DeleteIPSet, AWS icon AWS CloudTrail DeleteRule, AWS icon AWS CloudTrail DeleteWebACL, AWS icon AWS CloudTrail DeleteAlarms, AWS icon AWS CloudTrail DeleteRuleGroup T1685.002 TTP AWS Defense Evasion 2026-05-13
O365 Excessive SSO logon errors O365 UserLoginFailed T1556 Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2026-05-13
GCP Successful Single-Factor Authentication Google Workspace T1078.004 T1586.003 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Kubernetes Scanner Image Pulling T1526 TTP Dev Sec Ops 2026-05-13
O365 Email Transport Rule Changed Office 365 Universal Audit Log T1114.003 T1564.008 Anomaly Data Exfiltration, Office 365 Account Takeover 2026-05-13
O365 Advanced Audit Disabled O365 Change user license. T1685.002 TTP Office 365 Persistence Mechanisms 2026-05-13
ASL AWS IAM Successful Group Deletion AWS icon ASL AWS CloudTrail T1069.003 T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
AWS SAML Update identity provider AWS icon AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2026-05-13
ASL AWS IAM AccessDenied Discovery Events AWS icon ASL AWS CloudTrail T1580 Anomaly Suspicious Cloud User Activities 2026-05-13
ASL AWS Disable Bucket Versioning AWS icon ASL AWS CloudTrail T1490 Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2026-05-13
ASL AWS ECR Container Upload Unknown User AWS icon ASL AWS CloudTrail T1204.003 Anomaly Dev Sec Ops 2026-05-13
AWS Multiple Failed MFA Requests For User AWS icon AWS CloudTrail ConsoleLogin T1586.003 T1621 Anomaly AWS Identity and Access Management Account Takeover 2026-05-13
AWS Network Access Control List Created with All Open Ports AWS icon AWS CloudTrail ReplaceNetworkAclEntry, AWS icon AWS CloudTrail CreateNetworkAclEntry T1686.001 TTP AWS Network ACL Activity 2026-05-13
O365 Cross-Tenant Access Change Office 365 Universal Audit Log T1484.002 TTP Azure Active Directory Persistence 2026-05-13
Kubernetes newly seen UDP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
GCP Detect gcploit framework T1078 TTP GCP Cross Account Activity 2026-05-13
Kubernetes Cron Job Creation Kubernetes icon Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2026-05-13
Cloud Provisioning Activity From Previously Unseen IP Address AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
O365 Service Principal Privilege Escalation O365 Add app role assignment grant to user. T1098.003 TTP Azure Active Directory Privilege Escalation, Office 365 Account Takeover 2026-05-13
Microsoft Intune Device Health Scripts Azure icon Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Azure AD Multiple Denied MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1621 TTP Azure Active Directory Account Takeover 2026-05-13
Detect AWS Console Login by New User AWS icon AWS CloudTrail T1552 T1586.003 Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2026-05-13
O365 SharePoint Suspicious Search Behavior Office 365 Universal Audit Log T1213.002 T1552 Anomaly Compromised User Account, Office 365 Collection Techniques, CISA AA22-320A, Office 365 Account Takeover 2026-05-13
O365 File Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2026-05-13
O365 Email Reported By User Found Malicious Office 365 Universal Audit Log T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2026-05-13
ASL AWS New MFA Method Registered For User AWS icon ASL AWS CloudTrail T1556.006 TTP AWS Identity and Access Management Account Takeover 2026-05-13
Kubernetes Nginx Ingress LFI T1212 TTP Dev Sec Ops 2026-05-13
O365 Email Security Feature Changed Office 365 Universal Audit Log T1685.002 TTP Office 365 Persistence Mechanisms, Office 365 Account Takeover 2026-05-13
AWS Excessive Security Scanning AWS icon AWS CloudTrail T1526 TTP AWS User Monitoring 2026-05-13
GitHub Organizations Disable Dependabot GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Azure AD Successful PowerShell Authentication Azure icon Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
Azure AD New Federated Domain Added Azure icon Azure Active Directory Set domain authentication T1484.002 TTP Scattered Lapsus$ Hunters, Hellcat Ransomware, Azure Active Directory Persistence, Storm-0501 Ransomware 2026-05-13
Gsuite Drive Share In External Email G Suite Drive T1567.002 Anomaly Scattered Lapsus$ Hunters, Dev Sec Ops, Insider Threat 2026-05-13
AWS ECR Container Upload Outside Business Hours AWS icon AWS CloudTrail PutImage T1204.003 Anomaly Dev Sec Ops 2026-05-13
ASL AWS ECR Container Upload Outside Business Hours AWS icon ASL AWS CloudTrail T1204.003 Anomaly Dev Sec Ops 2026-05-13
AWS Exfiltration via Bucket Replication AWS icon AWS CloudTrail PutBucketReplication T1537 TTP Data Exfiltration, Suspicious AWS S3 Activities 2026-05-13
Kubernetes Shell Running on Worker Node with CPU Activity T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
O365 Multiple Service Principals Created by User O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Cloud Provisioning Activity From Previously Unseen City AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Gsuite Suspicious Shared File Name G Suite Drive T1566.001 Anomaly Dev Sec Ops 2026-05-13
Detect Spike in AWS Security Hub Alerts for User AWS icon AWS Security Hub N/A Anomaly Critical Alerts, AWS Security Hub Alerts 2026-05-13
ASL AWS Defense Evasion Delete CloudWatch Log Group AWS icon ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
Kubernetes Nginx Ingress RFI T1212 TTP Dev Sec Ops 2026-05-13
ASL AWS UpdateLoginProfile AWS icon ASL AWS CloudTrail T1136.003 TTP AWS IAM Privilege Escalation 2026-05-13
O365 Mailbox Email Forwarding Enabled T1114.003 TTP Office 365 Collection Techniques 2026-05-13
AWS Console Login Failed During MFA Challenge AWS icon AWS CloudTrail ConsoleLogin T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2026-05-13
AWS Lambda UpdateFunctionCode AWS icon AWS CloudTrail T1204 Hunting Suspicious Cloud User Activities 2026-05-13
ASL AWS Detect Users creating keys with encrypt policy without MFA AWS icon ASL AWS CloudTrail T1486 TTP Ransomware Cloud 2026-05-13
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed T1110.003 T1110.004 T1586.003 Hunting NOBELIUM Group, Office 365 Account Takeover 2026-05-13
O365 Privileged Role Assigned Office 365 Universal Audit Log T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Detect Spike in AWS Security Hub Alerts for EC2 Instance AWS icon AWS Security Hub N/A Anomaly Critical Alerts, AWS Security Hub Alerts 2026-05-13
Azure AD AzureHound UserAgent Detected Azure icon Azure Active Directory NonInteractiveUserSignInLogs, Azure icon Azure Active Directory MicrosoftGraphActivityLogs T1087.004 T1526 TTP Compromised User Account, Azure Active Directory Privilege Escalation 2026-05-13
AWS Concurrent Sessions From Different Ips AWS icon AWS CloudTrail DescribeEventAggregates T1185 TTP Compromised User Account, AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Bypass MFA via Trusted IP O365 Set Company Information. T1686.001 TTP Office 365 Persistence Mechanisms 2026-05-13
Azure AD External Guest User Invited Azure icon Azure Active Directory Invite external user T1136.003 TTP Azure Active Directory Persistence 2026-05-13
Microsoft Intune Mobile Apps Azure icon Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Kubernetes Scanning by Unauthenticated IP Address Kubernetes icon Kubernetes Audit T1046 Anomaly Kubernetes Security 2026-05-13
AWS ECR Container Scanning Findings Low Informational Unknown AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 Anomaly Dev Sec Ops 2026-05-13
AWS Credential Access Failed Login AWS icon AWS CloudTrail ConsoleLogin T1110.001 T1586.003 TTP AWS Identity and Access Management Account Takeover 2026-05-13
O365 Privileged Graph API Permission Assigned O365 Update application. T1003.002 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Kubernetes Falco Shell Spawned Kubernetes icon Kubernetes Falco T1204 Anomaly Kubernetes Security 2026-05-13
AWS Exfiltration via EC2 Snapshot AWS icon AWS CloudTrail ModifySnapshotAttribute, AWS icon AWS CloudTrail DescribeSnapshotAttribute, AWS icon AWS CloudTrail DeleteSnapshot, AWS icon AWS CloudTrail CreateSnapshot T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2026-05-13
Azure AD OAuth Application Consent Granted By User Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2026-05-13
AWS IAM AccessDenied Discovery Events AWS icon AWS CloudTrail T1580 Anomaly Suspicious Cloud User Activities 2026-05-13
Amazon EKS Kubernetes cluster scan detection T1526 Hunting Kubernetes Scanning Activity 2026-05-13
Kubernetes Abuse of Secret by Unusual Location Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2026-05-13
Detect Spike in blocked Outbound Traffic from your AWS N/A Anomaly Command And Control, Suspicious AWS Traffic, AWS Network ACL Activity 2026-05-13
O365 PST export alert O365 T1114 TTP Data Exfiltration, Office 365 Collection Techniques 2026-05-13
GCP Multiple Users Failing To Authenticate From Ip Google Workspace T1110.003 T1110.004 T1586.003 Anomaly GCP Account Takeover 2026-05-13
AWS Bedrock Delete Model Invocation Logging Configuration AWS icon AWS CloudTrail DeleteModelInvocationLoggingConfiguration T1685.002 TTP AWS Bedrock Security 2026-05-13
Cloud Compute Instance Created By Previously Unseen User AWS icon AWS CloudTrail T1078.004 Anomaly Cloud Cryptomining 2026-05-13
O365 High Number Of Failed Authentications for User O365 UserLoginFailed T1110.001 TTP Office 365 Account Takeover 2026-05-13
Kubernetes Abuse of Secret by Unusual User Name Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2026-05-13
ASL AWS Multi-Factor Authentication Disabled AWS icon ASL AWS CloudTrail T1556.006 T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover 2026-05-13
GitHub Enterprise Disable IP Allow List GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. T1136.003 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2026-05-13
Azure AD Privileged Authentication Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1003.002 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
AWS Defense Evasion Update Cloudtrail AWS icon AWS CloudTrail UpdateTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
GitHub Organizations Repository Archived GitHub Organizations Audit Logs T1195 T1485 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
Azure AD Service Principal Authentication Azure icon Azure Active Directory Sign-in activity T1078.004 TTP NOBELIUM Group, Azure Active Directory Account Takeover 2026-05-13
Kubernetes Anomalous Outbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Azure AD Global Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
AWS IAM Assume Role Policy Brute Force AWS icon AWS CloudTrail T1110 T1580 TTP AWS IAM Privilege Escalation 2026-05-13
AWS Network Access Control List Deleted AWS icon AWS CloudTrail DeleteNetworkAclEntry T1686.001 Anomaly AWS Network ACL Activity 2026-05-13
O365 New Forwarding Mailflow Rule Created T1114 TTP Office 365 Collection Techniques 2026-05-13
O365 FullAccessAsApp Permission Assigned O365 Update application. T1098.002 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
ASL AWS Create Access Key AWS icon ASL AWS CloudTrail T1136.003 Hunting AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
Azure AD High Number Of Failed Authentications From Ip Azure icon Azure Active Directory T1110.001 T1110.003 TTP Compromised User Account, NOBELIUM Group, Azure Active Directory Account Takeover 2026-05-13
Azure AD Concurrent Sessions From Different Ips Azure icon Azure Active Directory T1185 TTP Compromised User Account, Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover 2026-05-13
Azure AD PIM Role Assigned Azure icon Azure Active Directory T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Azure AD Tenant Wide Admin Consent Granted Azure icon Azure Active Directory Consent to application T1098.003 TTP NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Kubernetes Abuse of Secret by Unusual User Agent Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2026-05-13
O365 DLP Rule Triggered Office 365 Universal Audit Log T1048 T1567 Anomaly Data Exfiltration 2026-05-13
AWS ECR Container Scanning Findings Medium AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 Anomaly Dev Sec Ops 2026-05-13
AWS Successful Single-Factor Authentication AWS icon AWS CloudTrail ConsoleLogin T1078.004 T1586.003 TTP AWS Identity and Access Management Account Takeover 2026-05-13
AWS CreateLoginProfile AWS icon AWS CloudTrail ConsoleLogin, AWS icon AWS CloudTrail CreateLoginProfile T1136.003 TTP AWS IAM Privilege Escalation 2026-05-13
AWS Bedrock Delete Knowledge Base AWS icon AWS CloudTrail DeleteKnowledgeBase T1485 TTP AWS Bedrock Security 2026-05-13
AWS Exfiltration via Anomalous GetObject API Activity AWS icon AWS CloudTrail GetObject T1119 Anomaly Data Exfiltration 2026-05-13
GitHub Organizations Delete Branch Ruleset GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
AWS Credential Access RDS Password reset AWS icon AWS CloudTrail ModifyDBInstance T1110 T1586.003 TTP AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
ASL AWS Network Access Control List Created with All Open Ports AWS icon ASL AWS CloudTrail T1686.001 TTP AWS Network ACL Activity 2026-05-13
GitHub Enterprise Register Self Hosted Runner GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
AWS Detect Users with KMS keys performing encryption S3 AWS icon AWS CloudTrail T1486 Anomaly Ransomware Cloud 2026-05-13
ASL AWS Defense Evasion Update Cloudtrail AWS icon ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
O365 Email Send Attachments Excessive Volume Office 365 Universal Audit Log T1070.008 T1485 Anomaly Suspicious Emails, Office 365 Account Takeover 2026-05-13
Azure AD Device Code Authentication Azure icon Azure Active Directory T1528 T1566.002 TTP Azure Active Directory Account Takeover 2026-05-13
AWS EC2 Snapshot Shared Externally AWS icon AWS CloudTrail ModifySnapshotAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2026-05-13
GitHub Enterprise Repository Deleted GitHub Enterprise Audit Logs T1195 T1485 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
O365 Privileged Role Assigned To Service Principal Office 365 Universal Audit Log T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
O365 SharePoint Malware Detection Office 365 Universal Audit Log T1204.002 TTP Ransomware Cloud, Azure Active Directory Persistence, Office 365 Account Takeover 2026-05-13
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2026-05-13
AWS Disable Bucket Versioning AWS icon AWS CloudTrail PutBucketVersioning T1490 Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2026-05-13
O365 Safe Links Detection Office 365 Universal Audit Log T1566.001 TTP Spearphishing Attachments, Office 365 Account Takeover 2026-05-13
AWS Defense Evasion Delete CloudWatch Log Group AWS icon AWS CloudTrail DeleteLogGroup T1685.002 TTP AWS Defense Evasion 2026-05-13
GCP Multi-Factor Authentication Disabled Google Workspace T1556.006 T1586.003 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
GCP Unusual Number of Failed Authentications From Ip Google Workspace T1110.003 T1110.004 T1586.003 Anomaly GCP Account Takeover 2026-05-13
Azure AD Multiple Service Principals Created by User Azure icon Azure Active Directory Add service principal T1136.003 Anomaly NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Kubernetes Previously Unseen Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Kubernetes Abuse of Secret by Unusual User Group Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2026-05-13
Detect New Open S3 buckets AWS icon AWS CloudTrail T1530 TTP Suspicious AWS S3 Activities 2026-05-13
AWS Credential Access GetPasswordData AWS icon AWS CloudTrail GetPasswordData T1110.001 T1586.003 Anomaly AWS Identity and Access Management Account Takeover 2026-05-13
ASL AWS Defense Evasion Stop Logging Cloudtrail AWS icon ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
GitHub Enterprise Delete Branch Ruleset GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
O365 Application Registration Owner Added O365 Add owner to application. T1098 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Azure AD User Consent Denied for OAuth Application Azure icon Azure Active Directory Sign-in activity T1528 TTP Azure Active Directory Account Takeover 2026-05-13
ASL AWS Concurrent Sessions From Different Ips AWS icon ASL AWS CloudTrail T1185 Anomaly Compromised User Account, AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
AWS SetDefaultPolicyVersion AWS icon AWS CloudTrail SetDefaultPolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
O365 Security And Compliance Alert Triggered T1078.004 TTP Office 365 Account Takeover 2026-05-13
AWS Detect Users creating keys with encrypt policy without MFA AWS icon AWS CloudTrail PutKeyPolicy, AWS icon AWS CloudTrail CreateKey T1486 TTP Ransomware Cloud 2026-05-13
AWS Multiple Users Failing To Authenticate From Ip AWS icon AWS CloudTrail ConsoleLogin T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2026-05-13
ASL AWS Credential Access RDS Password reset AWS icon ASL AWS CloudTrail T1110 T1586.003 TTP AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Kubernetes newly seen TCP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Circle CI Disable Security Job CircleCI T1554 Anomaly Dev Sec Ops 2026-05-13
Gdrive suspicious file sharing T1566 Hunting Spearphishing Attachments, Data Exfiltration, Scattered Lapsus$ Hunters 2026-05-13
Detect S3 access from a new IP T1530 Anomaly Suspicious AWS S3 Activities 2026-05-13
AWS Successful Console Authentication From Multiple IPs AWS icon AWS CloudTrail ConsoleLogin T1535 T1586 Anomaly Compromised User Account, Suspicious AWS Login Activities 2026-05-13
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1078.004 T1586.003 T1621 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Azure AD Service Principal Privilege Escalation Azure icon Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation 2026-05-13
ASL AWS Credential Access GetPasswordData AWS icon ASL AWS CloudTrail T1110.001 T1586.003 Anomaly AWS Identity and Access Management Account Takeover 2026-05-13
Kubernetes Anomalous Inbound to Outbound Network IO Ratio T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
O365 Email Suspicious Search Behavior Office 365 Universal Audit Log T1114.002 T1552 Anomaly Compromised User Account, Office 365 Collection Techniques, CISA AA22-320A, Office 365 Account Takeover 2026-05-13
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2026-05-13
AWS Exfiltration via Batch Service AWS icon AWS CloudTrail JobCreated T1119 TTP Data Exfiltration 2026-05-13
O365 Service Principal New Client Credentials O365 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Microsoft Intune Bulk Wipe Azure icon Azure Monitor Activity T1561.001 TTP Azure Active Directory Account Takeover 2026-05-13
GitHub Organizations Disable 2FA Requirement GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2026-05-13
Gsuite Email Suspicious Subject With Attachment G Suite Gmail T1566.001 Anomaly Dev Sec Ops 2026-05-13
O365 Email Password and Payroll Compromise Behavior Office 365 Universal Audit Log, Office 365 Reporting Message Trace T1070.008 T1114.001 T1485 TTP Suspicious Emails, Data Destruction, Office 365 Collection Techniques, Office 365 Account Takeover 2026-05-13
AWS ECR Container Upload Unknown User AWS icon AWS CloudTrail PutImage T1204.003 Anomaly Dev Sec Ops 2026-05-13
Azure AD Multiple Failed MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
O365 New Federated Domain Added O365 T1136.003 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2026-05-13
O365 Threat Intelligence Suspicious File Detected Office 365 Universal Audit Log T1204.002 TTP Ransomware Cloud, Office 365 Account Takeover, Azure Active Directory Account Takeover 2026-05-13
Kubernetes Shell Running on Worker Node T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Circle CI Disable Security Step CircleCI T1554 Anomaly Dev Sec Ops 2026-05-13
O365 Mailbox Read Access Granted to Application O365 Update application. T1098.003 T1114.002 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. T1685 TTP Office 365 Account Takeover 2026-05-13
GitHub Enterprise Disable Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
O365 Exfiltration via File Sync Download Office 365 Universal Audit Log T1530 T1567 Anomaly Data Exfiltration, Office 365 Account Takeover 2026-05-13
O365 Email Receive and Hard Delete Takeover Behavior Office 365 Universal Audit Log, Office 365 Reporting Message Trace T1070.008 T1114.001 T1485 Anomaly Suspicious Emails, Data Destruction, Office 365 Collection Techniques, Office 365 Account Takeover 2026-05-13
O365 New MFA Method Registered O365 Update user. T1098.005 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Disable MFA O365 Disable Strong Authentication. T1556 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 Added Service Principal O365 T1136.003 TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
AWS Bedrock Delete GuardRails AWS icon AWS CloudTrail DeleteGuardrail T1685.002 TTP AWS Bedrock Security 2026-05-13
ASL AWS Defense Evasion Impair Security Services AWS icon ASL AWS CloudTrail T1685.002 Hunting AWS Defense Evasion 2026-05-13
AWS High Number Of Failed Authentications For User AWS icon AWS CloudTrail ConsoleLogin T1201 Anomaly Compromised User Account, AWS Identity and Access Management Account Takeover 2026-05-13
AWS UpdateLoginProfile AWS icon AWS CloudTrail UpdateLoginProfile T1136.003 TTP AWS IAM Privilege Escalation 2026-05-13
Detect AWS Console Login by User from New Region AWS icon AWS CloudTrail T1535 T1586.003 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious Cloud Authentication Activities, Suspicious AWS Login Activities 2026-05-13
Kubernetes Process with Resource Ratio Anomalies T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Cloud Compute Instance Created In Previously Unused Region AWS icon AWS CloudTrail T1535 Anomaly Cloud Cryptomining 2026-05-13
Kubernetes Anomalous Inbound Outbound Network IO T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
ASL AWS Network Access Control List Deleted AWS icon ASL AWS CloudTrail T1686.001 Anomaly Scattered Lapsus$ Hunters, AWS Network ACL Activity 2026-05-13
Kubernetes Node Port Creation Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
O365 High Privilege Role Granted O365 Add member to role. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
Azure AD Service Principal Created Azure icon Azure Active Directory Add service principal T1136.003 TTP NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Cloud Compute Instance Created With Previously Unseen Instance Type AWS icon AWS CloudTrail T1578.002 Anomaly Cloud Cryptomining 2026-05-13
O365 Email Hard Delete Excessive Volume Office 365 Universal Audit Log T1070.008 T1485 Anomaly Suspicious Emails, Data Destruction, Office 365 Account Takeover 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Suspicious Okta Activity, Remote Employment Fraud 2026-05-13
ASL AWS IAM Delete Policy AWS icon ASL AWS CloudTrail T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
Azure AD Block User Consent For Risky Apps Disabled Azure icon Azure Active Directory Update authorization policy T1685 TTP Azure Active Directory Account Takeover 2026-05-13
AWS AMI Attribute Modification for Exfiltration AWS icon AWS CloudTrail ModifyImageAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2026-05-13
Cloud Provisioning Activity From Previously Unseen Country AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Service Principal Owner Added Azure icon Azure Active Directory Add owner to application T1098 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Azure Runbook Webhook Created Azure icon Azure Audit Create or Update an Azure Automation webhook T1078.004 TTP Azure Active Directory Persistence 2026-05-13
AWS S3 Exfiltration Behavior Identified T1537 Correlation Data Exfiltration, Suspicious Cloud Instance Activities 2026-05-13
Detect AWS Console Login by User from New City AWS icon AWS CloudTrail T1535 T1586.003 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious Cloud Authentication Activities, Suspicious AWS Login Activities 2026-05-13
Kubernetes Suspicious Image Pulling Kubernetes icon Kubernetes Audit T1526 Anomaly Kubernetes Security 2026-05-13
AWS Defense Evasion Delete Cloudtrail AWS icon AWS CloudTrail DeleteTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
ASL AWS EC2 Snapshot Shared Externally AWS icon ASL AWS CloudTrail T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2026-05-13
O365 Multiple OS Vendors Authenticating From User Office 365 Universal Audit Log T1110 TTP Office 365 Account Takeover 2026-05-13
GitHub Organizations Disable Classic Branch Protection Rule GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 SharePoint Allowed Domains Policy Changed Office 365 Universal Audit Log T1136.003 TTP Azure Active Directory Persistence 2026-05-13
Kubernetes Previously Unseen Container Image Name T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Microsoft Intune Manual Device Management Azure icon Azure Monitor Activity T1021.007 T1072 T1529 Hunting Azure Active Directory Account Takeover 2026-05-13
Kubernetes Anomalous Inbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
O365 Exfiltration via File Access Office 365 Universal Audit Log T1530 T1567 Anomaly Data Exfiltration, Office 365 Account Takeover 2026-05-13
Kubernetes Pod With Host Network Attachment Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
O365 Email Suspicious Behavior Alert Office 365 Universal Audit Log T1114.003 TTP Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover 2026-05-13
O365 Compliance Content Search Started T1114.002 TTP Office 365 Collection Techniques 2026-05-13
Azure AD PIM Role Assignment Activated Azure icon Azure Active Directory T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
O365 Email New Inbox Rule Created Office 365 Universal Audit Log T1114.003 T1564.008 Anomaly Office 365 Collection Techniques 2026-05-13
AWS IAM Delete Policy AWS icon AWS CloudTrail DeletePolicy T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
AWS Unusual Number of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1110.003 T1110.004 T1586.003 Anomaly AWS Identity and Access Management Account Takeover 2026-05-13
Cloud Compute Instance Created With Previously Unseen Image AWS icon AWS CloudTrail N/A Anomaly Cloud Cryptomining 2026-05-13
Detect New Open S3 Buckets over AWS CLI AWS icon AWS CloudTrail T1530 TTP Suspicious AWS S3 Activities 2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed T1078 Anomaly Office 365 Account Takeover 2026-05-13
AWS High Number Of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2026-05-13
GitHub Enterprise Modify Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure icon Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2026-05-13
GitHub Enterprise Disable Dependabot GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
AWS Create Policy Version to allow all resources AWS icon AWS CloudTrail CreatePolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
Gsuite Email With Known Abuse Web Service Link G Suite Gmail T1566.001 Anomaly Dev Sec Ops 2026-05-13
Cloud Instance Modified By Previously Unseen User AWS icon AWS CloudTrail T1078.004 Anomaly Suspicious Cloud Instance Activities 2026-05-13
Azure AD Multiple Service Principals Created by SP Azure icon Azure Active Directory Add service principal T1136.003 Anomaly NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
AWS New MFA Method Registered For User AWS icon AWS CloudTrail CreateVirtualMFADevice T1556.006 TTP AWS Identity and Access Management Account Takeover 2026-05-13
Kubernetes Create or Update Privileged Pod Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
O365 New Email Forwarding Rule Enabled T1114.003 TTP Office 365 Collection Techniques 2026-05-13
Azure AD New Custom Domain Added Azure icon Azure Active Directory Add unverified domain T1484.002 TTP Azure Active Directory Persistence 2026-05-13
O365 New Email Forwarding Rule Created T1114.003 TTP Office 365 Collection Techniques 2026-05-13
GitHub Enterprise Pause Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
Azure AD Unusual Number of Failed Authentications From Ip Azure icon Azure Active Directory T1110.003 T1110.004 T1586.003 Anomaly Azure Active Directory Account Takeover 2026-05-13
AWS Defense Evasion PutBucketLifecycle AWS icon AWS CloudTrail PutBucketLifecycle T1485.001 T1685.002 Hunting AWS Defense Evasion 2026-05-13
Azure Automation Account Created Azure icon Azure Audit Create or Update an Azure Automation account T1136.003 TTP Azure Active Directory Persistence 2026-05-13
AWS IAM Failure Group Deletion AWS icon AWS CloudTrail DeleteGroup T1098 Anomaly AWS IAM Privilege Escalation 2026-05-13
Azure AD FullAccessAsApp Permission Assigned Azure icon Azure Active Directory Update application T1098.002 T1098.003 TTP NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Azure AD Service Principal Enumeration Azure icon Azure Active Directory MicrosoftGraphActivityLogs T1087.004 T1526 TTP Compromised User Account, Azure Active Directory Privilege Escalation 2026-05-13
Azure AD Multi-Factor Authentication Disabled Azure icon Azure Active Directory Disable Strong Authentication T1556.006 T1586.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover 2026-05-13
O365 External Guest User Invited Office 365 Universal Audit Log T1136.003 TTP Azure Active Directory Persistence 2026-05-13
Azure AD Successful Single-Factor Authentication Azure icon Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Excessive Authentication Failures Alert T1110 Anomaly Office 365 Account Takeover 2026-05-13
Kubernetes Pod Created in Default Namespace Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
Kubernetes AWS detect suspicious kubectl calls Kubernetes icon Kubernetes Audit N/A Anomaly Kubernetes Security 2026-05-13
AWS Defense Evasion Stop Logging Cloudtrail AWS icon AWS CloudTrail StopLogging T1685.002 TTP AWS Defense Evasion 2026-05-13
O365 Email Send and Hard Delete Exfiltration Behavior Office 365 Universal Audit Log, Office 365 Reporting Message Trace T1070.008 T1114.001 T1485 Anomaly Suspicious Emails, Data Destruction, Office 365 Collection Techniques, Office 365 Account Takeover 2026-05-13
Kubernetes DaemonSet Deployed Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
O365 Mailbox Folder Read Permission Assigned O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Azure AD Service Principal New Client Credentials Azure icon Azure Active Directory T1098.001 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Kubernetes Access Scanning Kubernetes icon Kubernetes Audit T1046 Anomaly Kubernetes Security 2026-05-13
AWS ECR Container Scanning Findings High AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 TTP Dev Sec Ops 2026-05-13
Detect AWS Console Login by User from New Country AWS icon AWS CloudTrail T1535 T1586.003 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious Cloud Authentication Activities, Suspicious AWS Login Activities 2026-05-13
GitHub Enterprise Disable Classic Branch Protection Rule GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
GSuite Email Suspicious Attachment G Suite Gmail T1566.001 Anomaly Dev Sec Ops 2026-05-13
O365 External Identity Policy Changed Office 365 Universal Audit Log T1136.003 TTP Azure Active Directory Persistence 2026-05-13
Azure AD Multiple Users Failing To Authenticate From Ip Azure icon Azure Active Directory T1110.003 T1110.004 T1586.003 Anomaly Azure Active Directory Account Takeover 2026-05-13
O365 Threat Intelligence Suspicious Email Delivered Office 365 Universal Audit Log T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2026-05-13
ASL AWS Create Policy Version to allow all resources AWS icon ASL AWS CloudTrail T1078.004 TTP AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
AWS Exfiltration via DataSync Task AWS icon AWS CloudTrail CreateTask T1119 TTP Data Exfiltration, Hellcat Ransomware, Suspicious AWS S3 Activities 2026-05-13
Azure AD Application Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
Detect New Open GCP Storage Buckets T1530 TTP Suspicious GCP Storage Activities 2026-05-13
O365 Application Available To Other Tenants Office 365 Universal Audit Log T1098.003 TTP Data Exfiltration, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Azure AD Privileged Role Assigned Azure icon Azure Active Directory Add member to role T1098.003 TTP NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Storm-0501 Ransomware 2026-05-13
Azure AD Privileged Graph API Permission Assigned Azure icon Azure Active Directory Update application T1003.002 TTP NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
O365 Multiple Service Principals Created by SP O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Kubernetes Process with Anomalous Resource Utilisation T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
Azure AD New MFA Method Registered Azure icon Azure Active Directory Update user T1098.005 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Cloud API Calls From Previously Unseen User Roles AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud User Activities 2026-05-13
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed T1621 TTP Scattered Lapsus$ Hunters, Office 365 Account Takeover 2026-05-13
ASL AWS Defense Evasion PutBucketLifecycle AWS icon ASL AWS CloudTrail T1485.001 T1685.002 Hunting AWS Defense Evasion 2026-05-13
GitHub Organizations Repository Deleted GitHub Organizations Audit Logs T1195 T1485 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2026-05-13
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
Azure AD New MFA Method Registered For User Azure icon Azure Active Directory User registered security info T1556.006 TTP Compromised User Account, Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover 2026-05-13
AWS Bedrock Invoke Model Access Denied AWS icon AWS CloudTrail T1078 T1550 TTP AWS Bedrock Security 2026-05-13
Azure AD Privileged Role Assigned to Service Principal Azure icon Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters 2026-05-13
O365 ApplicationImpersonation Role Assigned O365 T1098.002 TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2026-05-13
Azure AD Multi-Source Failed Authentications Spike Azure icon Azure Active Directory T1110.003 T1110.004 T1586.003 Hunting NOBELIUM Group, Azure Active Directory Account Takeover 2026-05-13
AWS Password Policy Changes AWS icon AWS CloudTrail GetAccountPasswordPolicy, AWS icon AWS CloudTrail UpdateAccountPasswordPolicy, AWS icon AWS CloudTrail DeleteAccountPasswordPolicy T1201 Hunting Compromised User Account, AWS IAM Privilege Escalation 2026-05-13
ASL AWS Defense Evasion Delete Cloudtrail AWS icon ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
AWS IAM Successful Group Deletion AWS icon AWS CloudTrail DeleteGroup T1069.003 T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
Azure AD User ImmutableId Attribute Updated Azure icon Azure Active Directory Update user T1098 TTP Hellcat Ransomware, Azure Active Directory Persistence 2026-05-13
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail T1048.003 Hunting Dev Sec Ops, Insider Threat 2026-05-13
Azure AD User Consent Blocked for Risky Application Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2026-05-13
Azure AD Admin Consent Bypassed by Service Principal Azure icon Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2026-05-13
High Number of Login Failures from a single source O365 UserLoginFailed T1110.001 Anomaly Office 365 Account Takeover 2026-05-13
Kubernetes Anomalous Traffic on Network Edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
O365 User Consent Blocked for Risky Application O365 Consent to application. T1528 TTP Office 365 Account Takeover 2026-05-13
Kubernetes Process Running From New Path T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2026-05-13
O365 Email Reported By Admin Found Malicious Office 365 Universal Audit Log T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2026-05-13
GitHub Enterprise Remove Organization GitHub Enterprise Audit Logs T1195 T1485 Anomaly GitHub Malicious Activity 2026-05-13
Detect Spike in S3 Bucket deletion AWS icon AWS CloudTrail T1530 Anomaly Suspicious AWS S3 Activities 2026-05-13
Kubernetes Unauthorized Access Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2026-05-13
ASL AWS SAML Update identity provider AWS icon ASL AWS CloudTrail T1078 TTP Cloud Federated Credential Abuse 2026-05-13
Azure Automation Runbook Created Azure icon Azure Audit Create or Update an Azure Automation Runbook T1136.003 TTP Azure Active Directory Persistence 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure icon Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
AWS Multi-Factor Authentication Disabled AWS icon AWS CloudTrail DeleteVirtualMFADevice, AWS icon AWS CloudTrail DeactivateMFADevice T1556.006 T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Azure AD User Enabled And Password Reset Azure icon Azure Active Directory Update user, Azure icon Azure Active Directory Enable account, Azure icon Azure Active Directory Reset password (by admin) T1098 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Gsuite suspicious calendar invite T1566 Hunting Spearphishing Attachments 2026-05-13
Amazon EKS Kubernetes Pod scan detection T1526 Hunting Kubernetes Scanning Activity 2026-05-13
GitHub Enterprise Disable 2FA Requirement GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Geographic Improbable Location Okta T1078 Anomaly Remote Employment Fraud 2026-05-13
ASL AWS IAM Failure Group Deletion AWS icon ASL AWS CloudTrail T1098 Anomaly AWS IAM Privilege Escalation 2026-05-13
O365 Email Access By Security Administrator Office 365 Universal Audit Log T1114.002 T1567 TTP Data Exfiltration, Office 365 Account Takeover, Azure Active Directory Account Takeover 2026-05-13
Cloud Provisioning Activity From Previously Unseen Region AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Successful Authentication From Different Ips Azure icon Azure Active Directory T1110.001 T1110.003 TTP Compromised User Account, Azure Active Directory Account Takeover 2026-05-13
Risk Rule for Dev Sec Ops by Repository T1204.003 Correlation Dev Sec Ops 2026-05-13
GitHub Enterprise Repository Archived GitHub Enterprise Audit Logs T1195 T1485 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn T1185 TTP Scattered Lapsus$ Hunters, Office 365 Account Takeover 2026-05-13
Azure AD Authentication Failed During MFA Challenge Azure icon Azure Active Directory T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed T1110.003 T1110.004 T1586.003 TTP NOBELIUM Group, Office 365 Account Takeover 2026-05-13
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions T1114.002 TTP Office 365 Persistence Mechanisms 2026-05-13
Cloud Security Groups Modifications by User AWS icon AWS CloudTrail T1578.005 Anomaly Suspicious Cloud User Activities 2026-05-13
ASL AWS IAM Assume Role Policy Brute Force AWS icon ASL AWS CloudTrail T1110 T1580 TTP AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
GCP Multiple Failed MFA Requests For User Google Workspace T1078.004 T1586.003 T1621 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
GCP Kubernetes cluster pod scan detection T1526 Hunting Kubernetes Scanning Activity, Scattered Lapsus$ Hunters 2026-05-13
O365 Elevated Mailbox Permission Assigned O365 Add-MailboxPermission T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Azure Active Directory High Risk Sign-in Azure icon Azure Active Directory T1110.003 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
AWS CreateAccessKey AWS icon AWS CloudTrail CreateAccessKey T1136.003 Hunting AWS IAM Privilege Escalation 2026-05-13
O365 User Consent Denied for OAuth Application O365 T1528 TTP Office 365 Account Takeover 2026-05-13
O365 Exfiltration via File Download Office 365 Universal Audit Log T1530 T1567 Anomaly Data Exfiltration, Office 365 Account Takeover 2026-05-13
Detect GCP Storage access from a new IP T1530 Anomaly Suspicious GCP Storage Activities 2026-05-13
O365 Email Send and Hard Delete Suspicious Behavior Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Suspicious Emails, Data Destruction, Office 365 Collection Techniques, Office 365 Account Takeover 2026-05-13
O365 Compliance Content Search Exported T1114.002 TTP Office 365 Collection Techniques 2026-05-13
O365 BEC Email Hiding Rule Created T1564.008 TTP Office 365 Account Takeover 2026-05-13
O365 Mailbox Folder Read Permission Granted O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Azure AD High Number Of Failed Authentications For User Azure icon Azure Active Directory T1110.001 TTP Compromised User Account, Azure Active Directory Account Takeover 2026-05-13
AWS Bedrock High Number List Foundation Model Failures AWS icon AWS CloudTrail T1580 TTP AWS Bedrock Security 2026-05-13
Prohibited Network Traffic Allowed Cisco Secure Firewall Threat Defense Connection Event T1048 TTP Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
3CX Supply Chain Attack Network Indicators Windows icon Sysmon EventID 22 T1195.002 TTP 3CX Supply Chain Attack 2026-05-13
Windows Multi hop Proxy TOR Website Query Windows icon Sysmon EventID 22 T1071.003 Anomaly Interlock Ransomware, AgentTesla 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Internal Horizontal Port Scan NMAP Top 20 AWS icon AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event T1046 TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Remote Monitoring and Management Software, Suspicious User Agents 2026-05-13
Windows Remote Desktop Network Bruteforce Attempt Windows icon Sysmon EventID 3, Cisco Secure Access Firewall T1110.001 Anomaly Compromised User Account, SamSam Ransomware, Cisco Secure Access Analytics, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP RedLine Stealer, Lokibot, Crypto Stealer, Meduza Stealer, Lumma Stealer, Suspicious User Agents 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
DNS Query Length With High Standard Deviation Windows icon Sysmon EventID 22 T1048.003 Anomaly Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware 2026-05-13
Wermgr Process Connecting To IP Check Web Services Windows icon Sysmon EventID 22 T1590.005 TTP Trickbot 2026-05-13
Cisco SD-WAN - Peering Activity Cisco SD-WAN NTCE 1000001 T1190 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
Cisco Secure Firewall - Bits Network Activity Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Remote Desktop Network Traffic Zeek Conn T1021.001 Anomaly SamSam Ransomware, Hidden Cobra Malware, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Cobalt Strike, Malicious PowerShell, BishopFox Sliver Adversary Emulation Framework, Tuoni, Spearphishing Attachments, Brute Ratel C4, Meterpreter, Suspicious User Agents 2026-05-13
Detect Remote Access Software Usage DNS Windows icon Sysmon EventID 22 T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Insider Threat 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Cisco Secure Access Firewall, Network icon Palo Alto Network Traffic T1095 TTP China-Nexus Threat Activity, Command And Control, Cisco Secure Access Analytics, Backdoor Pingpong 2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1505.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly Local Privilege Escalation With KrbRelayUp, Suspicious User Agents, BlackSuit Ransomware, Cactus Ransomware 2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP React2Shell 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect DNS Query to Decommissioned S3 Bucket Windows icon Sysmon EventID 22 T1485 Anomaly Data Destruction, AWS S3 Bucket Security Monitoring 2026-05-13
Detect ARP Poisoning Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Internal Horizontal Port Scan AWS icon AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event T1046 TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Smart Install Oversized Packet Detection Splunk icon Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Smart Install Port Discovery and Status Splunk icon Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration Cisco Secure Firewall Threat Defense Connection Event T1041 T1048.003 T1567.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Cisco Secure Firewall Threat Defense Connection Event, Network icon Palo Alto Network Traffic T1090.003 TTP Command And Control, Interlock Ransomware, Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration Cisco IOS Logs T1005 T1567 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity Cisco SD-WAN Service Proxy Access Logs T1190 TTP Cisco Catalyst SD-WAN Analytics 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Detect Software Download To Network Device T1542.005 TTP Router and Infrastructure Security 2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer Cisco SD-WAN NTCE 1000001 T1190 Anomaly Cisco Catalyst SD-WAN Analytics 2026-05-13
Detect Zerologon via Zeek T1190 TTP Black Basta Ransomware, Rhysida Ransomware, Detect Zerologon Attack 2026-05-13
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Command And Control, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Scattered Spider, Insider Threat 2026-05-13
Protocols passing authentication in cleartext Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics, Use of Cleartext Protocols, Scattered Lapsus$ Hunters 2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Network icon Palo Alto Network Threat T1133 T1190 TTP F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Internal Vulnerability Scan T1046 T1595.002 TTP Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Rundll32 DNSQuery Windows icon Sysmon EventID 22 T1218.011 TTP IcedID, Living Off The Land 2026-05-13
Detect Remote Access Software Usage Traffic Network icon Palo Alto Network Traffic T1219 Anomaly Command And Control, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Insider Threat 2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Detect Rogue DHCP Server Cisco IOS Logs T1200 T1498 T1557 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event T1583.006 T1598 Hunting Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services Windows icon Sysmon EventID 22 T1590.005 Anomaly Quasar RAT, Castle RAT, Void Manticore, Handala Wiper, BlankGrabber Stealer, VIP Keylogger, Water Gamayun, PXA Stealer, Snake Keylogger, Azorult, DarkCrystal RAT, Meduza Stealer, 0bj3ctivity Stealer, Phemedrone Stealer 2026-05-13
Internal Vertical Port Scan AWS icon AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event T1046 TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process DNS Query Known Abuse Web Services Windows icon Sysmon EventID 22 T1059.005 TTP WhisperGate, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, PXA Stealer, RedLine Stealer, Snake Keylogger, Braodo Stealer, Remcos, Meduza Stealer, Malicious Inno Setup Loader, Phemedrone Stealer 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware 2026-05-13
Windows AD Replication Service Traffic T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Windows icon Sysmon EventID 22 T1102 Anomaly BlankGrabber Stealer, Malicious Inno Setup Loader, CISA AA24-241A, NjRAT 2026-05-13
Detect Port Security Violation Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Large Volume of DNS ANY Queries T1498.002 Anomaly DNS Amplification Attacks 2026-05-13
Ngrok Reverse Proxy on Network Windows icon Sysmon EventID 22 T1090 T1102 T1572 Anomaly CISA AA24-241A, Reverse Network Proxy, CISA AA22-320A 2026-05-13
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect hosts connecting to dynamic domain providers Windows icon Sysmon EventID 22 T1189 TTP Command And Control, DNS Hijacking, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch, Dynamic DNS, Suspicious DNS Traffic 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Protocol or Port Mismatch Cisco Secure Firewall Threat Defense Connection Event T1048.003 Anomaly Command And Control, Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall T1071.002 TTP Cisco Secure Access Analytics, Hidden Cobra Malware, DHS Report TA18-074A, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event T1059 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Traffic Mirroring Cisco IOS Logs T1020.001 T1200 T1498 TTP Router and Infrastructure Security 2026-05-13
DNS Kerberos Coercion Suricata, Windows icon Sysmon EventID 22 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 T1587.001 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco SNMP Community String Configuration Changes Cisco IOS Logs T1040 T1552 T1685 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain Windows icon Sysmon EventID 22 T1566.001 Hunting Spearphishing Attachments, MuddyWater, AsyncRAT 2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity Cisco SD-WAN Service Proxy Access Logs T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
SMB Traffic Spike T1021.002 Anomaly Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A, Ransomware, Hidden Cobra Malware 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect IPv6 Network Infrastructure Threats Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Hosts receiving high volume of network traffic from email server T1114.002 Anomaly Collection and Staging 2026-05-13
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect Outbound LDAP Traffic Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall, Network icon Palo Alto Network Traffic T1059 T1190 Hunting Cisco Secure Access Analytics, Cisco Secure Firewall Threat Defense Analytics, Log4Shell CVE-2021-44228 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Linux Suspicious Namespace Creation Linux icon Linux Auditd Syscall, Linux icon Sysmon for Linux EventID 1 T1068 TTP Linux Privilege Escalation 2026-05-12
Powershell Defender Threat Actions Set to Allow Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1059.001 TTP Salat Stealer 2026-05-12
Linux Binary Launched Process with Null Argv Linux icon Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-12
Linux PF_ALG Registration Outside of Boot Window Linux icon Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-11
Linux Malformed Auth Entry Linux icon Linux Secure T1068 Anomaly Linux Privilege Escalation 2026-05-06
Windows Suspicious Child Process of TieringEngineService.exe Windows icon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows VSSVC Process Accessing Defender Engine Windows icon Sysmon EventID 10 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows Cloud Files Filter Log Created by Non-System Process Windows icon Sysmon EventID 11 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows Suspicious Burst of Password Changes Windows icon Windows Event Log Security 4723, Windows icon Windows Event Log Security 4724 T1068 TTP BlueHammer, Windows Privilege Escalation 2026-04-29
Windows Suspicious Defender Engine or Signature Files Created Windows icon Sysmon EventID 11 T1068 Anomaly BlueHammer, Windows Privilege Escalation 2026-04-27
Windows Suspicious Defender Update Activity in INetCache Windows icon Sysmon EventID 11, Windows icon Sysmon EventID 23 T1068 T1105 Anomaly Windows Persistence Techniques, BlueHammer 2026-04-27
Windows MsMpEng Writing to System32 Windows icon Sysmon EventID 15, Windows icon Sysmon EventID 11 T1068 T1543.003 TTP RedSun, Windows Drivers, BlueHammer, Windows Privilege Escalation 2026-04-27
Windows Admin Password Changed by Non-Admin Windows icon Windows Event Log Security 4723 T1068 T1543.003 TTP BlueHammer, Windows Privilege Escalation 2026-04-27
Windows Non-System Process Querying Definition Update Windows icon Sysmon EventID 22 T1068 T1071.001 Anomaly RedSun, BlueHammer, Windows Privilege Escalation 2026-04-27